| { |
| security_policy: { |
| job_policy: { |
| ambient_mark_vmo_exec: [ |
| "/core/appmgr", |
| ], |
| main_process_critical: [ |
| "/bootstrap/archivist", |
| "/bootstrap/driver_manager", |
| "/bootstrap/fshost", |
| "/bootstrap/power_manager", |
| "/bootstrap/shutdown_shim", |
| ], |
| }, |
| capability_policy: [ |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.boot.RootResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console", |
| "/bootstrap/console-launcher", |
| "/bootstrap/driver_manager", |
| "/bootstrap/netsvc", |
| "/bootstrap/svchost", |
| "/core", |
| "/core/appmgr", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.DebugResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/core", |
| "/core/appmgr", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.HypervisorResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/core", |
| "/core/appmgr", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.InfoResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/core", |
| "/core/appmgr", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.IoportResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/core", |
| "/core/appmgr", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.IrqResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/core", |
| "/core/appmgr", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.RootJob", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/driver_manager", |
| "/bootstrap/netsvc", |
| "/bootstrap/svchost", |
| "/core", |
| "/core/appmgr", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.RootJobForInspect", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/netsvc", |
| "/core", |
| "/core/appmgr", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.MmioResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/core", |
| "/core/appmgr", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.SmcResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/core", |
| "/core/appmgr", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.VmexResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/fshost", |
| "/core", |
| "/core/appmgr", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "bin", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/fshost", |
| "/bootstrap/netsvc", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "blob", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/fshost", |
| "/bootstrap/netsvc", |
| "/core", |
| "/core/appmgr", |
| "/core/pkg-cache", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "pkgfs", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/fshost", |
| "/bootstrap/netsvc", |
| "/core", |
| "/core/appmgr", |
| "/core/pkg-cache", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "minfs", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/fshost", |
| "/bootstrap/netsvc", |
| "/core", |
| "/core/appmgr", |
| "/core/minfs", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "system", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/driver_manager", |
| "/bootstrap/fshost", |
| "/bootstrap/netsvc", |
| "/core", |
| "/core/appmgr", |
| "/core/vulkan_loader", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "tmp", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/fshost", |
| "/bootstrap/netsvc", |
| "/core", |
| "/core/appmgr", |
| ], |
| }, |
| { |
| // We restrict access to PackageResolver because it gives direct access to package |
| // handles which provide executability which bypass VX security policy. |
| source_moniker: "/core/appmgr", |
| source: "component", |
| source_name: "fuchsia.pkg.PackageResolver", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| |
| // This is only used when the kernel commandline flag devmgr.enable-ephemeral |
| // is set, which enables loading drivers ephemerally. This is intended for |
| // eng builds only. |
| "/bootstrap/driver_manager", |
| "/bootstrap/netsvc", |
| "/core/universe-resolver", |
| ], |
| }, |
| { |
| // We restrict access to PackageCache because it gives direct access to package |
| // handles which provide executability which bypass VX security policy. |
| source_moniker: "/core/pkg-cache", |
| source: "component", |
| source_name: "fuchsia.pkg.PackageCache", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/appmgr", |
| ], |
| }, |
| { |
| // We restrict access to base-resolver's ComponentResolver protocol because we |
| // expect only parts of component framework to be able to access it. |
| source_moniker: "/bootstrap/base-resolver", |
| source: "component", |
| source_name: "fuchsia.sys2.ComponentResolver", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/universe-resolver", |
| ], |
| }, |
| ], |
| debug_registration_policy: [ |
| { |
| debug: "protocol", |
| environment_name: "test-env", |
| source_moniker: "/core/test_manager/debug_data", |
| source_name: "fuchsia.debugdata.DebugData", |
| target_moniker: "/core/test_manager", |
| }, |
| ], |
| }, |
| } |