| // This policy enforces platform-level contraints on Fuchsia user builds at build time. |
| // It is consumed by Scrutiny and defines assorted checks that are not currently categorized |
| // under the existing component, routing, or package allowlist-based verifiers. |
| // This should be run in addition to any product-specific policy. |
| // See https://fuchsia.dev/fuchsia-src/contribute/governance/rfcs/0115_build_types for more |
| // detail on build type strategy. |
| { |
| additional_boot_args_checks: { |
| // Ensure netsvc is disabled on non-eng builds. |
| // netsvc allows for execution of unverified code via netbooting and is not suitable for |
| // use outside of dev environments. |
| must_not_contain: [ |
| { |
| KeyValuePair: [ |
| "netsvc.all-features", |
| "true", |
| ], |
| }, |
| { |
| KeyValuePair: [ |
| "netsvc.netboot", |
| "true", |
| ], |
| }, |
| ], |
| }, |
| bootfs_file_checks: [], |
| package_checks: [ |
| // Checks involving the system image package. |
| { |
| source: "SystemImage", |
| file_checks: [ |
| // Ensure that iquery is not included in static packages, as it is a debugging |
| // tool for use in eng builds. |
| { |
| source: { |
| PackageMetaContents: "data/static_packages", |
| }, |
| state: "Present", |
| content_checks: { |
| must_not_contain: [ |
| { |
| String: "iquery", |
| }, |
| ], |
| }, |
| }, |
| |
| // One of either data/cache_packages or data/cache_packages.json may be present. |
| // Ensure that it is absent or empty for user builds. |
| { |
| source: { |
| PackageMetaContents: "data/cache_packages", |
| }, |
| state: "AbsentOrEmpty", |
| }, |
| { |
| source: { |
| PackageMetaContents: "data/cache_packages.json", |
| }, |
| state: "AbsentOrEmpty", |
| }, |
| |
| // Ensure data/pkgfs_disable_executability_restrictions file is absent. |
| // The presence of this file disables executability enforcement. |
| { |
| source: { |
| PackageMetaContents: "data/pkgfs_disable_executability_restrictions", |
| }, |
| state: "Absent", |
| }, |
| ], |
| }, |
| |
| // Checks involving the config data package. |
| { |
| source: { |
| StaticPackages: "config-data", |
| }, |
| file_checks: [ |
| // Ensure dynamic configuration is not enabled for pkg-resolver in user builds. |
| // If present, these files could allow pkg-resolver to rewrite TUF repositories and rules. |
| { |
| source: { |
| PackageFar: [ |
| "meta/data/pkg-resolver/config.json", |
| ], |
| }, |
| state: "Absent", |
| }, |
| { |
| source: { |
| PackageFar: [ |
| "meta/data/pkg-resolver/enable_dynamic_config.json", |
| ], |
| }, |
| state: "Absent", |
| }, |
| |
| // Ensure sshd_config is absent in user builds. |
| // SSH should not be enabled in user builds. |
| { |
| source: { |
| PackageFar: [ |
| "meta/data/sshd-host/sshd_config", |
| ], |
| }, |
| state: "Absent", |
| }, |
| ], |
| }, |
| ], |
| } |