build/security/policies_swd.gni - fuchsia - Git at Google

 # Copyright 2021 The Fuchsia Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.

 # Defines high level SWD Policy configurations.

 # Since there are dependencies both in system_image_deps and base_packages, we
 # define two groups per policy.
 # Policy names must be one of the set of
 # ["unrestricted", "local_dynamic_config", "base_components_only"].
 # These groups are added to the build image in //build/images:base_packages
 # and //build/input/product:system_image_deps.
 # Note, the build arg `auto_update_packages` is not captured in the scope of
 # these configurations, despite being SWD related.

 # Default policy_labels definition to ease with the transition away from
 # manually defining SWD policies across different product gni files.
 # The transition process will be as follows:
 # 1. Define all SWD policies.
 # 2. Add dependency on SWD policies in base_package_deps and
 #    system_image_deps, but do not apply a SWD policy to retain existing
 #    product behavior.
 # 3. Apply SWD policies in product definitions alongside the existing
 #    SWD targets configuration. Assert that product configuration has not
 #    changed.
 # 4. Remove manually defined SWD targets in product definitions, rely solely
 #    on defined SWD policies to determine product configuration of SWD policy.

 # A definition of existing swd policies is included below:
 # ┌──────────────────────┬──────────────────────────────┬─────────────────────┬────────────────────────────────────┐
 # │ POLICY_NAME          │ enable_dynamic_configuration │ persisted_repos_dir │ disable_executability_restrictions │
 # ├──────────────────────┼──────────────────────────────┼─────────────────────┼────────────────────────────────────┤
 # │ base_components_only │ OFF                          │ OFF                 │ OFF                                │
 # ├──────────────────────┼──────────────────────────────┼─────────────────────┼────────────────────────────────────┤
 # │ local_dynamic_config │ ON                           │ OFF                 │ OFF                                │
 # ├──────────────────────┼──────────────────────────────┼─────────────────────┼────────────────────────────────────┤
 # │ unrestricted         │ ON                           │ ON                  │ ON                                 │
 # └──────────────────────┴──────────────────────────────┴─────────────────────┴────────────────────────────────────┘

 policies_swd = [
   {
     name = "base_components_only"
     base_package_deps = []
     system_image_deps = []
   },
   {
     name = "local_dynamic_config"
     base_package_deps =
         [ "//src/sys/pkg/bin/pkg-resolver:enable_dynamic_configuration" ]
     system_image_deps = []
   },
   {
     name = "unrestricted"
     base_package_deps = [
       "//src/sys/pkg/bin/pkg-resolver:enable_dynamic_configuration",
       "//src/sys/pkg/bin/pkg-resolver:persisted_repos_dir",
     ]
     system_image_deps =
         [ "//src/sys/pkg:pkgfs-disable-executability-restrictions" ]
   },
 ]

 # Policy names must be either unset, or one of the set of
 # ["omaha_client", "system_update_checker"].
 #
 # Each policy defines the following scopes:
 # * if_board_supports_update_configurator, which will be applied if
 #   board_supports_update_configurator is set to true by a board's config.
 #   This scope defines the following scopes:
 #   * core_realm_shards - a set of labels to add as deps to the core realm's
 #     core_realm target in //build/images/fuchsia:core_realm
 #
 # A definition of existing update_checker policies is included below:
 # ┌───────────────────────┬────────────────────────┐
 # │ POLICY_NAME           │  update checker        │
 # │                       │  implementation        │
 # ├───────────────────────┼────────────────────────┤
 # │                       │  none                  │
 # ├───────────────────────┼────────────────────────┤
 # │ omaha_client          │  omaha_client          │
 # ├───────────────────────┼────────────────────────┤
 # │ system_update_checker │  system_update_checker │
 # └───────────────────────┴────────────────────────┘

 policies_update_checker = [
   {
     name = "omaha_client"
     if_board_supports_update_configurator = {
       core_realm_shards = [
         # FIXME(fxbug.dev/93695) Replace with an optional capability route when
         # that feature is available
         "//src/sys/pkg:system-update-configurator-route-to-omaha-client",
       ]
     }
   },
   {
     name = "system_update_checker"
     if_board_supports_update_configurator = {
       core_realm_shards = []
     }
   },
 ]
	# Copyright 2021 The Fuchsia Authors. All rights reserved.
	# Use of this source code is governed by a BSD-style license that can be
	# found in the LICENSE file.

	# Defines high level SWD Policy configurations.

	# Since there are dependencies both in system_image_deps and base_packages, we
	# define two groups per policy.
	# Policy names must be one of the set of
	# ["unrestricted", "local_dynamic_config", "base_components_only"].
	# These groups are added to the build image in //build/images:base_packages
	# and //build/input/product:system_image_deps.
	# Note, the build arg `auto_update_packages` is not captured in the scope of
	# these configurations, despite being SWD related.

	# Default policy_labels definition to ease with the transition away from
	# manually defining SWD policies across different product gni files.
	# The transition process will be as follows:
	# 1. Define all SWD policies.
	# 2. Add dependency on SWD policies in base_package_deps and
	# system_image_deps, but do not apply a SWD policy to retain existing
	# product behavior.
	# 3. Apply SWD policies in product definitions alongside the existing
	# SWD targets configuration. Assert that product configuration has not
	# changed.
	# 4. Remove manually defined SWD targets in product definitions, rely solely
	# on defined SWD policies to determine product configuration of SWD policy.

	# A definition of existing swd policies is included below:
	# ┌──────────────────────┬──────────────────────────────┬─────────────────────┬────────────────────────────────────┐
	# │ POLICY_NAME │ enable_dynamic_configuration │ persisted_repos_dir │ disable_executability_restrictions │
	# ├──────────────────────┼──────────────────────────────┼─────────────────────┼────────────────────────────────────┤
	# │ base_components_only │ OFF │ OFF │ OFF │
	# ├──────────────────────┼──────────────────────────────┼─────────────────────┼────────────────────────────────────┤
	# │ local_dynamic_config │ ON │ OFF │ OFF │
	# ├──────────────────────┼──────────────────────────────┼─────────────────────┼────────────────────────────────────┤
	# │ unrestricted │ ON │ ON │ ON │
	# └──────────────────────┴──────────────────────────────┴─────────────────────┴────────────────────────────────────┘

	policies_swd = [
	{
	name = "base_components_only"
	base_package_deps = []
	system_image_deps = []
	},
	{
	name = "local_dynamic_config"
	base_package_deps =
	[ "//src/sys/pkg/bin/pkg-resolver:enable_dynamic_configuration" ]
	system_image_deps = []
	},
	{
	name = "unrestricted"
	base_package_deps = [
	"//src/sys/pkg/bin/pkg-resolver:enable_dynamic_configuration",
	"//src/sys/pkg/bin/pkg-resolver:persisted_repos_dir",
	]
	system_image_deps =
	[ "//src/sys/pkg:pkgfs-disable-executability-restrictions" ]
	},
	]

	# Policy names must be either unset, or one of the set of
	# ["omaha_client", "system_update_checker"].
	#
	# Each policy defines the following scopes:
	# * if_board_supports_update_configurator, which will be applied if
	# board_supports_update_configurator is set to true by a board's config.
	# This scope defines the following scopes:
	# * core_realm_shards - a set of labels to add as deps to the core realm's
	# core_realm target in //build/images/fuchsia:core_realm
	#
	# A definition of existing update_checker policies is included below:
	# ┌───────────────────────┬────────────────────────┐
	# │ POLICY_NAME │ update checker │
	# │ │ implementation │
	# ├───────────────────────┼────────────────────────┤
	# │ │ none │
	# ├───────────────────────┼────────────────────────┤
	# │ omaha_client │ omaha_client │
	# ├───────────────────────┼────────────────────────┤
	# │ system_update_checker │ system_update_checker │
	# └───────────────────────┴────────────────────────┘

	policies_update_checker = [
	{
	name = "omaha_client"
	if_board_supports_update_configurator = {
	core_realm_shards = [
	# FIXME(fxbug.dev/93695) Replace with an optional capability route when
	# that feature is available
	"//src/sys/pkg:system-update-configurator-route-to-omaha-client",
	]
	}
	},
	{
	name = "system_update_checker"
	if_board_supports_update_configurator = {
	core_realm_shards = []
	}
	},
	]