Google Git
Sign in
fuchsia / fuchsia / HEAD / . / src / security / policy / component_manager_policy_base.json5
blob: 3a261febd25da755780154c50b7bdfdd95c68e09 [file] [log] [blame]
{
security_policy: {
job_policy: {
main_process_critical: [
"/bootstrap/archivist",
"/bootstrap/devfs",
"/bootstrap/devfs-with-pkg",
"/bootstrap/driver_manager",
"/bootstrap/power_manager",
"/bootstrap/shutdown_shim",
],
},
capability_policy: [
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.CpuResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/base-drivers:cpu-controller-f521000",
"/bootstrap/boot-drivers:**",
"/bootstrap/power_manager",
"/bootstrap/cpu_manager",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.DebugResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/console",
"/bootstrap/console-launcher",
"/bootstrap/kernel_debug_broker",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.DebuglogResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/console",
"/bootstrap/svchost",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.HypervisorResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.InfoResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/sysmem",
"/bootstrap/boot-drivers:**",
"/bootstrap/console-launcher",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.IommuResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/sysmem",
"/bootstrap/boot-drivers:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.IoportResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/boot-drivers:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.IrqResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/boot-drivers:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.RootJob",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/netsvc",
"/bootstrap/critical-services",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.RootJobForInspect",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/netsvc",
"/core/memory_monitor",
"/core/memory_monitor2",
"/core/memory_pressure_signaler",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.MexecResource",
capability: "protocol",
target_monikers: [
"/bootstrap/driver_manager",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.MmioResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/sysmem",
"/bootstrap/boot-drivers:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.MsiResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/boot-drivers:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.ProfileResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/role_manager",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.PowerResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/driver_manager",
"/bootstrap/boot-drivers:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.SmcResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/boot-drivers:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.TracingResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/console",
"/bootstrap/console-launcher",
"/bootstrap/kernel_debug_broker",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.SamplingResource",
capability: "protocol",
target_monikers: [],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.VmexResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/fshost/blobfs",
"/bootstrap/fshost/fvm2/blobfs-collection:**",
"/bootstrap/pkg-cache",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.pkg.PackageResolver-boot",
capability: "protocol",
target_monikers: [],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "blob",
capability: "directory",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/fshost",
"/core/system-update/system-updater",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "data",
capability: "directory",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/fshost",
"/core",
"/core/minfs",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "tmp",
capability: "directory",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/fshost",
],
},
{
source_moniker: "/bootstrap/fshost/blobfs",
source: "component",
source_name: "blob-exec",
capability: "directory",
target_monikers: [
"/bootstrap/fshost",
"/bootstrap/fshost/blobfs",
"/bootstrap/pkg-cache",
],
},
{
// We restrict access to PackageResolver because it gives direct access to package
// handles which provide executability which bypass VX security policy.
source_moniker: "/core/pkg-resolver",
source: "component",
source_name: "fuchsia.pkg.PackageResolver",
capability: "protocol",
target_monikers: [
"/core/pkg-resolver",
"/core/system-update/system-update-checker",
],
},
{
// Enforce that full-resolver is only used on builds that explicitly enable it.
source_moniker: "/core/pkg-resolver",
source: "component",
source_name: "full-resolver",
capability: "resolver",
target_monikers: [],
},
{
// Enforce that full-resolver is only used on builds that explicitly enable it.
source_moniker: "/core/pkg-resolver",
source: "component",
source_name: "fuchsia.component.resolution.Resolver",
capability: "protocol",
target_monikers: [
// These components expose the resolver protocol, so they need to be
// allowlisted here.
"/core",
"/core/pkg-resolver",
],
},
{
// We restrict access to PackageResolver-ota because it gives direct access to
// package handles which provide executability which bypass VX security policy.
// Additionally, this "-ota" implementation does not protect resolved packages from
// garbage collection and so should only be used by the system-updater.
source_moniker: "/core/pkg-resolver",
source: "component",
source_name: "fuchsia.pkg.PackageResolver-ota",
capability: "protocol",
target_monikers: [
// TODO(https://fxbug.dev/303275551): Update target "/core/pkg-resolver" when use-from-expose
// policy check is fixed.
"/core/pkg-resolver",
"/core/system-update/system-updater",
],
},
{
source_moniker: "/core/lowpanservice",
source: "component",
source_name: "fuchsia.factory.lowpan.FactoryLookup",
capability: "protocol",
target_monikers: [
"/core/lowpanservice",
],
},
{
source_moniker: "/core/lowpanservice",
source: "component",
source_name: "fuchsia.lowpan.device.DeviceExtraConnector",
capability: "protocol",
target_monikers: [
"/core/lowpanservice",
],
},
{
source_moniker: "/core/lowpanservice",
source: "component",
source_name: "fuchsia.lowpan.device.DeviceRouterExtraConnector",
capability: "protocol",
target_monikers: [
"/core/lowpanservice",
],
},
// NB: Consult Netstack team before routing the following protocols
// as there may be alternatives available.
// TODO(https://fxbug.dev/42175379): once product assembly supports product-specific
// components running in the network realm, remove this policy.
{
source_moniker: "/core/network/netstack",
source: "component",
source_name: "fuchsia.posix.socket.raw.Provider",
capability: "protocol",
target_monikers: [
"/core/network",
"/core/network/netstack",
"/core/network/socket-proxy",
"/core/lowpan-ot-driver",
"/core/test_manager",
"/core/testing/starnix-tests:**",
],
},
{
source_moniker: "/core/network/netstack",
source: "component",
source_name: "fuchsia.net.root.Interfaces",
capability: "protocol",
target_monikers: [
"/core/network",
"/core/network/netstack",
"/core/testing/netstack-tests:**",
// TODO(https://fxbug.dev/42062982): Move away from Root API.
"/core/weavestack",
],
},
{
source_moniker: "/core/network/netstack",
source: "component",
source_name: "fuchsia.net.debug.Interfaces",
capability: "protocol",
target_monikers: [
"/core/network",
"/core/network/netstack",
"/core/network/reachability",
"/core/testing/netstack-tests:**",
],
},
{
source_moniker: "/core/network/netstack",
source: "component",
source_name: "fuchsia.posix.socket.packet.Provider",
capability: "protocol",
target_monikers: [
"/core/network",
"/core/network/dhcpd",
"/core/network/netstack/dhcp-client",
"/core/network/netstack",
"/core/testing/netstack-tests:**",
],
},
{
source_moniker: "/core/network/netstack",
source: "component",
source_name: "fuchsia.net.filter.Control",
capability: "protocol",
target_monikers: [
"/core/network",
"/core/network/netstack",
"/core/network/netcfg",
],
},
{
source_moniker: "/core/network/netstack",
source: "component",
source_name: "fuchsia.net.filter.SocketControl",
capability: "protocol",
target_monikers: [
"/core/network",
"/core/network/netstack",
],
},
{
source_moniker: "/core/network/netcfg",
source: "component",
source_name: "fuchsia.net.name.DnsServerWatcher",
capability: "protocol",
target_monikers: [
"/core/network",
"/core/network/netcfg",
// TODO(https://fxbug.dev/42175016): This is temporary until the new DNS
// configuration API is designed.
"/core/lowpan-ot-driver",
],
},
],
child_policy: {
reboot_on_terminate: [
"/bootstrap/cpu_manager",
"/bootstrap/driver_index",
"/bootstrap/fshost",
"/bootstrap/pkg-cache",
"/bootstrap/sysmem",
"/core/audio_core",
"/core/network/netstack",
"/core/network/socket-proxy",
"/core/setui_service",
"/core/system-update/omaha-client-service",
"/core/system-update/system-update-checker",
"/core/system-update/system-update-committer",
"/core/wlancfg",
"/core/wlandevicemonitor",
],
},
},
}