[security][appmgr] check in package resolver allowlists

Also create /src/sys/security/policy directory.

The userdebug allowlist will be superseded by a slightly more restrictive
allowlist in user builds.

Change-Id: I0893f5198d3883f164d6e3b3cd89aa236b575948
diff --git a/products/core.gni b/products/core.gni
index dedbccd..07ec552 100644
--- a/products/core.gni
+++ b/products/core.gni
@@ -63,6 +63,7 @@
   "//src/identity/bin:core",
   "//src/media/audio/bundles:audio_config",
   "//src/recovery/factory_reset",
+  "//src/security/policy:appmgr_package_resolver_allowlist_userdebug",
   "//src/sys/appmgr",
   "//src/sys/appmgr:appmgr_component_event_provider_allowlist",
   "//src/sys/appmgr:appmgr_deprecated_shell_allowlist",
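Review bot: Nothing in the visible diff references `appmgr_package_resolver_allowlist_user` from a product, while the line added here puts the `_userdebug` target into this list unconditionally. Because that target depends on `//build/images:non_production_tag`, a user build assembled from this list would presumably either trip the production check or need the entry swapped by hand. A comment above the new line, such as `# userdebug/eng only; user products must list :appmgr_package_resolver_allowlist_user instead`, would make the expectation explicit. The list continues outside the hunk.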
diff --git a/src/security/policy/BUILD.gn b/src/security/policy/BUILD.gn
new file mode 100644
index 0000000..5a20417
--- /dev/null
+++ b/src/security/policy/BUILD.gn
@@ -0,0 +1,19 @@
+# Copyright 2020 The Fuchsia Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+import("//build/config.gni")
+
+config_data("appmgr_package_resolver_allowlist_user") {
+  for_pkg = "appmgr"
+  sources = [ "package_resolver_allowlist_user.txt" ]
+  outputs = [ "allowlist/package_resolver.txt" ]
+}
+
+# The primary difference from _user is support for pkgctl.
+config_data("appmgr_package_resolver_allowlist_userdebug") {
+  for_pkg = "appmgr"
+  sources = [ "package_resolver_allowlist_userdebug.txt" ]
+  outputs = [ "allowlist/package_resolver.txt" ]
+  deps = [ "//build/images:non_production_tag" ]  # Ensure exclusion from _user builds.
+}
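Review bot: The comment above the `_userdebug` target says the primary difference from `_user` is support for pkgctl, but `package_resolver_allowlist_user.txt` in this same commit also lists `pkgctl.cmx` and `amberctl.cmx`. What the userdebug file adds is the test components. Both targets also write `allowlist/package_resolver.txt` for `appmgr`, so they look mutually exclusive within one image, and that is worth stating. I would reword the comment to `# Non-production variant: additionally allows test components. A product should include only one of _user/_userdebug, since both write allowlist/package_resolver.txt.`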
diff --git a/src/security/policy/OWNERS b/src/security/policy/OWNERS
new file mode 100644
index 0000000..bc8dec1
--- /dev/null
+++ b/src/security/policy/OWNERS
@@ -0,0 +1,4 @@
+jln@google.com
+dkrahn@google.com
+ampearce@google.com
+per-file package_resolver_allowlist_* = file: /src/sys/pkg/OWNERS
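Review bot: The `per-file` rule on the last line appears to let anyone in `/src/sys/pkg/OWNERS` approve changes to the allowlist files without involving the three owners listed above it. These files decide which components may reach the package resolver, so widening them is a security-policy change. If security sign-off is meant to be required, that intent is not expressed here. If the delegation is deliberate, a comment such as `# Package team may approve allowlist changes; security owners are not required reviewers` would record the decision.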
diff --git a/src/security/policy/package_resolver_allowlist_user.txt b/src/security/policy/package_resolver_allowlist_user.txt
new file mode 100644
index 0000000..20b0c0d
--- /dev/null
+++ b/src/security/policy/package_resolver_allowlist_user.txt
@@ -0,0 +1,8 @@
+fuchsia-pkg://fuchsia.com/system_updater#meta/system_updater.cmx
+fuchsia-pkg://fuchsia.com/system-update-checker#meta/system-update-checker.cmx
+fuchsia-pkg://fuchsia.com/component_manager#meta/component_manager_sfw.cmx
+fuchsia-pkg://fuchsia.com/system_updater_isolated#meta/system_updater_isolated.cmx
+# Minimizing this list is tracked in fxb/43629. At least the following will be removed.
+fuchsia-pkg://fuchsia.com/amberctl#meta/amberctl.cmx
+fuchsia-pkg://fuchsia.com/pkgctl#meta/pkgctl.cmx
+fuchsia-pkg://fuchsia.com/system-update-checker#meta/system-update-checker-for-integration-test.cmx
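Review bot: The last entry allows `system-update-checker-for-integration-test.cmx`, a test-only component judging by its name, in the list meant for user builds. The comment above the `amberctl` entry already marks these three for removal under fxb/43629. As far as the visible diff shows, no product consumes the `_user` target yet, so the test entry could probably be left out from the start rather than removed later. The file would also benefit from a header comment such as `# Components allowed to use the package resolver in user builds. Keep this list minimal.`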
diff --git a/src/security/policy/package_resolver_allowlist_userdebug.txt b/src/security/policy/package_resolver_allowlist_userdebug.txt
new file mode 100644
index 0000000..1e45579
--- /dev/null
+++ b/src/security/policy/package_resolver_allowlist_userdebug.txt
@@ -0,0 +1,18 @@
+# TODO: don't block components started in a testenv from getting resolver access
+# if they're not interacting with the privileged capability. Until then, this
+# list can grow.
+fuchsia-pkg://fuchsia.com/system_updater#meta/system_updater.cmx
+fuchsia-pkg://fuchsia.com/amberctl#meta/amberctl.cmx
+fuchsia-pkg://fuchsia.com/pkgctl#meta/pkgctl.cmx
+fuchsia-pkg://fuchsia.com/system-update-checker#meta/system-update-checker.cmx
+fuchsia-pkg://fuchsia.com/system-update-checker#meta/system-update-checker-for-integration-test.cmx
+fuchsia-pkg://fuchsia.com/system-update-checker-integration-tests#meta/system-update-checker-for-integration-test.cmx
+fuchsia-pkg://fuchsia.com/component_manager#meta/component_manager_sfw.cmx
+fuchsia-pkg://fuchsia.com/component_manager_panic_test#meta/component_manager_panic_test.cmx
+fuchsia-pkg://fuchsia.com/shutdown_integration_test#meta/shutdown_integration_test.cmx
+fuchsia-pkg://fuchsia.com/dash_test#meta/dash_test.cmx
+fuchsia-pkg://fuchsia.com/amberctl-tests#meta/amberctl.cmx
+fuchsia-pkg://fuchsia.com/system-update-checker-integration-tests#meta/system-update-checker-integration-test.cmx
+fuchsia-pkg://fuchsia.com/pkgctl-integration-tests#meta/pkgctl-integration-test.cmx
+fuchsia-pkg://fuchsia.com/system-updater-integration-tests#meta/system_updater_isolated.cmx
+fuchsia-pkg://fuchsia.com/pkgctl-integration-tests#meta/pkgctl.cmx
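Review bot: `fuchsia-pkg://fuchsia.com/system_updater_isolated#meta/system_updater_isolated.cmx` is in the user list but not in this one. The only `system_updater_isolated.cmx` entry here is under the `system-updater-integration-tests` package. The commit message describes the user list as the more restrictive of the two, so this looks like an omission. If entries are matched by full URL (the matching code is not in this diff), that component would be denied on builds that take this file. Either add the line or say in the header comment why it is left out.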