Google Git
Sign in
fuchsia / fuchsia / f66dca77d1ac3cb26ced89d9e21fb92d0aa91873 / . / src / security / policy / component_manager_policy.json5
blob: 205e8bc04ae780addfb81071771edf3e8e7fa868 [file] [log] [blame]
{
security_policy: {
job_policy: {
ambient_mark_vmo_exec: [
"/core/appmgr",
],
main_process_critical: [
"/bootstrap/archivist",
"/bootstrap/driver_manager",
"/bootstrap/fshost",
"/bootstrap/power_manager",
"/bootstrap/shutdown_shim",
],
},
capability_policy: [
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.boot.RootResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/console",
"/bootstrap/console-launcher",
"/bootstrap/driver_manager",
"/bootstrap/netsvc",
"/bootstrap/svchost",
"/core",
"/core/appmgr",
"/core/debug_serial",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.DebugResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/core",
"/core/appmgr",
"/core/debug_serial",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.HypervisorResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/core",
"/core/appmgr",
"/core/debug_serial",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.InfoResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/core",
"/core/appmgr",
"/core/debug_serial",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.IoportResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/core",
"/core/appmgr",
"/core/debug_serial",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.IrqResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/core",
"/core/appmgr",
"/core/debug_serial",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.RootJob",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/driver_manager",
"/bootstrap/netsvc",
"/bootstrap/svchost",
"/core",
"/core/appmgr",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.RootJobForInspect",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/netsvc",
"/core",
"/core/appmgr",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.MmioResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/core",
"/core/appmgr",
"/core/debug_serial",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.SmcResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/core",
"/core/appmgr",
"/core/debug_serial",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.VmexResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/fshost",
"/core",
"/core/appmgr",
"/core/debug_serial",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "bin",
capability: "directory",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/fshost",
"/bootstrap/netsvc",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "blob",
capability: "directory",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/fshost",
"/bootstrap/netsvc",
"/core",
"/core/appmgr",
"/core/pkg-cache",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "pkgfs",
capability: "directory",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/fshost",
"/bootstrap/netsvc",
"/core",
"/core/appmgr",
"/core/pkg-cache",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "minfs",
capability: "directory",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/fshost",
"/bootstrap/netsvc",
"/core",
"/core/appmgr",
"/core/minfs",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "system",
capability: "directory",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/driver_manager",
"/bootstrap/fshost",
"/bootstrap/netsvc",
"/core",
"/core/appmgr",
"/core/vulkan_loader",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "tmp",
capability: "directory",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/fshost",
"/bootstrap/netsvc",
"/core",
"/core/appmgr",
],
},
{
// We restrict access to PackageResolver because it gives direct access to package
// handles which provide executability which bypass VX security policy.
source_moniker: "/core/appmgr",
source: "component",
source_name: "fuchsia.pkg.PackageResolver",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/netsvc",
"/core/universe-resolver",
],
},
{
// We restrict access to PackageCache because it gives direct access to package
// handles which provide executability which bypass VX security policy.
source_moniker: "/core/pkg-cache",
source: "component",
source_name: "fuchsia.pkg.PackageCache",
capability: "protocol",
target_monikers: [
"/core/appmgr",
],
},
{
// We restrict access to base-resolver's ComponentResolver protocol because we
// expect only parts of component framework to be able to access it.
source_moniker: "/bootstrap/base-resolver",
source: "component",
source_name: "fuchsia.sys2.ComponentResolver",
capability: "protocol",
target_monikers: [
"/core/universe-resolver",
],
},
],
},
}