src/security/policy/component_manager_policy_build_type_base.json5

{
    security_policy: {
        job_policy: {
            main_process_critical: [
                "/bootstrap/fshost",
            ],
        },
        capability_policy: [
            {
                source_moniker: "<component_manager>",
                source: "component",
                source_name: "fuchsia.kernel.VmexResource",
                capability: "protocol",
                target_monikers: [
                    "/bootstrap/base_resolver",
                ],
            },
            {
                source_moniker: "/bootstrap/fshost",
                source: "component",
                source_name: "bin",
                capability: "directory",
                target_monikers: [
                    "/bootstrap/console-launcher",
                    "/bootstrap/fshost",
                ],
            },
            {
                source_moniker: "/bootstrap/fshost",
                source: "component",
                source_name: "data",
                capability: "directory",
                target_monikers: [
                    // TODO(https://fxbug.dev/42077029): Remove once session_manager gets autolaunch override
                    // from structured configuration
                    "/core/session-manager",
                ],
            },
            {
                source_moniker: "/bootstrap/fshost",
                source: "component",
                source_name: "tmp",
                capability: "directory",
                target_monikers: [
                    "/bootstrap/netsvc",
                    "/core",
                ],
            },
            {
                source_moniker: "/bootstrap/fshost/blobfs",
                source: "component",
                source_name: "blob-exec",
                capability: "directory",
                target_monikers: [
                    "/bootstrap/base_resolver",
                ],
            },
            {
                source_moniker: "/core/pkg-resolver",
                source: "component",
                source_name: "fuchsia.pkg.PackageResolver",
                capability: "protocol",
                target_monikers: [
                    "/core/system-updater",

                    // TODO(https://fxbug.dev/42074079) Use optional routing to remove these three routes on
                    // non-eng builds.
                    // Use of this capability is controlled by driver_index's structured config
                    // flag enable_ephemeral_drivers, which is disabled on non-eng builds.
                    // https://cs.opensource.google/fuchsia/fuchsia/+/main:src/lib/assembly/platform_configuration/src/subsystems/driver_framework.rs;l=30;drc=a6dbab2808229e37578e6dabdb6bae2a1c0130fe
                    "/bootstrap/driver_index",
                    "/bootstrap/driver_manager",

                    // TODO(https://fxbug.dev/294908859) Use optional routing to remove this route on
                    // non-eng builds.
                    // Use of this capability is controlled by kernel command line options
                    // https://cs.opensource.google/fuchsia/fuchsia/+/main:src/bringup/bin/console-launcher/console_launcher.cc;l=53;drc=2abb92a67d8528b484e1c8ee49bdc8badeaec184
                    "/bootstrap/console-launcher",

                    // TODO(b/303275551): Remove once the security policy error is fixed.
                    "/core",
                ],
            },
            {
                // We restrict access to base_resolver's Resolver protocol because we
                // expect only parts of component framework to be able to access it.
                source_moniker: "/bootstrap/base_resolver",
                source: "component",
                source_name: "fuchsia.component.resolution.Resolver",
                capability: "protocol",
                target_monikers: [
                    "/core/full-resolver",
                ],
            },
        ],
    },
}