{
enable_introspection: true,
security_policy: {
job_policy: {
ambient_mark_vmo_exec: [
// We allow tests to access ambient executability in the same
// way that we're permissive with use of the components v1
// deprecated-ambient-replace-as-executable feature and
// VmexResource protocol on eng builds.
//
// We explicitly enumerate all test realms here for
// informational purposes.
"/core/test_manager/chromium-system-tests:**",
"/core/test_manager/chromium-tests:**",
"/core/test_manager/cts-tests:**",
"/core/test_manager/devices-tests:**",
"/core/test_manager/drm-tests:**",
"/core/test_manager/google-tests:**",
"/core/test_manager/media-tests:**",
"/core/test_manager/system-tests:**",
"/core/test_manager/system-validation-tests:**",
"/core/test_manager/tests:**",
"/core/test_manager/vulkan-tests:**",
// We allow tests to access ambient executability in the same
// way that we're permissive with use of the components v1
// deprecated-ambient-replace-as-executable feature and
// VmexResource protocol on eng builds.
//
// Some test runners explicitly require ambient executability.
"/core/test_manager/elf_test_ambient_exec_runner",
"/core/test_manager/g3_dart_jit_product_runner",
],
create_raw_processes: [
"/core/test_manager/elf_test_create_raw_processes_runner",
"/core/test_manager/rust_test_create_raw_processes_runner",
"/core/testing/rust_test_create_raw_processes_runner",
],
},
capability_policy: [
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.boot.RootResource",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/core/test_manager/system-tests:**",
"/core/testing/vfs-compliance-tests:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.CpuResource",
capability: "protocol",
target_monikers: [
"/core/testing/vfs-compliance-tests:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.DebugResource",
capability: "protocol",
target_monikers: [
"/core/profiler",
"/core/testing/vfs-compliance-tests:**",
"/core/trace_manager/cpuperf_provider/cpu-trace",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.DebuglogResource",
capability: "protocol",
target_monikers: [
"/core/testing/vfs-compliance-tests:**",
"/bootstrap/pkg-drivers:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.FramebufferResource",
capability: "protocol",
target_monikers: [
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.HypervisorResource",
capability: "protocol",
target_monikers: [
"/core/testing/vfs-compliance-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.InfoResource",
capability: "protocol",
target_monikers: [
"/core/testing/vfs-compliance-tests:**",
"/bootstrap/pkg-drivers:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.IommuResource",
capability: "protocol",
target_monikers: [
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.IoportResource",
capability: "protocol",
target_monikers: [
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.IrqResource",
capability: "protocol",
target_monikers: [
"/core/testing/vfs-compliance-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.MexecResource",
capability: "protocol",
target_monikers: [
"/core/testing/vfs-compliance-tests:**",
"/core/test_manager/system-tests:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.MmioResource",
capability: "protocol",
target_monikers: [
"/core/testing/vfs-compliance-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.MsiResource",
capability: "protocol",
target_monikers: [
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.ProfileResource",
capability: "protocol",
target_monikers: [
"/core/testing/system-tests:**",
"/bootstrap/role_manager",
"/bootstrap/console-launcher",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.PowerResource",
capability: "protocol",
target_monikers: [
"/core/testing/vfs-compliance-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.RootJob",
capability: "protocol",
target_monikers: [
"/core/process_explorer",
"/core/debugger/agents:**",
"/core/testing/vfs-compliance-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.RootJobForInspect",
capability: "protocol",
target_monikers: [
"/core/testing/vfs-compliance-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.SmcResource",
capability: "protocol",
target_monikers: [
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.VmexResource",
capability: "protocol",
target_monikers: [
"/core/testing/vfs-compliance-tests:**",
// We allow tests to access ambient executability in the same
// way that we're permissive with use of the components v1
// deprecated-ambient-replace-as-executable feature and
// VmexResource protocol on eng builds.
"/core/test_manager/**",
// This protocol is used by `ffx component explore` in eng-only builds.
"/core/debug-dash-launcher",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
// Allow Lavapipe only on eng builds.
"/core/vulkan_loader",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "bin",
capability: "directory",
target_monikers: [
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "blob",
capability: "directory",
target_monikers: [
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "data",
capability: "directory",
target_monikers: [
"/bootstrap/base_resolver",
"/core/sshd-host",
// TODO(https://fxbug.dev/42181129): Remove once fixed.
"/core/sl4f",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "tmp",
capability: "directory",
target_monikers: [
// TODO(https://fxbug.dev/42181123): Remove once https://fxbug.dev/42167600 is fixed.
"/core/sl4f",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "build-info",
capability: "directory",
target_monikers: [
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "/core/pkg-resolver",
source: "component",
source_name: "fuchsia.pkg.PackageResolver",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/netsvc",
"/core/debug-dash-launcher",
"/core/process_resolver",
"/core/system-update-checker",
"/bootstrap/driver_index",
"/bootstrap/driver_manager",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "/core/lowpanservice",
source: "component",
source_name: "fuchsia.factory.lowpan.FactoryLookup",
capability: "protocol",
target_monikers: [
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "/core/lowpanservice",
source: "component",
source_name: "fuchsia.lowpan.device.DeviceExtraConnector",
capability: "protocol",
target_monikers: [
"/core/sl4f",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "/core/lowpanservice",
source: "component",
source_name: "fuchsia.lowpan.device.DeviceRouterExtraConnector",
capability: "protocol",
target_monikers: [
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this
// capability no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
],
debug_registration_policy: [
{
debug: "protocol",
environment_name: "test-env",
name: "fuchsia.debugdata.Publisher",
moniker: "/core/test_manager/**",
},
{
debug: "protocol",
environment_name: "test-env",
name: "fuchsia.debugdata.Publisher",
moniker: "/core/testing/**",
},
{
debug: "protocol",
environment_name: "fuzzed-env",
name: "fuchsia.fuzzer.CoverageDataCollector",
moniker: "/core/test_manager/tests:**",
},
{
debug: "protocol",
environment_name: "test-env",
name: "fuchsia.debugdata.DebugData",
moniker: "/core/test_manager",
},
],
},
}