| { |
| security_policy: { |
| job_policy: { |
| ambient_mark_vmo_exec: [ |
| // We allow tests to access ambient executability in the same |
| // way that we're permissive with use of the components v1 |
| // deprecated-ambient-replace-as-executable feature and |
| // VmexResource protocol on eng builds. |
| "/core/test_manager/**", |
| "/core/testing/**", |
| ], |
| create_raw_processes: [ |
| "/core/test_manager/elf_test_create_raw_processes_ambient_exec_runner", |
| "/core/test_manager/elf_test_create_raw_processes_runner", |
| "/core/test_manager/starnix_unit_test_runner", |
| "/core/test_manager/system-tests:**", |
| "/core/testing/elf_test_create_raw_processes_ambient_exec_runner", |
| "/core/testing/elf_test_create_raw_processes_runner", |
| "/core/testing/starnix-tests:**", |
| "/core/testing/system-tests:**", |
| "/core/testing/starnix_test_runners/starnix_unit_test_runner", |
| ], |
| }, |
| capability_policy: [ |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.CpuResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.DebugResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.DebuglogResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.FramebufferResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap/boot-drivers:dev", |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.HypervisorResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/zircon-guest-manager/vmm", |
| "/core/debian-guest-manager/vmm", |
| "/core/termina-guest-manager/vmm", |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.InfoResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap/boot-drivers:**", |
| "/bootstrap/pkg-drivers:**", |
| "/bootstrap/full-pkg-drivers:**", |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.IommuResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap/boot-drivers:dev", |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.IoportResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap/boot-drivers:dev", |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.IrqResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap/boot-drivers:dev", |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.RootJob", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/process_explorer", |
| "/core/profiler", |
| "/core/debugger/agents:**", |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.RootJobForInspect", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.MexecResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.MmioResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap/boot-drivers:dev", |
| "/core/zircon-guest-manager/vmm", |
| "/core/debian-guest-manager/vmm", |
| "/core/termina-guest-manager/vmm", |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.MsiResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap/boot-drivers:dev", |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.PowerResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.SmcResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap/boot-drivers:dev", |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.VmexResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/zircon-guest-manager/vmm", |
| "/core/debian-guest-manager/vmm", |
| "/core/termina-guest-manager/vmm", |
| "/core/testing/starnix-tests:**", |
| "/core/testing/system-tests:**", |
| "/core/test_manager/system-tests:**", |
| "/core/test_manager/chromium-system-tests:**", |
| "/core/test_manager/chromium-tests:**", |
| "/core/testing/chromium-tests:**", |
| |
| // debug-dash-launcher is used in engineering builds to launch dash shells. |
| // It uses PackageResolver to add tool package directories into the dash |
| // environment. |
| "/core/debug-dash-launcher", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.component.resolution.Resolver", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap/driver_index", |
| "/bootstrap/driver_manager", |
| ], |
| }, |
| { |
| source_moniker: "/", |
| source: "framework", |
| source_name: "fuchsia.component.Introspector", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/memory_monitor", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "blob", |
| capability: "directory", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "fuchsia.fxfs.WriteBlob", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap/pkg-cache", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "data", |
| capability: "directory", |
| target_monikers: [ |
| "/core/ssh-key-manager", |
| "/core/sshd-host", |
| |
| // TODO(https://fxbug.dev/42181129): Remove once fixed. |
| "/core/sl4f", |
| |
| // TODO(https://fxbug.dev/42077029): Remove once session_manager gets autolaunch |
| // override from structured configuration. |
| "/core/session-manager", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "tmp", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap/netsvc", |
| "/core", |
| |
| // TODO(https://fxbug.dev/42181123): Remove once https://fxbug.dev/42167600 is fixed. |
| "/core/sl4f", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| // We restrict access to PackageResolver because it gives direct access to package |
| // handles that provide executability, bypassing VX security policy. |
| source_moniker: "/core/pkg-resolver", |
| source: "component", |
| source_name: "fuchsia.pkg.PackageResolver", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/full_resolver", |
| "/bootstrap/netsvc", |
| |
| // debug-dash-launcher is used in engineering builds to launch |
| // dash shells. It uses PackageResolver to add tool package directories |
| // into the dash environment. |
| "/core/debug-dash-launcher", |
| "/core/process_resolver", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| // We restrict access to ProcessResolver because it is a deprecated protocol |
| // that allows resolving binaries from universe packages. |
| source_moniker: "/core/process_resolver", |
| source: "component", |
| source_name: "fuchsia.process.Resolver", |
| capability: "protocol", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| |
| // This protocol is available in the serial console |
| "/bootstrap/console-launcher", |
| |
| // This collection is used by CTF tests |
| "/core/testing/ctf-tests:**", |
| |
| // TODO(https://fxbug.dev/42057361): Scrutiny throws a routing error unless |
| // this is added. `process_resolver` does not have a `use` declaration for |
| // its own capability. |
| "/core/process_resolver", |
| "/core/driver_playground", |
| |
| // debug-dash-launcher is used in engineering builds to launch dash shells. It |
| // uses ProcessResolver to allow #!resolve scripts to be included in the dash |
| // environment. |
| "/core/debug-dash-launcher", |
| ], |
| }, |
| { |
| // We restrict access to PackageResolver because it gives direct access to |
| // executable package handles. |
| source_moniker: "/bootstrap/pkg-cache", |
| source: "component", |
| source_name: "fuchsia.pkg.PackageResolver", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/debug-dash-launcher", |
| "/core/process_resolver", |
| ], |
| }, |
| { |
| // We restrict access to component.resolution.Resolver because it gives direct |
| // access to executable package handles. |
| source_moniker: "/bootstrap/pkg-cache", |
| source: "component", |
| source_name: "fuchsia.component.resolution.Resolver", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap/driver_index", |
| "/bootstrap/driver_manager", |
| "/core/full-resolver", |
| ], |
| }, |
| { |
| // We restrict access to component.resolution.Resolver because it gives direct |
| // access to executable package handles. |
| source_moniker: "/bootstrap/full_resolver", |
| source: "component", |
| source_name: "fuchsia.component.resolution.Resolver", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap/driver_index", |
| "/bootstrap/driver_manager", |
| ], |
| }, |
| { |
| // We restrict access to PackageCache because it gives direct access to package |
| // handles that provide executability, bypassing VX security policy. |
| source_moniker: "/bootstrap/pkg-cache", |
| source: "component", |
| source_name: "fuchsia.pkg.PackageCache", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/pkg-resolver", |
| "/core/system-update/system-updater", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| // We restrict access to RetainedPackages because it gives callers the ability |
| // to override certain package garbage collection behavior intended to only be |
| // used by the system updater. |
| source_moniker: "/bootstrap/pkg-cache", |
| source: "component", |
| source_name: "fuchsia.pkg.RetainedPackages", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/system-update/system-updater", |
| ], |
| }, |
| { |
| // We restrict access to PackageCache because it gives direct access to executable |
| // binaries. |
| source_moniker: "/bootstrap/pkg-cache", |
| source: "component", |
| source_name: "bin", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap/console-launcher", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/pkg-cache", |
| source: "component", |
| source_name: "build-info", |
| capability: "directory", |
| target_monikers: [ |
| "/core/build-info", |
| "/core/feedback", |
| "/core/system-update/omaha-client-service", |
| "/core/system-update/system-update-checker", |
| "/core/system-update/system-updater", |
| |
| // TODO(crbug.com/1326674): Is this still needed for one |
| // or both realms? |
| // TODO(https://fxbug.dev/42173552): Once we can define test realms out of tree |
| // we should remove this. |
| "/core/test_manager/chromium-system-tests:**", |
| "/core/test_manager/chromium-tests:**", |
| "/core/testing/chromium-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| // We restrict access to pkgfs because it gives direct access to executable package |
| // handles. |
| source_moniker: "/bootstrap/pkg-cache", |
| source: "component", |
| source_name: "pkgfs", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap/console-launcher", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| // We restrict access to pkgfs-packages because it gives direct access to |
| // executable package handles. |
| source_moniker: "/bootstrap/pkg-cache", |
| source: "component", |
| source_name: "pkgfs-packages", |
| capability: "directory", |
| target_monikers: [], |
| }, |
| { |
| // We restrict access to system because it gives direct access to executable |
| // binaries. |
| source_moniker: "/bootstrap/pkg-cache", |
| source: "component", |
| source_name: "system", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/driver_manager", |
| "/core/system-update/omaha-client-service", |
| "/core/system-update/system-update-checker", |
| "/core/system-update/system-updater", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| |
| // Only route the component resolver to test manager and system tests. |
| // TODO(https://fxbug.dev/42167477): Remove this once we have the facet API. |
| { |
| source_moniker: "/core/full-resolver", |
| source: "component", |
| source_name: "fuchsia.component.resolution.Resolver", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/test_manager", |
| "/core/testing/test-arch-tests:**", |
| "/core/full-resolver", |
| ], |
| }, |
| |
| // TODO(https://fxbug.dev/42173364): Remove the source moniker from the target list once this is resolved. |
| { |
| source_moniker: "/bootstrap/cr50_agent", |
| source: "component", |
| source_name: "fuchsia.tpm.cr50.PinWeaver", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/cr50_agent", |
| ], |
| }, |
| |
| // TODO(https://fxbug.dev/42173364): Remove the source moniker from the target list once this is resolved. |
| { |
| source_moniker: "/bootstrap/cr50_agent", |
| source: "component", |
| source_name: "fuchsia.tpm.cr50.Cr50", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/cr50_agent", |
| "/bootstrap/console-launcher", |
| "/bootstrap/paver", |
| ], |
| }, |
| { |
| source_moniker: "/core/lowpanservice", |
| source: "component", |
| source_name: "fuchsia.factory.lowpan.FactoryLookup", |
| capability: "protocol", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "/core/lowpanservice", |
| source: "component", |
| source_name: "fuchsia.lowpan.device.DeviceExtraConnector", |
| capability: "protocol", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42059298): Create explicit security policies for |
| // out-of-tree product variants. |
| "/core/factory/realm_builder:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "/core/lowpanservice", |
| source: "component", |
| source_name: "fuchsia.lowpan.device.DeviceRouterExtraConnector", |
| capability: "protocol", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| // We restrict access to dev because it is equivalent to giving access to the |
| // component hub. |
| // Users should try to use the dev-class directory capability instead. |
| // OWNERS: surajmalhotra@google.com, dgilhooley@google.com |
| source_moniker: "/bootstrap/devfs", |
| source: "component", |
| source_name: "dev-topological", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap/devfs", |
| "/bootstrap/devfs-with-pkg", |
| "/bootstrap/fshost", |
| "/bootstrap/fshost/blobfs", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/devfs-with-pkg", |
| source: "component", |
| source_name: "dev-topological", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/cpu_manager", |
| "/bootstrap/devfs-with-pkg", |
| "/bootstrap/flashmap", |
| "/bootstrap/paver", |
| "/bootstrap/power_manager", |
| "/bootstrap/sysinfo", |
| "/bootstrap/vboot-fwparam", |
| "/core/audio_recording", |
| "/core/bt-rootcanal", |
| "/core/driver_playground", |
| "/core/factory", |
| "/core/factory_env", |
| "/core/factory/framework", |
| "/core/factory_reset", |
| "/core/ffx-laboratory:**", |
| "/core/oemcrypto", |
| "/core/playready-cdm", |
| "/core/pre-migration-service", |
| "/core/reverse-migration", |
| "/core/sl4f", |
| "/core/termina-guest-manager", |
| "/core/test_manager/google-tests:**", |
| "/core/test_manager/system-tests:**", |
| "/core/testing/devices-tests:**", |
| "/core/testing/drm-tests:**", |
| "/core/testing/system-tests:**", |
| "/core/testing/system-validation-tests:**", |
| "/core/trace_manager/cpuperf_provider", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability |
| // no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| // devfs access should be routed through the /bootstrap/devfs component |
| source_moniker: "/bootstrap/driver_manager", |
| source: "component", |
| source_name: "dev", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap/devfs", |
| "/bootstrap/driver_manager", |
| ], |
| }, |
| ], |
| }, |
| } |