Google Git
Sign in
fuchsia / fuchsia / refs/heads/releases/canary / . / src / security / policy / component_manager_policy.json5
blob: 5a404a2391f71c128287567ad26b442d4345ff92 [file] [log] [blame]
{
security_policy: {
job_policy: {
ambient_mark_vmo_exec: [
// We allow tests to access ambient executability in the same
// way that we're permissive with use of the components v1
// deprecated-ambient-replace-as-executable feature and
// VmexResource protocol on eng builds.
"/core/test_manager/**",
"/core/testing/**",
],
create_raw_processes: [
"/core/test_manager/elf_test_create_raw_processes_ambient_exec_runner",
"/core/test_manager/elf_test_create_raw_processes_runner",
"/core/test_manager/starnix_unit_test_runner",
"/core/test_manager/system-tests:**",
"/core/testing/elf_test_create_raw_processes_ambient_exec_runner",
"/core/testing/elf_test_create_raw_processes_runner",
"/core/testing/starnix-tests:**",
"/core/testing/system-tests:**",
"/core/testing/starnix_test_runners/starnix_unit_test_runner",
],
},
capability_policy: [
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.boot.RootResource",
capability: "protocol",
target_monikers: [
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.CpuResource",
capability: "protocol",
target_monikers: [
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.DebugResource",
capability: "protocol",
target_monikers: [
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.DebuglogResource",
capability: "protocol",
target_monikers: [
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.FramebufferResource",
capability: "protocol",
target_monikers: [
"/bootstrap/boot-drivers:dev",
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.HypervisorResource",
capability: "protocol",
target_monikers: [
"/core/zircon-guest-manager/vmm",
"/core/debian-guest-manager/vmm",
"/core/termina-guest-manager/vmm",
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.InfoResource",
capability: "protocol",
target_monikers: [
"/bootstrap/boot-drivers:**",
"/bootstrap/pkg-drivers:**",
"/bootstrap/full-pkg-drivers:**",
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.IommuResource",
capability: "protocol",
target_monikers: [
"/bootstrap/boot-drivers:dev",
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.IoportResource",
capability: "protocol",
target_monikers: [
"/bootstrap/boot-drivers:dev",
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.IrqResource",
capability: "protocol",
target_monikers: [
"/bootstrap/boot-drivers:dev",
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.RootJob",
capability: "protocol",
target_monikers: [
"/core/process_explorer",
"/core/profiler",
"/core/debugger/agents:**",
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.RootJobForInspect",
capability: "protocol",
target_monikers: [
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.MexecResource",
capability: "protocol",
target_monikers: [
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.MmioResource",
capability: "protocol",
target_monikers: [
"/bootstrap/boot-drivers:dev",
"/core/zircon-guest-manager/vmm",
"/core/debian-guest-manager/vmm",
"/core/termina-guest-manager/vmm",
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.MsiResource",
capability: "protocol",
target_monikers: [
"/bootstrap/boot-drivers:dev",
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.PowerResource",
capability: "protocol",
target_monikers: [
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.SmcResource",
capability: "protocol",
target_monikers: [
"/bootstrap/boot-drivers:dev",
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.kernel.VmexResource",
capability: "protocol",
target_monikers: [
// TODO(https://fxbug.dev/42073035): Remove once merkle verification happens
// out-of-process.
"/bootstrap/fshost/fxfs",
"/core/zircon-guest-manager/vmm",
"/core/debian-guest-manager/vmm",
"/core/termina-guest-manager/vmm",
"/core/testing/starnix-tests:**",
"/core/testing/system-tests:**",
"/core/test_manager/system-tests:**",
"/core/test_manager/chromium-system-tests:**",
"/core/test_manager/chromium-tests:**",
"/core/testing/chromium-tests:**",
// debug-dash-launcher is used in engineering builds to launch dash shells.
// It uses PackageResolver to add tool package directories into the dash
// environment.
"/core/debug-dash-launcher",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "<component_manager>",
source: "component",
source_name: "fuchsia.component.resolution.Resolver",
capability: "protocol",
target_monikers: [
"/bootstrap/driver_index",
"/bootstrap/driver_manager",
],
},
{
source_moniker: "/",
source: "framework",
source_name: "fuchsia.component.Introspector",
capability: "protocol",
target_monikers: [
"/core/memory_monitor",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "blob",
capability: "directory",
target_monikers: [
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "fuchsia.fxfs.WriteBlob",
capability: "protocol",
target_monikers: [
"/bootstrap/pkg-cache",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "data",
capability: "directory",
target_monikers: [
"/core/ssh-key-manager",
"/core/sshd-host",
// TODO(https://fxbug.dev/42181129): Remove once fixed.
"/core/sl4f",
// TODO(https://fxbug.dev/42077029): Remove once session_manager gets autolaunch
// override from structured configuration.
"/core/session-manager",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "/bootstrap/fshost",
source: "component",
source_name: "tmp",
capability: "directory",
target_monikers: [
"/bootstrap/netsvc",
"/core",
// TODO(https://fxbug.dev/42181123): Remove once https://fxbug.dev/42167600 is fixed.
"/core/sl4f",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
// We restrict access to PackageResolver because it gives direct access to package
// handles which provide executability which bypass VX security policy.
source_moniker: "/core/pkg-resolver",
source: "component",
source_name: "fuchsia.pkg.PackageResolver",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/full_resolver",
"/bootstrap/netsvc",
// debug-dash-launcher is used in engineering builds to launch
// dash shells. It uses PackageResolver to add tool package directories
// into the dash environment.
"/core/debug-dash-launcher",
"/core/process_resolver",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
// We restrict access to ProcessResolver because it is a deprecated protocol
// that allows resolving binaries from universe packages.
source_moniker: "/core/process_resolver",
source: "component",
source_name: "fuchsia.process.Resolver",
capability: "protocol",
target_monikers: [
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
// This protocol is available in the serial console
"/bootstrap/console-launcher",
// This collection is used by CTF tests
"/core/testing/ctf-tests:**",
// TODO(https://fxbug.dev/42057361): Scrutiny throws an routing error unless
// this is added. `process_resolver` does not have a `use` declaration for
// it's own capability.
"/core/process_resolver",
"/core/driver_playground",
// debug-dash-launcher is used in engineering builds to launch dash shells. It
// uses ProcessResolver to allow #!resolve scripts to be include in the dash
// environment.
"/core/debug-dash-launcher",
],
},
{
// We restrict access to PackageResolver because it gives direct access to
// executable package handles.
source_moniker: "/bootstrap/pkg-cache",
source: "component",
source_name: "fuchsia.pkg.PackageResolver",
capability: "protocol",
target_monikers: [
"/core/debug-dash-launcher",
"/core/process_resolver",
],
},
{
// We restrict access to component.resolution.Resolver because it gives direct
// access to executable package handles.
source_moniker: "/bootstrap/pkg-cache",
source: "component",
source_name: "fuchsia.component.resolution.Resolver",
capability: "protocol",
target_monikers: [
"/bootstrap/driver_index",
"/bootstrap/driver_manager",
"/core/full-resolver",
],
},
{
// We restrict access to component.resolution.Resolver because it gives direct
// access to executable package handles.
source_moniker: "/bootstrap/full_resolver",
source: "component",
source_name: "fuchsia.component.resolution.Resolver",
capability: "protocol",
target_monikers: [
"/bootstrap/driver_index",
"/bootstrap/driver_manager",
],
},
{
// We restrict access to PackageCache because it gives direct access to package
// handles which provide executability which bypass VX security policy.
source_moniker: "/bootstrap/pkg-cache",
source: "component",
source_name: "fuchsia.pkg.PackageCache",
capability: "protocol",
target_monikers: [
"/core/pkg-resolver",
"/core/system-update/system-updater",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
// We restrict access to RetainedPackages because it gives callers the ability
// to override certain package garbage collection behavior intended to only be
// used by the system updater.
source_moniker: "/bootstrap/pkg-cache",
source: "component",
source_name: "fuchsia.pkg.RetainedPackages",
capability: "protocol",
target_monikers: [
"/core/system-update/system-updater",
],
},
{
// We restrict access to PackageCache because it gives direct access to executable
// binaries.
source_moniker: "/bootstrap/pkg-cache",
source: "component",
source_name: "bin",
capability: "directory",
target_monikers: [
"/bootstrap/console-launcher",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "/bootstrap/pkg-cache",
source: "component",
source_name: "build-info",
capability: "directory",
target_monikers: [
"/core/build-info",
"/core/feedback",
"/core/system-update/omaha-client-service",
"/core/system-update/system-update-checker",
"/core/system-update/system-updater",
// TODO(crbug.com/1326674): Is this still needed for one
// or both realms?
// TODO(https://fxbug.dev/42173552): Once we can define test realms out of tree
// we should remove this.
"/core/test_manager/chromium-system-tests:**",
"/core/test_manager/chromium-tests:**",
"/core/testing/chromium-tests:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
// We restrict access to pkgfs because it gives direct access to executable package
// handles.
source_moniker: "/bootstrap/pkg-cache",
source: "component",
source_name: "pkgfs",
capability: "directory",
target_monikers: [
"/bootstrap/console-launcher",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
// We restrict access to pkgfs-packages because it gives direct access to
// executable package handles.
source_moniker: "/bootstrap/pkg-cache",
source: "component",
source_name: "pkgfs-packages",
capability: "directory",
target_monikers: [],
},
{
// We restrict access to system because it gives direct access to executable
// binaries.
source_moniker: "/bootstrap/pkg-cache",
source: "component",
source_name: "system",
capability: "directory",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/driver_manager",
"/core/system-update/omaha-client-service",
"/core/system-update/system-update-checker",
"/core/system-update/system-updater",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
// Only route Component resolver to test manager and system tests.
// TODO(https://fxbug.dev/42167477): Remove this once we have facet API
{
source_moniker: "/core/full-resolver",
source: "component",
source_name: "fuchsia.component.resolution.Resolver",
capability: "protocol",
target_monikers: [
"/core/test_manager",
"/core/testing/test-arch-tests:**",
"/core/full-resolver",
],
},
//TODO(https://fxbug.dev/42173364) - Remove source moniker after from target.
{
source_moniker: "/bootstrap/cr50_agent",
source: "component",
source_name: "fuchsia.tpm.cr50.PinWeaver",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/cr50_agent",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
//TODO(https://fxbug.dev/42173364) - Remove source moniker after from target.
{
source_moniker: "/bootstrap/cr50_agent",
source: "component",
source_name: "fuchsia.tpm.cr50.Cr50",
capability: "protocol",
target_monikers: [
"/bootstrap",
"/bootstrap/cr50_agent",
"/bootstrap/console-launcher",
"/bootstrap/paver",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "/core/lowpanservice",
source: "component",
source_name: "fuchsia.factory.lowpan.FactoryLookup",
capability: "protocol",
target_monikers: [
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "/core/lowpanservice",
source: "component",
source_name: "fuchsia.lowpan.device.DeviceExtraConnector",
capability: "protocol",
target_monikers: [
// TODO(https://fxbug.dev/42059298): Create explicit security policies for
// out-of-tree product variants.
"/core/factory/realm_builder:**",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
source_moniker: "/core/lowpanservice",
source: "component",
source_name: "fuchsia.lowpan.device.DeviceRouterExtraConnector",
capability: "protocol",
target_monikers: [
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
// We restrict access to dev because it is equivalent to giving access to the
// component hub.
// Users should try to use the dev-class directory capability instead.
// OWNERS: surajmalhotra@google.com, dgilhooley@google.com
source_moniker: "/bootstrap/devfs",
source: "component",
source_name: "dev-topological",
capability: "directory",
target_monikers: [
"/bootstrap/devfs",
"/bootstrap/devfs-with-pkg",
"/bootstrap/fshost",
"/bootstrap/fshost/blobfs",
],
},
{
source_moniker: "/bootstrap/devfs-with-pkg",
source: "component",
source_name: "dev-topological",
capability: "directory",
target_monikers: [
"/bootstrap",
"/bootstrap/console-launcher",
"/bootstrap/cpu_manager",
"/bootstrap/devfs-with-pkg",
"/bootstrap/flashmap",
"/bootstrap/paver",
"/bootstrap/power_manager",
"/bootstrap/sysinfo",
"/bootstrap/vboot-fwparam",
"/core/audio_recording",
"/core/bt-rootcanal",
"/core/driver_playground",
"/core/factory",
"/core/factory_env",
"/core/factory/framework",
"/core/factory_reset",
"/core/ffx-laboratory:**",
"/core/oemcrypto",
"/core/playready-cdm",
"/core/pre-migration-service",
"/core/reverse-migration",
"/core/sl4f",
"/core/termina-guest-manager",
"/core/test_manager/google-tests:**",
"/core/test_manager/system-tests:**",
"/core/testing/devices-tests:**",
"/core/testing/drm-tests:**",
"/core/testing/system-tests:**",
"/core/testing/system-validation-tests:**",
"/core/trace_manager/cpuperf_provider",
// TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this capability
// no longer run in the sshd realm.
"/core/sshd-host/shell:**",
],
},
{
// devfs access should be routed through the /bootstrap/devfs component
source_moniker: "/bootstrap/driver_manager",
source: "component",
source_name: "dev",
capability: "directory",
target_monikers: [
"/bootstrap/devfs",
"/bootstrap/driver_manager",
],
},
],
},
}