| { |
| security_policy: { |
| job_policy: { |
| main_process_critical: [ |
| "/bootstrap/archivist", |
| "/bootstrap/devfs", |
| "/bootstrap/devfs-with-pkg", |
| "/bootstrap/driver_manager", |
| "/bootstrap/power_manager", |
| "/bootstrap/shutdown_shim", |
| ], |
| }, |
| capability_policy: [ |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.boot.RootResource", |
| capability: "protocol", |
| target_monikers: [], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.CpuResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/boot-drivers:**", |
| "/bootstrap/power_manager", |
| "/bootstrap/cpu_manager", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.DebugResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console", |
| "/bootstrap/console-launcher", |
| "/bootstrap/kernel_debug_broker", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.DebuglogResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console", |
| "/bootstrap/svchost", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.FramebufferResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/boot-drivers:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.HypervisorResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.InfoResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/boot-drivers:**", |
| "/bootstrap/console-launcher", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.IommuResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/boot-drivers:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.IoportResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/boot-drivers:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.IrqResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/boot-drivers:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.RootJob", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/netsvc", |
| "/bootstrap/critical-services", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.RootJobForInspect", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/netsvc", |
| "/core/memory_monitor", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.MexecResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap/driver_manager", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.MmioResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/boot-drivers:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.MsiResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/boot-drivers:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.ProfileResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/role_manager", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.PowerResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/driver_manager", |
| "/bootstrap/boot-drivers:**", |
| "/core/thermd", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.SmcResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/boot-drivers:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.VmexResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/fshost/blobfs", |
| "/bootstrap/pkg-cache", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "blob", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/fshost", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "data", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/fshost", |
| "/core", |
| "/core/minfs", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "tmp", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/fshost", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost/blobfs", |
| source: "component", |
| source_name: "blob-exec", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap/fshost", |
| "/bootstrap/fshost/blobfs", |
| "/bootstrap/pkg-cache", |
| ], |
| }, |
| { |
| // We restrict access to PackageResolver because it gives direct access to package |
| // handles which provide executability which bypass VX security policy. |
| source_moniker: "/core/pkg-resolver", |
| source: "component", |
| source_name: "fuchsia.pkg.PackageResolver", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/full-resolver", |
| "/core/system-update/system-update-checker", |
| ], |
| }, |
| { |
| // We restrict access to PackageResolver-ota because it gives direct access to |
| // package handles which provide executability which bypass VX security policy. |
| // Additionally, this "-ota" implementation does not protect resolved packages from |
| // garbage collection and so should only be used by the system-updater. |
| source_moniker: "/core/pkg-resolver", |
| source: "component", |
| source_name: "fuchsia.pkg.PackageResolver-ota", |
| capability: "protocol", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/303275551): Update target "/core/pkg-resolver" when use-from-expose |
| // policy check is fixed. |
| "/core/pkg-resolver", |
| "/core/system-update/system-updater", |
| ], |
| }, |
| { |
| source_moniker: "/core/lowpanservice", |
| source: "component", |
| source_name: "fuchsia.factory.lowpan.FactoryLookup", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/lowpanservice", |
| ], |
| }, |
| { |
| source_moniker: "/core/lowpanservice", |
| source: "component", |
| source_name: "fuchsia.lowpan.device.DeviceExtraConnector", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/lowpanservice", |
| ], |
| }, |
| { |
| source_moniker: "/core/lowpanservice", |
| source: "component", |
| source_name: "fuchsia.lowpan.device.DeviceRouterExtraConnector", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/lowpanservice", |
| ], |
| }, |
| |
| // TODO(https://fxbug.dev/42175614): not security policy; split out into separate file. |
| // TODO(https://fxbug.dev/42175379): once product assembly supports product-specific |
| // components running in the network realm, remove this policy. |
| { |
| source_moniker: "/core/network/netstack", |
| source: "component", |
| source_name: "fuchsia.posix.socket.raw.Provider", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/network", |
| "/core/network/netstack", |
| "/core/lowpan-ot-driver", |
| "/core/test_manager", |
| "/core/testing/starnix-tests:**", |
| ], |
| }, |
| { |
| source_moniker: "/core/network/netstack", |
| source: "component", |
| source_name: "fuchsia.net.root.Interfaces", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/network", |
| "/core/network/netstack", |
| "/core/network/test-components:**", |
| |
| // TODO(https://fxbug.dev/42062982): Move away from Root API. |
| "/core/weavestack", |
| ], |
| }, |
| { |
| source_moniker: "/core/network/netstack", |
| source: "component", |
| source_name: "fuchsia.posix.socket.packet.Provider", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/network", |
| "/core/network/dhcpd", |
| "/core/network/netstack/dhcp-client", |
| "/core/network/netstack", |
| "/core/network/test-components:**", |
| ], |
| }, |
| ], |
| child_policy: { |
| reboot_on_terminate: [ |
| "/bootstrap/cpu_manager", |
| "/bootstrap/driver_index", |
| "/bootstrap/fshost", |
| "/bootstrap/pkg-cache", |
| "/bootstrap/sysmem", |
| "/core", |
| "/core/audio_core", |
| "/core/network/netstack", |
| "/core/setui_service", |
| "/core/system-update/omaha-client-service", |
| "/core/system-update/system-update-checker", |
| "/core/system-update/system-update-committer", |
| "/core/wlancfg", |
| "/core/wlandevicemonitor", |
| "/core/wlanstack", |
| ], |
| }, |
| }, |
| } |