| { |
| enable_introspection: true, |
| security_policy: { |
| job_policy: { |
| ambient_mark_vmo_exec: [ |
| // We allow tests to access ambient executability in the same |
| // way that we're permissive with use of the components v1 |
| // deprecated-ambient-replace-as-executable feature and |
| // VmexResource protocol on eng builds. |
| // |
| // We explicitly enumerate all test realms here for |
| // informational purposes. |
| "/core/test_manager/chromium-system-tests:**", |
| "/core/test_manager/chromium-tests:**", |
| "/core/test_manager/cts-tests:**", |
| "/core/test_manager/devices-tests:**", |
| "/core/test_manager/drm-tests:**", |
| "/core/test_manager/google-tests:**", |
| "/core/test_manager/media-tests:**", |
| "/core/test_manager/system-tests:**", |
| "/core/test_manager/system-validation-tests:**", |
| "/core/test_manager/tests:**", |
| "/core/test_manager/vulkan-tests:**", |
| |
| // We allow tests to access ambient executability in the same |
| // way that we're permissive with use of the components v1 |
| // deprecated-ambient-replace-as-executable feature and |
| // VmexResource protocol on eng builds. |
| // |
| // Some test runners explicitly require ambient executability. |
| "/core/test_manager/elf_test_ambient_exec_runner", |
| "/core/test_manager/g3_dart_jit_product_runner", |
| ], |
| create_raw_processes: [ |
| "/core/test_manager/elf_test_create_raw_processes_runner", |
| "/core/test_manager/rust_test_create_raw_processes_runner", |
| "/core/testing/rust_test_create_raw_processes_runner", |
| ], |
| }, |
| capability_policy: [ |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.boot.RootResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/core/test_manager/system-tests:**", |
| "/core/testing/vfs-compliance-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.CpuResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/vfs-compliance-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.DebugResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/profiler", |
| "/core/testing/vfs-compliance-tests:**", |
| "/core/trace_manager/cpuperf_provider/cpu-trace", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.DebuglogResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/vfs-compliance-tests:**", |
| "/bootstrap/pkg-drivers:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.FramebufferResource", |
| capability: "protocol", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.HypervisorResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/vfs-compliance-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.InfoResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/vfs-compliance-tests:**", |
| "/bootstrap/pkg-drivers:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.IommuResource", |
| capability: "protocol", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.IoportResource", |
| capability: "protocol", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.IrqResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/vfs-compliance-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.MexecResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/vfs-compliance-tests:**", |
| "/core/test_manager/system-tests:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.MmioResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/vfs-compliance-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.MsiResource", |
| capability: "protocol", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.ProfileResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/sshd-host/shell:**", |
| "/core/testing/system-tests:**", |
| "/bootstrap/role_manager", |
| "/bootstrap/console-launcher", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.PowerResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/vfs-compliance-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.RootJob", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/process_explorer", |
| "/core/debugger/agents:**", |
| "/core/testing/vfs-compliance-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.RootJobForInspect", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/vfs-compliance-tests:**", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.SmcResource", |
| capability: "protocol", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.VmexResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/testing/vfs-compliance-tests:**", |
| |
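| // We allow tests to access ambient executability in the same |
| // way that we're permissive with use of the components v1 |
| // deprecated-ambient-replace-as-executable feature and |
| // VmexResource protocol on eng builds. |
| // |
| // Unlike the per-realm entries under ambient_mark_vmo_exec, this |
| // wildcard covers every component below test_manager, so a new |
| // test realm or runner gains VmexResource access without a |
| // change to this list. |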
| "/core/test_manager/**", |
| |
| // This protocol is used by `ffx component explore` in eng-only builds. |
| "/core/debug-dash-launcher", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| |
| // Allow Lavapipe only on Eng builds. |
| "/core/vulkan_loader", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "bin", |
| capability: "directory", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "blob", |
| capability: "directory", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "data", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap/base_resolver", |
| "/core/sshd-host", |
| |
| // TODO(https://fxbug.dev/42181129): Remove once the linked bug is fixed. |
| "/core/sl4f", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "tmp", |
| capability: "directory", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42181123): Remove once https://fxbug.dev/42167600 is fixed. |
| "/core/sl4f", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "build-info", |
| capability: "directory", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "/core/pkg-resolver", |
| source: "component", |
| source_name: "fuchsia.pkg.PackageResolver", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/netsvc", |
| "/core/debug-dash-launcher", |
| "/core/process_resolver", |
| "/core/system-update-checker", |
| "/bootstrap/driver_index", |
| "/bootstrap/driver_manager", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "/core/lowpanservice", |
| source: "component", |
| source_name: "fuchsia.factory.lowpan.FactoryLookup", |
| capability: "protocol", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "/core/lowpanservice", |
| source: "component", |
| source_name: "fuchsia.lowpan.device.DeviceExtraConnector", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/sl4f", |
| |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| { |
| source_moniker: "/core/lowpanservice", |
| source: "component", |
| source_name: "fuchsia.lowpan.device.DeviceRouterExtraConnector", |
| capability: "protocol", |
| target_monikers: [ |
| // TODO(https://fxbug.dev/42080863): Remove once the shell tools that use this |
| // capability no longer run in the sshd realm. |
| "/core/sshd-host/shell:**", |
| ], |
| }, |
| ], |
| debug_registration_policy: [ |
| { |
| debug: "protocol", |
| environment_name: "test-env", |
| name: "fuchsia.debugdata.Publisher", |
| moniker: "/core/test_manager/**", |
| }, |
| { |
| debug: "protocol", |
| environment_name: "test-env", |
| name: "fuchsia.debugdata.Publisher", |
| moniker: "/core/testing/**", |
| }, |
| { |
| debug: "protocol", |
| environment_name: "fuzzed-env", |
| name: "fuchsia.fuzzer.CoverageDataCollector", |
| moniker: "/core/test_manager/tests:**", |
| }, |
| { |
| debug: "protocol", |
| environment_name: "test-env", |
| name: "fuchsia.debugdata.DebugData", |
| moniker: "/core/test_manager", |
| }, |
| ], |
| }, |
| } |