| { |
| security_policy: { |
| job_policy: { |
| ambient_mark_vmo_exec: [ |
| "/core/appmgr", |
| "/core/test_manager/elf_test_ambient_exec_runner", |
| |
| // The v2 Flutter and Dart JIT runners (which are not used in |
| // release builds) need to execute VMOs in order to run Flutter and |
| // Dart components. Note that nothing in this policy file gates |
| // these entries on build type; only the runners' presence does. |
| // TODO(fxb/88626): These runners are configured in |
| // experiences.git (a product) and references to them do not |
| // belong in fuchsia.git (the platform). Add support for |
| // per-product policies and remove the runners from here. |
| "/core/session-manager/session:session/dart_jit_runner", |
| "/core/session-manager/session:session/flutter_jit_runner", |
| |
| // We allow tests to access ambient executability in the same |
| // way that we're permissive with use of the components v1 |
| // deprecated-ambient-replace-as-executable feature and the |
| // VmexResource protocol on eng builds. Like the other |
| // test_manager entries, this is an eng-only allowance. |
| "/core/test_manager/system-tests:**", |
| ], |
| main_process_critical: [ |
| "/bootstrap/archivist", |
| "/bootstrap/driver_manager", |
| "/bootstrap/fshost", |
| "/bootstrap/power_manager", |
| "/bootstrap/shutdown_shim", |
| ], |
| create_raw_processes: [ |
| "/core/starnix_manager/starnix_runner", |
| "/core/test_manager/starnix_test_runner/starnix_runner", |
| "/core/test_manager/starnix_unit_test_runner", |
| ], |
| }, |
| capability_policy: [ |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.boot.RootResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console", |
| "/bootstrap/console-launcher", |
| "/bootstrap/driver_manager", |
| "/bootstrap/netsvc", |
| "/bootstrap/svchost", |
| "/core", |
| "/core/debug_serial", |
| "/core/test_manager/system-tests:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.CpuResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/power_manager", |
| "/core", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.DebugResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/core", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.HypervisorResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/core", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.InfoResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/core", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.IoportResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/core", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.IrqResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/core", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.RootJob", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/driver_manager", |
| "/bootstrap/netsvc", |
| "/bootstrap/svchost", |
| "/core", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.RootJobForInspect", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/netsvc", |
| "/core", |
| "/core/memory_monitor", |
| "/core/test_manager/system-tests:**", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.MmioResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/core", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.SmcResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/core", |
| "/core/debug_serial", |
| ], |
| }, |
| { |
| source_moniker: "<component_manager>", |
| source: "component", |
| source_name: "fuchsia.kernel.VmexResource", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/fshost", |
| "/core", |
| "/core/debug_serial", |
| "/core/starnix_manager/starnix_runner", |
| "/core/test_manager/starnix_test_runner/starnix_runner", |
| "/core/test_manager/system-tests:**", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "bin", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/fshost", |
| "/bootstrap/netsvc", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "blob", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/fshost", |
| "/bootstrap/netsvc", |
| "/core", |
| "/core/appmgr", |
| "/core/pkg-cache", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "pkgfs", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/fshost", |
| "/bootstrap/netsvc", |
| "/core", |
| "/core/appmgr", |
| "/core/pkg-cache", |
| "/core/pkg-resolver", |
| "/core/system-update-checker", |
| "/core/system-updater", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "minfs", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/fshost", |
| "/bootstrap/netsvc", |
| "/core", |
| "/core/appmgr", |
| "/core/minfs", |
| "/core/ssh-key-manager", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "system", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/driver_manager", |
| "/bootstrap/fshost", |
| "/bootstrap/netsvc", |
| "/core", |
| "/core/appmgr", |
| "/core/system-updater", |
| "/core/vulkan_loader", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "tmp", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| "/bootstrap/fshost", |
| "/bootstrap/netsvc", |
| "/core", |
| "/core/appmgr", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "build-info", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap/fshost", |
| "/core/build-info", |
| "/core/feedback", |
| "/core/omaha-client-service", |
| "/core/system-updater", |
| ], |
| }, |
| { |
| source_moniker: "/bootstrap/fshost", |
| source: "component", |
| source_name: "deprecated-misc-storage", |
| capability: "directory", |
| target_monikers: [ |
| "/bootstrap/fshost", |
| "/core/system-updater", |
| "/core/system-update-checker", |
| ], |
| }, |
| { |
| // We restrict access to PackageResolver because it gives direct access to package |
| // handles, which provide executability and therefore bypass the VX security policy. |
| source_moniker: "/core/pkg-resolver", |
| source: "component", |
| source_name: "fuchsia.pkg.PackageResolver", |
| capability: "protocol", |
| target_monikers: [ |
| "/bootstrap", |
| "/bootstrap/console-launcher", |
| |
| // driver_manager only uses this when the kernel commandline flag |
| // devmgr.enable-ephemeral is set, which enables loading drivers ephemerally. |
| // This is intended for eng builds only. Note that the allowlist entry below |
| // is unconditional; only driver_manager's own behaviour gates the use. |
| "/bootstrap/driver_manager", |
| "/bootstrap/netsvc", |
| |
| // system-updater still runs as a v1 component and is a |
| // valid client of PackageResolver; appmgr has its own |
| // allowlist for v1 components accessing pkg-resolver. |
| "/core", |
| "/core/full-resolver", |
| "/core/system-update-checker", |
| "/core/system-updater", |
| ], |
| }, |
| { |
| // We restrict access to PackageCache because it gives direct access to package |
| // handles, which provide executability and therefore bypass the VX security policy. |
| source_moniker: "/core/pkg-cache", |
| source: "component", |
| source_name: "fuchsia.pkg.PackageCache", |
| capability: "protocol", |
| target_monikers: [ |
| "/core", |
| "/core/pkg-resolver", |
| "/core/system-updater", |
| ], |
| }, |
| { |
| // We restrict access to RetainedPackages because it gives callers the ability |
| // to override certain package garbage collection behavior that is intended |
| // to be used only by the system updater. |
| source_moniker: "/core/pkg-cache", |
| source: "component", |
| source_name: "fuchsia.pkg.RetainedPackages", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/system-updater", |
| ], |
| }, |
| { |
| // We restrict access to base-resolver's ComponentResolver protocol because |
| // only parts of the component framework are expected to reach it. |
| source_moniker: "/bootstrap/base-resolver", |
| source: "component", |
| source_name: "fuchsia.sys2.ComponentResolver", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/full-resolver", |
| ], |
| }, |
| |
| // Only route the ComponentResolver protocol to test_manager and system tests. |
| // TODO(fxbug.dev/86464): Remove this once we have the facet API. |
| { |
| source_moniker: "/core/full-resolver", |
| source: "component", |
| source_name: "fuchsia.sys2.ComponentResolver", |
| capability: "protocol", |
| target_monikers: [ |
| "/core/test_manager", |
| "/core/test_manager/system-tests:**", |
| "/core/full-resolver", |
| ], |
| }, |
| ], |
| child_policy: { |
| reboot_on_terminate: [ |
| "/bootstrap/driver_index", |
| "/core", |
| "/core/appmgr", |
| "/core/network/netstack", |
| "/core/omaha-client-service", |
| "/core/setui_service", |
| "/core/system-update-checker", |
| "/core/system-update-committer", |
| "/core/wlancfg", |
| "/core/wlandevicemonitor", |
| "/core/wlanstack", |
| ], |
| }, |
| debug_registration_policy: [ |
| { |
| debug: "protocol", |
| environment_name: "test-env", |
| source_moniker: "/core/test_manager/debug_data", |
| source_name: "fuchsia.debugdata.DebugData", |
| target_moniker: "/core/test_manager", |
| }, |
| ], |
| }, |
| } |