[roll] Roll fuchsia [cm][security] Expand flexibility of capability policy allowlists

Previously the capability policy allowlists were a simple list of absolute monikers, meaning that every allowed component needed to be individually enumerated. This also prevented us from allowlisting dynamic children in a collection, where the instance name may not be known ahead of time.

This adds two new ways to specify allowlist entries in component_manager's config:
- "/foo/**", i.e. "any descendant of foo",
- "/foo/bar:**", i.e. "any descendant in foo's 'bar' collection",

Both of these perform prefix matches against the moniker, meaning that both direct children and any of their transitive children match and are allowed. In other words, "/foo/coll:**" includes both "/foo/coll:bar" and "/foo/coll:bar/baz".

It's possible that in the future we might be interested in more limited versions of this, e.g. "any direct child but not further children", but right now that doesn't seem terribly useful.

Original-Fixed: 77471
Original-Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/535691
Original-Revision: f74405d215598007cd4b97507a2e73d55f439ebd
GitOrigin-RevId: d836e04891a0ffa8a6ed6ce9119f8d6907adbc0c
Change-Id: Ib41d997fbe91cbe26645abcb7e201a4b74c1b089
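The three entry forms named in the commit message above, as an added sketch of a matcher; this is not component_manager's code, and every type and function name in it is hypothetical. It assumes that "/foo/**" does not match "/foo" itself and that entries or monikers that fail to parse match nothing.

```rust
enum Entry {
    Exact(Vec<String>),                   // "/foo/bar": that one instance
    AnyDescendant(Vec<String>),           // "/foo/**"
    AnyInCollection(Vec<String>, String), // "/foo/coll:**"
}

fn or_root(p: &str) -> &str { if p.is_empty() { "/" } else { p } }
// Split an absolute moniker into segments; None if it is malformed.
fn segments(path: &str) -> Option<Vec<String>> {
    let rest = path.strip_prefix('/')?;
    if rest.is_empty() { return Some(Vec::new()); } // "/" is the root
    let segs: Vec<String> = rest.split('/').map(String::from).collect();
    if segs.iter().any(|s| s.is_empty() || s.contains('*')) { return None; }
    Some(segs)
}

fn parse_entry(s: &str) -> Option<Entry> {
    if let Some(parent) = s.strip_suffix("/**") {
        return segments(or_root(parent)).map(Entry::AnyDescendant);
    }
    if let Some(head) = s.strip_suffix(":**") {
        let (parent, coll) = head.rsplit_once('/')?;
        if coll.is_empty() || coll.contains(':') || coll.contains('*') { return None; }
        return segments(or_root(parent)).map(|p| Entry::AnyInCollection(p, coll.to_string()));
    }
    segments(s).map(Entry::Exact)
}

// Whole segments are compared, so "/foobar" is never treated as below "/foo".
fn allows(entry: &Entry, moniker: &[String]) -> bool {
    let under = |p: &Vec<String>| moniker.len() > p.len() && moniker[..p.len()] == p[..];
    match entry {
        Entry::Exact(e) => e.as_slice() == moniker,
        Entry::AnyDescendant(p) => under(p),
        Entry::AnyInCollection(p, coll) => under(p)
            && moniker[p.len()].split_once(':')
                .map_or(false, |(c, name)| c == coll.as_str() && !name.is_empty()),
    }
}

fn is_allowed(allowlist: &[&str], moniker: &str) -> bool {
    segments(moniker).map_or(false, |m| { // unparsable input matches nothing
        allowlist.iter().filter_map(|e| parse_entry(e)).any(|e| allows(&e, &m))
    })
}

fn main() { // constructed sample allowlist and monikers
    let allow = ["/core/session", "/foo/**", "/apps/coll:**"];
    for m in ["/foo/a/b", "/apps/coll:x/y", "/foobar"] { println!("{m}: {}", is_allowed(&allow, m)); }
}
```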
This repository contains Fuchsia's Global Integration manifest files.
All changes should be made to the internal version of this repository. Our infrastructure automatically updates this version when the internal one changes.
Currently all changes must be made by a Google employee. Non-Google employees wishing to make a change can ask for assistance via the IRC channel #fuchsia on Freenode.
First install Jiri.
Next run:
    $ jiri init
    $ jiri import minimal https://fuchsia.googlesource.com/integration
    $ jiri update
Third party projects should have their own subdirectory in ./third_party.