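#
# Policy rules for clusterAgent Daemon and its helper programs, including
# the etcd watchdog.
#
# Rule kinds used in this file:
#   -d  domain transition on exec
#   -s  syscall class grants
#   -c  socket-class grants
#   -p  per-path socket grant/revoke (narrows the -c class grants)
#   -r  filesystem path permissions; "-r /" with no permissions is the
#       default-deny baseline, every other -r line is an explicit allow.
#
# Each (program) tag names which helper the rule exists for, so a rule
# whose program is removed can be dropped with it.
#


# (Watchdog) Upon executing etcd, switch to its domain.
-d etcdObj etcdDom file_exec grant


# (All) Basic file usage and memory management.
-s genericSys grant
-s openSys grant
-s mprotectSys grant

# (Agent, Watchdog) Misc management.
-s ioctlSys grant
-s syncSys grant
-s cloneSys grant
-s killSys grant

# (RPCfg) Resource pool control for itself and etcd.
-s vsiReadSys grant
-s vsiWriteSys grant

# (Agent, Watchdog) Launching of helper programs and etcd.
-s forkSys grant
-s execSys grant
-s forkExecSys grant


# (Agent) IP sockets to allow DNS requests and API connections to etcd.
# The class grant only permits socket creation; the reachable destinations
# are limited by the -p inet_socket_connect rules further down.
-c inet_stream_socket_create grant
-c inet_dgram_socket_create grant

# (Agent, Watchdog) UNIX sockets allow local APIs and exposure of runtime profiling info.
-c unix_socket_create grant
-c unix_dgram_socket_bind grant
-c unix_dgram_socket_connect grant
-c unix_stream_socket_bind grant
-c unix_stream_socket_connect grant
-c unix_vmklink_socket_connect grant


# (Agent, Watchdog) Syslog access.
-p unix_dgram_socket_connect /dev/log grant
-p unix_dgram_socket_connect /dev/vmwSyslog grant

# (Agent, Watchdog) Explicit revoke: the authenticated local-socket endpoint
# is carved out of the class-wide unix_stream_socket_* grants above.
# NOTE(review): presumably these programs never need it; confirm before
# widening. Keep the revoke even if the -c grants are later narrowed.
-p unix_stream_socket_connect vmwLocalSocketAuthentication revoke
-p unix_stream_socket_bind vmwLocalSocketAuthentication revoke

# (Agent) Local APIs and runtime profiling.
# Bind-only: the agent serves these sockets, it does not connect to them.
-p unix_stream_socket_bind /var/run/vmware/clusterAgentPprofIPC.sock grant
-p unix_stream_socket_bind /var/run/vmware/clusterAgentAdminIPC.sock grant
-p unix_stream_socket_bind /var/run/vmware/clusterAgentKvIPC.sock grant


# (Agent) Etcd client and DNS.
# Outbound connects are restricted to these two non-loopback ports.
-p inet_socket_connect nonloopback 2379 grant
-p inet_socket_connect nonloopback 53 grant

# (Agent) VOBs.
-p unix_stream_socket_connect /var/run/vmware/vobd-user-ctx.sock grant

# (Watchdog) NSCD access.
-p unix_stream_socket_connect /var/run/nscd/socket grant


# Deny everything except specific paths.
-r /

# (Agent) Golang runtime occasionally creates temp files and mmaps them (requiring x).
# This is the only write+exec grant in the policy; keep it confined to /tmp.
-r /tmp rwx

# (All) Executable and libraries.
# Read+execute only; none of the binaries below is writable from this domain.
-r /lib64 rx
-r /usr/lib64 rx
-r /usr/lib/vmware/clusterAgent/bin/clusterAgent rx
-r /usr/lib/vmware/configmanager/bin/configstorecli rx
-r /usr/lib/vmware/vob/bin/addvob rx
-r /bin/configstorecli rx
-r /bin/watchdog.sh rx
-r /bin/python rx
-r /bin/rpcfg rx
-r /bin/vmkvsitools rx
-r /bin/vsish rx
-r /bin/esxcfg-advcfg rx
-r /usr/lib/vmware/busybox/bin/busybox rx
-r /usr/lib/vmware/etcd/bin/etcd rx

# (Agent) Misc for runtime and DNS.
# Each path appears once; /etc/localtime and /etc/nsswitch.conf were
# previously listed twice in this file.
-r /etc/localtime r
-r /etc/hosts r
-r /etc/host.conf r
-r /etc/nsswitch.conf r
-r /etc/resolv.conf r

# (Agent) Certificate files.
# rui.key is a private key; read access to it is the most sensitive grant
# in this file, so keep this list to exactly what TLS setup requires.
-r /etc/vmware/ssl/rui.crt r
-r /etc/vmware/ssl/rui.key r
-r /etc/vmware/ssl/castore.pem r
-r /etc/vmware/ssl/fipsmodule.cnf r
-r /etc/vmware/ssl/openssl.cnf r

# (Agent) Log files.
# /var/log/vmware is read-only here; the writable location is /var/run/log,
# the parent of clusterAgent.stderr which we create.
-r /var/log/vmware r
-r /var/run/log rw

# (Agent, ConfigStore) Etcd/clusterAgent datafiles. Resolves to OSDATA on policy load.
# Parent of /var/cache/datafiles, which we might create.
-r /var/cache rw

# (ConfigStore) Scripts and database.
-r /usr/lib/vmware/configmanager/configstorecli r
-r /etc/vmware/schemastore rw
-r /etc/vmware/configstore rw

# (Watchdog) Etcd PID file.
-r /var/run/vmware/watchdog-etcdmain.PID rw

# (All) utilities.
-r /dev/null rw
-r /dev/urandom r
-r /etc/passwd r
-r /etc/vmware/config r
-r /etc/vmware/settings r
-r /etc/vmware/vsphereFeatures/vsphereFeatures.cfg r
-r /etc/vmware/vsphereFeatures/techPreview.cfg r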
