#!/bin/bash
# Policy rules for sdrsInjector Daemon
#

-c unix_dgram_socket_bind grant
-c unix_dgram_socket_connect grant
-c unix_socket_create grant
-c unix_stream_socket_bind grant
-c unix_stream_socket_connect grant
-c unix_vmklink_socket_connect grant

-p unix_dgram_socket_connect /dev/vmwSyslog grant
-p unix_stream_socket_connect vmwLocalSocketAuthentication revoke
-p unix_stream_socket_bind vmwLocalSocketAuthentication revoke

-s genericSys grant
-s ioctlSys grant
-s vsiReadSys grant
-s vsiWriteSys grant
-s killSys grant
-s cloneSys grant
-s openSys grant
-s mprotectSys grant

# Deny everything
-r /
# except ...
-r /bin/sdrsInjector x
-r /bin x
-r /dev/char/vmkdriver/urandom r
-r /etc/localtime r
-r /etc/vmware/config r
-r /etc/vmware/settings r
-r /etc/vmware/ssl/castore.pem r
-r /etc/vmware/ssl/fipsmodule.cnf r
-r /etc/vmware/ssl/openssl.cnf r
-r /etc/vmware/vsphereFeatures/techPreview.cfg r
-r /etc/vmware/vsphereFeatures/vsphereFeatures.cfg r
-r /lib64 x
-r /usr/lib64 x
-r /usr x
-r /var/run/sdrsInjector.pid w
-r /var/run/storageRM.pid r

# sdrsInjector process needs to have access to the vmfs folder, e.g:
# -r /vmfs/volumes/<hash-id>/.naa.* r
# -r /vmfs/volumes/<hash-id> r
# -r /vmfs/volumes/<hash-id>/stats* r
# -r /vmfs/volumes/<hash-id>/*.vmdk r
# -r /vmfs/volumes/ r
# Since the security domain definition doesn't support regex expressions, and
# the hash id changes from one deployment to another deployment,
# we have to grant the read access recursively to the whole vmfs directory.
# More context: https://vmware.slack.com/archives/C02862D5AN8/p1628787719073700
-r /vmfs/volumes r
-r /dev/disks r
