#
# Rules for tpm2emu
#
# Everything is disabled, except open/mprotect
# (needed by dynamic linker), and access to the
# binary itself, its libraries, /dev/null and
# /dev/random, time zone definition, and
# config files (so loglevel.tpm2emu can be set).
#

# Syscall grants (the "-s" prefix presumably selects a syscall rule — the
# header above attributes both to the dynamic linker; nothing else is granted
# at the syscall level).
-s mprotectSys grant
-s openSys grant

# The only "-c" entry: a unix/vmklink socket connect grant. It is not listed
# in the header comment above; presumably needed at runtime — confirm it is
# still required, since it is the one non-filesystem capability the emulator
# keeps.
-c unix_vmklink_socket_connect grant

# Deny everything
# Default-deny on the filesystem root. The "-r" lines below are the
# exceptions; presumably they must follow this line to take effect, so keep
# it first. Note that no rule in this file grants "w": every path below is
# read and/or execute only.
-r /
# except ...
# The emulator binary itself: read+execute, not writable.
-r /bin/tpm2emu rx
# Loader configuration and library directories. /usr/lib64 is execute-only
# (x, no r), unlike /lib64 (rx) — presumably deliberate; confirm before
# loosening.
-r /etc/ld.so.conf r
-r /etc/ld.so.cache r
-r /lib64 rx
-r /usr/lib64 x
# Device nodes, read-only. /dev/urandom is granted in addition to the
# /dev/random named in the header.
-r /dev/null r
-r /dev/random r
-r /dev/urandom r
# Time zone definition.
-r /etc/localtime r
# Configuration files, read-only (the header says this is so that
# loglevel.tpm2emu can be set); the ssl/ entries are the CA store and the
# OpenSSL / FIPS module configuration.
-r /etc/vmware/config r
-r /etc/vmware/ssl/castore.pem r
-r /etc/vmware/ssl/fipsmodule.cnf r
-r /etc/vmware/ssl/openssl.cnf r
-r /usr/lib/vmware/settings r
-r /.vmware/config r
