#
# Policy rules for etcd daemon.
#
# Rule forms used in this file:
#   -s <class> grant                      grant a system-call class (names as
#                                         given; membership is defined by the
#                                         policy loader, not here)
#   -c <capability> grant                 grant a socket capability with no
#                                         target restriction
#   -p <capability> <target> grant|revoke grant/revoke the capability for one
#                                         named target (port, path, socket name)
#   -r <path> [r][w][x]                   file-system access; a bare "-r <path>"
#                                         with no modes denies the subtree
#
# NOTE(review): the deny-all "-r /" followed by narrower "-r" grants implies
# rules are applied in order, with later, more specific entries refining
# earlier ones -- confirm against the policy loader before reordering lines.
# NOTE(review): how a per-target "-p" relates to a blanket "-c" grant of the
# same capability is not stated here; the revokes further down suggest "-p"
# refines "-c" -- confirm.


# Basic file usage and memory management.
# These are whole classes, not individual calls; what may actually be opened
# is expected to be bounded by the "-r" file rules at the end of this file.
-s genericSys grant
-s openSys grant
-s mprotectSys grant

# Thread management.
-s cloneSys grant
-s killSys grant

# Database file syncing.
-s syncSys grant


# IP sockets to allow DNS requests and API + peer connections.
# Socket creation is granted without a target; the per-port and per-peer
# limits are the "-p inet_socket_*" rules below.
-c inet_stream_socket_create grant
-c inet_dgram_socket_create grant

# UNIX sockets allow exposure of runtime profiling info.
# unix_vmklink_socket_connect is not narrowed by any "-p" rule below.
-c unix_socket_create grant
-c unix_dgram_socket_bind grant
-c unix_dgram_socket_connect grant
-c unix_stream_socket_bind grant
-c unix_stream_socket_connect grant
-c unix_vmklink_socket_connect grant


# Block connect/bind to vmwLocalSocketAuthentication
# Narrows the blanket unix_stream bind/connect grants above for this one
# socket name, so etcd can neither serve it nor dial it.
-p unix_stream_socket_connect vmwLocalSocketAuthentication revoke
-p unix_stream_socket_bind vmwLocalSocketAuthentication revoke

# Syslog access.
# Connect only; no "-r" entry for /dev/log appears in the file section below.
-p unix_dgram_socket_connect /dev/log grant

# Binding of ephemeral, API, and peer sockets.
# 0 = kernel-chosen ephemeral port; 2379/2380 are the etcd client and peer
# ports. No bind address is qualified, so presumably any local interface the
# daemon asks for is allowed -- confirm if interface scoping is supported.
-p inet_socket_bind 0 grant
-p inet_socket_bind 2379 grant
-p inet_socket_bind 2380 grant

# Runtime profiling.
# Bind capability is keyed on the socket name, not a path; the matching file
# rules are the two kvstoreMetricsIPC.sock:0 "-r" entries further down.
-p unix_stream_socket_bind kvstoreMetricsIPC.sock:0 grant

# Peer client and DNS.
# Only nonloopback destinations, and only peer (2380) and DNS (53). No connect
# to client port 2379 is granted here, so under this file alone the daemon
# cannot dial another node's client API.
-p inet_socket_connect nonloopback 2380 grant
-p inet_socket_connect nonloopback 53 grant


# Deny everything except specific paths.
# Bare "-r /" with no modes is the default-deny that every grant below refines.
-r /

# Golang runtime occasionally creates temp files and mmaps them (requiring x).
# This is the only path besides the binary and /lib64 with x, and the only one
# that pairs w with x; keep the reason recorded here and do not widen it to
# other writable directories.
# NOTE(review): a daemon-private temp directory, if runtime and loader support
# one, would narrow this -- confirm.
-r /tmp rwx

# Executable and libraries.
# Read+execute only; nothing grants w on the binary or libraries.
-r /usr/lib/vmware/etcd/bin/etcd rx
-r /lib64 rx

# Misc for runtime and DNS.
-r /etc/localtime r
-r /etc/hosts r
-r /etc/host.conf r
-r /etc/nsswitch.conf r
-r /etc/resolv.conf r

# Runtime profiling.
# NOTE(review): two locations are listed for the same socket name, one at the
# filesystem root and one under /var/log/vmware; presumably one covers a
# relative name resolved against the daemon's cwd -- confirm both are needed.
-r /kvstoreMetricsIPC.sock:0 rw
-r /var/log/vmware/kvstoreMetricsIPC.sock:0 rw

# Certificate files.
# rui.key (the private key, by name) is read-only like the rest; nothing here
# grants w on any certificate, key, or OpenSSL config.
-r /etc/vmware/ssl/rui.crt r
-r /etc/vmware/ssl/rui.key r
-r /etc/vmware/ssl/castore.pem r
-r /etc/vmware/ssl/fipsmodule.cnf r
-r /etc/vmware/ssl/openssl.cnf r

# Etcd/clusterAgent datafiles. Parent of /var/cache/datafiles, which may not
# exist during policy load. But /var/cache always resolves to the OSDATA volume.
# Consequence: the whole /var/cache subtree is rw to etcd, not only datafiles.
# NOTE(review): if the loader can accept a not-yet-existing path, narrowing
# this to /var/cache/datafiles would remove that exposure -- confirm.
-r /var/cache rw
