-c inet_dgram_socket_create grant
-c inet_stream_socket_create grant
-c stream_vsocket_connect grant # Used to connect to crx vsockets
-c stream_vsocket_create grant
-c stream_vsocket_trusted grant
-c unix_socket_create grant

-c opaque_net_connect revoke
-c unix_dgram_socket_bind revoke
-c unix_dgram_socket_connect revoke
-c unix_stream_socket_bind revoke
-c unix_stream_socket_connect revoke
-c unix_vmklink_socket_connect revoke

-d crxcliObj globalVMDom file_exec grant

-p inet_socket_bind 10260 grant
-p inet_socket_connect loopback 53 grant
-p inet_socket_connect loopback 443 grant
-p inet_socket_connect loopback 6443 grant
-p inet_socket_connect nonloopback 443 grant
-p inet_socket_connect nonloopback 6443 grant
-p inet_socket_connect loopback 10260 grant

-p unix_dgram_socket_connect /dev/auditlog grant
-p unix_dgram_socket_connect /dev/log grant
-p unix_dgram_socket_connect /dev/vmwSyslog grant

-p unix_stream_socket_connect /var/run/nscd/socket grant

-p unix_stream_socket_bind /var/run/vmware/inf-ctrops grant

# Global deny.
-r /

-r /bin/crx-cli x
-r /bin/esxcfg-advcfg x
-r /bin/openssl x
-r /bin/python3.8 x
-r /bin/vmkfstools x
-r /bin/vsish x
-r /dev/char/vmkdriver/random r
-r /dev/char/vmkdriver/urandom r
-r /dev/null w
-r /etc/hosts r
-r /etc/localtime r
-r /etc/nsswitch.conf r
-r /etc/passwd r
-r /etc/resolv.conf r
-r /etc/vmware/infravisor/ rw
-r /etc/vmware/ssl/openssl.cnf r
-r /etc/vmware/vsphereFeatures/techPreview.cfg r
-r /etc/vmware/vsphereFeatures/vsphereFeatures.cfg r
-r /lib rx
-r /lib64 rx
-r /tmp rw
-r /usr/lib/vmware/busybox/bin/busybox rx
-r /usr/lib/vmware/crx/ r
-r /usr/lib/vmware/esxcli rx
-r /usr/lib/vmware/infravisor rx
-r /usr/lib64 rx
-r /var/run/vmware/infra-runtime.crxid rw
-r /var/run/vmware/vmsyslogd.pid r
-r /var/run/vmware/watchdog-infravisor.PID w
-r /var/run/vmware-hostd-ticket r # Necessary to read local ticket for vimclient

# Required for vmkfstools (setuuid)
-r /etc/vmware/config r
-r /etc/vmware/icu/icudt44l.dat r
-r /etc/vmware/settings r
-r /etc/vmware/ssl/castore.pem r

# Necessary to allow us to access osdata volumes,
# and to allow PodVolumes to use arbitrary datastores.
-r /var/lib/vmware/osdata rw
-r /var/lib/vmware/osdata/infravisor rw

# Necessary for the following command:
# /bin/esxcfg-advcfg -q -g /UserVars/ESXiVPsAllowedCiphers
-r /etc/vmware/configstore/current-store-1 rw
-r /etc/vmware/schemastore/schema-store-1 rw

# Necessary to allow Infravisor to write to arbitrary
# log config files under this directory; their names
# are unbounded and not known until runtime.
# This directory-wide rule can be removed once
# wildcard support for file paths is provided.
-r /etc/vmsyslog.conf.d/ w

-s cloneSys grant
-s execSys grant
-s forkExecSys grant
-s forkSys grant
-s genericSys grant
-s ioctlSys grant
-s killSys grant
-s mprotectSys grant
-s openSys grant
-s rpcSys grant
-s syncSys grant
-s vmfsGenSys grant
-s vsiReadSys grant
-s vsiWriteSys grant
