#
# Policy rules for Sensord Daemon
#
# Rule forms used in this file (meaning inferred from the rules themselves;
# confirm against the policy-format reference before relying on it):
#   -c <operation> grant|revoke       whole-class grant/revoke of a socket op
#   -p <operation> <endpoint> grant   named-endpoint grant; used below to
#                                     re-open individual targets under an
#                                     operation that a -c rule revokes
#   -r <path> [r|rw|rx]               filesystem access for a path; a rule
#                                     with no permission token appears to
#                                     deny (see "deny sensitive locations")
#   -s <syscall class> grant          syscall class grant
#

# Socket classes. bind/connect on unix dgram and unix stream sockets are
# revoked as a class; the -p rules that follow grant only the specific
# endpoints the daemon needs.
-c inet_dgram_socket_create grant
-c inet_stream_socket_create grant
-c opaque_net_connect revoke
-c unix_dgram_socket_bind revoke
-c unix_dgram_socket_connect revoke
-c unix_socket_create grant
-c unix_stream_socket_bind revoke
-c unix_stream_socket_connect revoke
-c unix_vmklink_socket_connect revoke

# Endpoint-level grants carved out of the revokes above.
# /dev/vmwSyslog and /dev/auditlog are the only unix dgram connect targets.
-p unix_dgram_socket_connect /dev/vmwSyslog grant
# The daemon's own listening socket is the only unix stream bind target.
-p unix_stream_socket_bind sensordVapiLocal.sock grant
-p unix_stream_socket_connect vmwLocalSocketAuthentication grant
-p unix_stream_socket_connect /var/run/nscd/socket grant
# Port 80 is reachable on loopback only.
-p inet_socket_connect loopback 80 grant
-p unix_stream_socket_connect vmwLocalSocketApiForwarder grant
-p unix_dgram_socket_connect /dev/auditlog grant
# Port 53 to any non-loopback host (DNS); pairs with the read grants on
# /etc/resolv.conf, /etc/hosts and /etc/nsswitch.conf below.
-p inet_socket_connect nonloopback 53 grant

# Filesystem rules. "/" carries no permission token, which by the reading
# above makes it the default-deny base that the grants below open up — confirm.
-r /
# NOTE(review): rw is granted on the whole vmkdriver directory, not just the
# i2c-<n> nodes the comment describes; if the format supports a pattern,
# narrowing this rule would reduce what the daemon can open — TODO confirm.
-r /dev/char/vmkdriver rw # /dev/char/vmkdriver/i2c-<n> where n is a variable number
-r /etc/hosts r
-r /etc/host.conf r
-r /etc/localtime r
-r /etc/nsswitch.conf r
-r /etc/resolv.conf r
-r /etc/smartnic-mockup.conf r
-r /etc/vmware/config r
# Write access to the config store and schema store (rw, not r).
-r /etc/vmware/configstore/current-store-1 rw
-r /etc/vmware/schemastore/schema-store-1 rw
-r /etc/vmware/settings r
-r /etc/vmware/ssl/fipsmodule.cnf r
-r /etc/vmware/ssl/openssl.cnf r
-r /etc/vmware/vsphereFeatures/techPreview.cfg r
-r /etc/vmware/vsphereFeatures/vsphereFeatures.cfg r
# rx on the library directories; two sub-paths of /usr/lib64 are taken back
# under "deny sensitive locations" below.
-r /lib64 rx
-r /usr/lib/vmware/vapi/sensordApi_vapi_metadata.json r
-r /usr/lib64 rx
-r /usr/share/sensors r
# The only secret-bearing path in this policy; read-only.
-r /var/run/vmware/tokend-secret r

# mock dpu sensors
# /tmp has no permission token (same form as the deny rules below) while
# /var/tmp is readable — presumably /tmp is denied on purpose; confirm that
# this is the intent given the heading.
-r /tmp
-r /var/tmp r

# deny sensitive locations
# Exceptions to the rx grant on /usr/lib64 above.
-r /usr/lib64/locale
-r /usr/lib64/openwsman

# Syscall classes granted to the daemon. Nothing is revoked here; classes not
# listed are presumably denied by default — confirm.
-s genericSys grant
-s ioctlSys grant
-s vsiReadSys grant
-s vsiWriteSys grant
-s cloneSys grant
-s openSys grant
-s mprotectSys grant
