# This domain is the ESX-side counterpart of the Spherelet Security domain.
# It is used to execute binaries on the ESX host itself (including loading
# a kernel module, see below) and therefore needs a tighter binding to a
# specific ESX host than a Security domain shipped in a VIB can provide.
# This domain may only be edited with the approval of the Spherelet team.

# Socket-creation capabilities this domain keeps.  Creating a socket is
# allowed broadly here; what it may connect to or bind is narrowed by the
# revokes and the per-path/per-port -p grants that follow.
-c inet_dgram_socket_create grant
-c inet_stream_socket_create grant
-c stream_vsocket_connect grant
-c stream_vsocket_create grant
-c stream_vsocket_trusted grant   # NOTE(review): trusted vsock endpoint (presumably the host side of the PodVM channel) -- confirm it is required
-c unix_socket_create grant

# Blanket connect/bind capabilities are revoked so that the only unix-socket
# endpoints reachable are the ones granted by explicit path in the -p rules
# below.  opaque_net_connect and unix_vmklink_socket_connect have no per-path
# grant anywhere in this file, so they remain fully denied.
-c opaque_net_connect revoke
-c unix_dgram_socket_bind revoke
-c unix_dgram_socket_connect revoke
-c unix_stream_socket_bind revoke
-c unix_stream_socket_connect revoke
-c unix_vmklink_socket_connect revoke

# Outbound TCP/UDP is limited to the loopback interface.
-p inet_socket_connect loopback 53 grant        # port 53: DNS (resolv.conf is readable below)
-p inet_socket_connect loopback grant        # required by localcli nw vm list (presumably `localcli network vm list`)
# NOTE(review): the unrestricted loopback grant on the second line subsumes the
# port-53 grant and makes every local listener (hostd, etc.) reachable from this
# domain.  If the syntax allows a port list, narrow it to the port(s) localcli
# actually needs.

# Datagram unix sockets: only the logging/audit sinks.  The blanket
# unix_dgram_socket_connect capability is revoked above.
-p unix_dgram_socket_connect /dev/auditlog grant
-p unix_dgram_socket_connect /dev/log grant
-p unix_dgram_socket_connect /dev/vmwSyslog grant

# Stream unix sockets: the name-service cache (goes with the nsswitch.conf,
# passwd and hosts reads below) and the NSX config agent's spherelet socket.
# The blanket unix_stream_socket_connect capability is revoked above.
-p unix_stream_socket_connect /var/run/nscd/socket grant
-p unix_stream_socket_connect /var/run/vmware/nsx-cfgagent/spherelet.sock grant

# Global deny: a resource rule with no mode bits.  Everything under / is
# inaccessible unless a more specific -r rule below grants r/w/x on it.
-r /

# Baseline filesystem access.  Mode letters: r = read, w = write, x = execute.
-r /bin/esxcfg-advcfg x
-r /bin/openssl x                      # its config, /etc/vmware/ssl/openssl.cnf, is granted r below
-r /dev/char/mem/null w                # presumably the char-device path behind /dev/null
-r /dev/char/vmkdriver/urandom r       # entropy source
-r /dev/char/vsock/vsock r
-r /dev/null w
-r /etc/hosts r                        # name-resolution inputs: hosts, nsswitch.conf, resolv.conf (+ nscd socket above)
-r /etc/localtime r
-r /etc/nsswitch.conf r
-r /etc/passwd r
-r /etc/resolv.conf r
-r /etc/vmware/config r
-r /etc/vmware/settings r
-r /etc/vmware/ssl/openssl.cnf r
-r /etc/vmware/vsphereFeatures/techPreview.cfg r
-r /etc/vmware/vsphereFeatures/vsphereFeatures.cfg r
# NOTE(review): the next block grants execute on whole directory trees.  If a
# directory rule covers its subtree, "/usr x" already subsumes every /usr/lib*
# entry below it -- confirm the semantics and prune the redundant lines, or
# replace the tree-wide grants with the specific binaries/libraries needed.
-r /lib64 x
-r /tmp rw                             # NOTE(review): shared scratch directory; prefer a domain-private path if one is available
-r /usr x
-r /usr/lib x
-r /usr/lib64 x
-r /usr/lib64/vmware x
-r /usr/lib64/vmware/plugin x
-r /usr/lib64/vmware/plugin/objLib x
-r /var/run/vmware-hostd-ticket r # Necessary to read the local ticket for vimclient (local authentication to hostd)

# Necessary for the following command:
# /bin/esxcfg-advcfg -q -g /UserVars/ESXiVPsAllowedCiphers
# NOTE(review): that command is a query (-q -g), yet both stores are granted
# rw.  Write access to the config store lets this domain alter host
# configuration.  Confirm whether esxcfg-advcfg really needs the write bit
# (possibly for a database lock/journal, given libsqlite3 is granted below)
# or whether r is sufficient.
-r /etc/vmware/configstore/current-store-1 rw
-r /etc/vmware/schemastore/schema-store-1 rw

# Necessary to run the vds-vsip ioctl CLI for PodVM on VDS.
# The CLI binary and the libraries it loads:
-r /usr/lib/vmware/vds-vsip/lib64/libvsipfw.so x
-r /usr/lib/vmware/vds-vsip/bin/vds-vsipioctl x
-r /usr/lib/vmware/vds-vsip/lib64/libvsipioctl.so x
-r /usr/lib/vmware/vds-vsip/lib64/libvdsioctl.so x
# Kernel-driver device nodes the CLI talks to (ioctlSys is granted below).
# dvsdev is the only one that also needs read access.
-r /dev/char/vmkdriver/vds-vsip w
-r /dev/char/vmkdriver/dvfiltertbl w
-r /dev/char/vmkdriver/dvsdev rw
-r /usr/lib64/libsqlite3.so.0.8.6 x    # NOTE(review): version-pinned path; breaks silently when the library is updated
-r /etc/protocols r
-r /bin/localcli x                     # see the loopback connect grant above

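# Necessary to install (load with vmkload_mod) the vds-vsip module.
# /etc/vmware/settings and /etc/vmware/config are already granted r in the
# baseline section above, so they are not repeated here.
# NOTE(review): write access to the module directory together with the
# moduleSys grant below means this domain can load kernel code; this is the
# reason for the strict host binding described in the file header.
-r /var/lib/vmware/vmkmod w
-r /bin/vmkload_mod x
-r /usr/lib/vmware/vmkmod/vds-vsip x
# The modules below are not vds-vsip itself; presumably they are dependencies
# that vmkload_mod resolves while loading it -- confirm each one is actually
# needed and drop any that is not.
-r /usr/lib/vmware/vmkmod/nmp x
-r /usr/lib/vmware/vmkmod/dvfilter x
-r /usr/lib/vmware/vmkmod/iodm x
-r /usr/lib/vmware/vmkmod/iscsi_trans_compat_shim x
-r /usr/lib/vmware/vmkmod/nrdma_vmkapi_shim x
-r /usr/lib/vmware/vmkmod/vflash x
-r /usr/lib/vmware/vmkmod/vmkapi_mgmt x
-r /usr/lib/vmware/vmkmod/vmkapei x
-r /usr/lib/vmware/vmkmod/vmknvme x
-r /bin/vsish x                        # goes with vsiReadSys/vsiWriteSys below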

# System-call groups this domain may use, listed alphabetically.
-s cloneSys grant
-s forkExecSys grant          # needed to run the CLIs granted x above
-s genericSys grant
-s ioctlSys grant             # needed for the /dev/char/vmkdriver device nodes
-s killSys grant
-s moduleSys grant            # NOTE(review): kernel-module loading (vmkload_mod above); highest-impact grant in this file
-s mprotectSys grant
-s openSys grant
-s rpcSys grant
-s syncSys grant
-s vobSys grant
-s vsiReadSys grant
-s vsiWriteSys grant          # NOTE(review): VSI writes change live kernel state; confirm which writes vsish needs