#!/bin/bash
# Policy rules for storageRM Daemon
#

-c unix_socket_create grant
-c unix_dgram_socket_bind grant
-c unix_dgram_socket_connect grant
-c unix_stream_socket_bind grant
-c unix_stream_socket_connect grant
-c unix_vmklink_socket_connect grant

-p unix_dgram_socket_connect /dev/vmwSyslog grant
-p unix_stream_socket_connect /var/run/nscd/socket grant
-p unix_stream_socket_connect /var/run/vmware/vobd-user-ctx.sock grant
-p unix_stream_socket_connect vmwLocalSocketAuthentication revoke
-p unix_stream_socket_bind vmwLocalSocketAuthentication revoke

-s cloneSys grant
-s execSys grant
-s forkSys grant
-s genericSys grant
-s ioctlSys grant
-s mprotectSys grant
-s openSys grant
-s vsiReadSys grant
-s vsiWriteSys grant

# Deny everything
-r /
# except ...
-r /bin/storageRM x
-r /bin/watchdog.sh x
-r /bin x
-r /dev/char/mem/null w
-r /dev/char/vmkdriver/urandom r
-r /dev/null w
-r /etc/localtime r
-r /etc/nsswitch.conf r
-r /etc/passwd r
-r /etc/vmware/config r
-r /etc/vmware/settings r
-r /etc/vmware/ssl/castore.pem r
-r /etc/vmware/ssl/fipsmodule.cnf r
-r /etc/vmware/ssl/openssl.cnf r
-r /etc/vmware/vsphereFeatures/techPreview.cfg r
-r /etc/vmware/vsphereFeatures/vsphereFeatures.cfg r
-r /lib64 x
-r /. r
-r /usr/lib64 x
-r /usr/lib x
-r /usr x
-r /var/run/storageRM.pid w
-r /var/run/vmware/watchdog-storageRM.PID w

# StorageRM process needs to have access to the vmfs folder, e.g:
# -r /vmfs/volumes/<hash-id>/.naa.6006016012203e00d46ce45c89260952/slotsfile w
# -r /vmfs/volumes/<hash-id> r
# -r /vmfs/volumes/<hash-id>/.iormstats.sf w
# -r /vmfs/volumes/<hash-id>/.naa.6006016012203e00d46ce45c89260952 w
# -r /vmfs/volumes/ r
# Since the security domain definition doesn't support regex expressions, and
# the hash id changes from one deployment to another deployment,
# we have to grant the read/write access recursively to the whole vmfs directory.
# More context: https://vmware.slack.com/archives/C02862D5AN8/p1628787719073700
-r /vmfs/volumes/ rw

