#
# Security Domain Policy rules for VMware Tools daemon
#    - Permissions for guest info
#    - Permissions for guest operations
#        *   ListProcessesInGuest does not work in ESXi
#        **  For Power operations and StartProgramInGuest see vmtoolsdShellDom
#
# Rule kinds used in this file (one per section below):
#    -c  capability, granted or revoked for the whole domain
#    -p  capability limited to one named path/endpoint
#    -d  domain transition taken when a tagged object is executed
#    -r  file system path with access modes r/w/x; a path listed with no
#        modes is denied (see 'Deny All' and /bin/secpolicytools below)
#    -s  system call group
# Every line of this file is attack surface for the daemon; keep each grant
# tied to the feature named in its comment.

# Capabilities (network)
#   socket_create grants carry an implicit global bind/connect; the revokes
#   below take that back so that only the -p endpoints listed afterwards are
#   reachable. No inet bind/connect restriction appears in this file --
#   NOTE(review): confirm whether inet_dgram needs the same narrowing.
-c inet_dgram_socket_create grant       # Required startup
-c unix_socket_create grant             # Required startup
-c unix_dgram_socket_bind revoke        # Revoke global bind allowed by create
-c unix_dgram_socket_connect revoke     # Revoke global connect allowed by create
-c unix_stream_socket_bind revoke       # Revoke global bind allowed by create
-c unix_stream_socket_connect revoke    # Revoke global connect allowed by create

# Only these unix sockets may be connected to: syslog (two endpoints) and nscd.
-p unix_dgram_socket_connect /dev/log grant
-p unix_dgram_socket_connect /dev/vmwSyslog grant
-p unix_stream_socket_connect /var/run/nscd/socket grant


# Domain transitions
#   transitions when launching 'sh' (Power ops scripts, StartProgramInGuest).
#   Once the transition happens, the child runs under vmtoolsdShellDom and
#   the -r/-s rules in this file no longer apply to it; review that policy
#   together with this one.
-d shellObj vmtoolsdShellDom file_exec grant


# Files & file systems
# Deny All
#    Caveat: No file transfers to '/'
#            /tmp is rw for file transfer
#    '/' with no modes denies the whole tree; every path below re-grants
#    a narrower subset.
-r /


# Allow / Restrict / disallow for guestInfo & power ops
#  - allow exec all,
#  - disallow secpolicytools
#  Required exec on: sh (Power ops, StartProgramInGuest), vmtoolsd
#  The mode-less /bin/secpolicytools line sits under '/bin x'; presumably
#  the more specific path wins, so the policy tools stay unreachable from
#  this domain -- verify the matcher's precedence if /bin is ever widened.
-r /bin x
-r /bin/secpolicytools         # Disallow

-r /dev/char/mem/null w
#-r /dev/char/tty/console w     # Needed when failing vmwSyslog connect
-r /dev/char/vmkdriver/urandom r
-r /dev/char/vsock/vsock r

# Name service, locale and PAM configuration, read-only.
-r /etc/environment r
-r /etc/group r
-r /etc/hosts r
-r /etc/host.conf r
-r /etc/localtime r
-r /etc/nsswitch.conf r
-r /etc/pam.d r
-r /etc/passwd r
-r /etc/resolv.conf r
-r /etc/security/access.conf r
-r /etc/security/pam_env.conf r
-r /etc/shadow r               # Guest operations: StartProgramInGuest (PAM) -- credential store, keep read-only and tied to this one use

#
# VMware Tools:
#   plugins are mostly libraries and executables
#   script-data: Disallow, belongs to vmkperf app, not related to vmware tools
#   scripts: executable script files
#   NOTE(review): 'scripts' below is rwx -- write and execute on the same
#   directory lets this domain alter the scripts it later runs; confirm 'w'
#   is really required by user power ops (same question for /var/run/vmware-imc).
-r /etc/vmware-tools/plugins x
-r /etc/vmware-tools/poweroff-vm-default x
-r /etc/vmware-tools/poweron-vm-default x
-r /etc/vmware-tools/resume-vm-default x
-r /etc/vmware-tools/scripts rwx            # Power ops (user power ops).
-r /etc/vmware-tools/scripts/vmware x       # Power ops.
-r /etc/vmware-tools/statechange.subr r     # Power ops (sourced by scripts).
-r /etc/vmware-tools/suspend-vm-default x
-r /etc/vmware-tools/tools.conf r

-r /lib64 x
-r /lib64/security x           # pam libs

-r /lib r                      # Crypto libs

# Upload targets are rw only: no 'x', so uploaded content cannot be executed
# from here under this domain (vmtoolsdShellDom has its own rules).
-r /tmp rw                     # Allow file upload to here.

-r /usr/lib x
-r /usr/lib64 x
-r /usr/lib64/locale/locale-archive r

-r /var/log w                  # Create/Write to vmware-<svc>-<usr> logs
-r /var/run/vmware-imc rwx     # Guest Customization payload/scripts folder (rwx: see note on scripts above)
-r /var/tmp/ rw                # Allow file upload to here. Trailing slash unlike /tmp -- presumably equivalent; verify the matcher treats both alike.

# Volumes access is more for VM maintenance, file access and collection.
# This should be achievable through other means (NFC, ...)
# Only 'x' is granted; the rw line stays commented out on purpose.
#-r /vmfs/volumes/ rw           # Allow file upload to here.
-r /vmfs/volumes/ x            # Access files, execute scripts (user power ops)


# The system call rules
#   Each group is granted for the daemon itself; the shell child is covered
#   by vmtoolsdShellDom.
-s cloneSys grant
-s execSys grant
-s forkExecSys grant           # Power ops, StartProgramInGuest
-s forkSys grant
-s genericSys grant
-s ioctlSys grant              # Required, startup
-s killSys grant               # TerminateProcessInGuest
-s mprotectSys grant
-s openSys grant
-s syncSys grant
-s timeSys grant
-s vsiReadSys grant
