#
# Security Domain Policy rules for VMware Tools daemon Shell commands
#
# Shell commands executed or launched through VMware tools are running
# under the vmtoolsdShellDom security policy rules.
#
#   - Power operations scripts
#   - Guest operations commands launched through StartProgramInGuest
#   - Guest Customization (deployPkg)
#
# Rules herein must be revisited whenever the set of commands launched through
# vmtoolsd changes (new power-ops scripts, guest-operations tooling or
# customization steps); every grant should carry a comment naming the consumer
# that requires it, so unused grants can be removed later.
#


# Network
#
# Socket creation is granted wholesale because the tooling run from this
# domain (vim-cmd, esxcli, python) needs it.  For unix sockets the global
# bind/connect that comes with create is revoked straight away and then
# re-granted one endpoint at a time below, so the reachable unix sockets are
# fully enumerated in this file.
-c inet_dgram_socket_create grant       # vim-cmd, esxcli, python
-c inet_stream_socket_create grant      # vim-cmd, esxcli, python
-c unix_socket_create grant             # vim-cmd, esxcli, python
-c unix_dgram_socket_bind revoke        # Revoke global bind allowed by create
-c unix_dgram_socket_connect revoke     # Revoke global connect allowed by create
-c unix_stream_socket_bind revoke       # Revoke global bind allowed by create
-c unix_stream_socket_connect revoke    # Revoke global connect allowed by create
# NOTE(review): there is no inet_socket_connect / inet_socket_bind revoke to
# mirror the unix ones above.  If inet_*_socket_create implies a global
# connect the way the unix creates do, the two loopback grants below are not
# the only reachable inet endpoints - confirm the engine default and add the
# revoke if it is needed.

# Per-endpoint grants; each line names the consumer that requires it.
-p inet_socket_connect loopback 80 grant    # Power ops scripts (esxcli)
-p inet_socket_connect loopback 8307 grant  # vim-cmd
-p unix_dgram_socket_connect /dev/log grant # Power ops scripts (python)
-p unix_dgram_socket_connect /dev/vmwSyslog grant   # Consumer not recorded - presumably the same logging path as /dev/log; confirm
-p unix_stream_socket_connect /dev/log grant    # Power ops scripts (python)
-p unix_stream_socket_connect /var/run/nscd/socket grant    # vim-cmd
-p unix_stream_socket_connect /var/run/vmware/vobd-user-ctx.sock grant  # Consumer not recorded - presumably Guest Customization (see vobSys below); confirm


# Domain transition
#
# Executing one of these two objects moves the process out of
# vmtoolsdShellDom and into superDom (presumably unrestricted), so these
# rules - together with the /bin x grant below that makes the binaries
# reachable - are the escape hatch from this policy.  Keep the list to
# exactly what StartProgramInGuest and the power-ops scripts need.
-d supershellObj superDom file_exec grant   # Copied from the sshd domain policy; the same caveat applies (see that file, not reproduced here)
-d supportUtilObj superDom file_exec grant  # Copied from the sshd domain policy; same caveat


# Files & file systems
#
# Default deny: a rule with no mode letters denies, so the bare "/" rule below
# is the baseline and every rule after it is a carve-out.  Modes are r (read),
# w (write) and x (execute).  The /bin vs /bin/secpolicytools pair below
# relies on a more specific path overriding a broader grant.
-r /

# Restrict / disallow
#
# Allow execute for all in /bin
#   - Power ops requires:
#       + esxcli (and related python accesses)
#       + sed
#   - supershell & support-util needed for transitions rules and are used
#     through both StartProgramInGuest and Power ops scripts.
# Disallow
#   - secpolicytools (presumably the policy management tool - this domain
#     must not be able to alter its own rules)
#
-r /bin x                      # Allow to exec all.
-r /bin/secpolicytools         # No mode = deny; the more specific path wins over /bin x.

-r /dev/char/mem/null w
-r /dev/char/vmkdriver/urandom r
-r /dev/null w                 # Same as /dev/char/mem/null, but needed.

-r /etc/localtime r
-r /etc/nsswitch.conf r
-r /etc/pam.d r
-r /etc/passwd r
-r /etc/vmware/ w              # Guest Customization (runtime:esx.conf.LOCK.*)
                               # NOTE(review): w on the directory itself is broader than the
                               # LOCK.* files it is granted for - confirm whether the engine can
                               # scope this to the lock-file pattern.
-r /etc/vmware/config r
-r /etc/vmware/configstore/current-store-1 r
-r /etc/vmware/esx.conf rw     # Guest Customization (runtime)
-r /etc/vmware/schemastore/schema-store-1 r
-r /etc/vmware/settings r
-r /etc/vmware/vsphereFeatures r
#
# VMware Tools:
#   plugins are mostly libraries and executables
#   script-data: Disallow, belongs to vmkperf app, not related to vmware tools
#   scripts: executable script files
-r /etc/vmware-tools/plugins x
-r /etc/vmware-tools/poweroff-vm-default x
-r /etc/vmware-tools/poweron-vm-default x
-r /etc/vmware-tools/resume-vm-default x
-r /etc/vmware-tools/scripts x             # Power ops (user power ops).
-r /etc/vmware-tools/scripts/vmware x      # Power ops.
-r /etc/vmware-tools/statechange.subr r
-r /etc/vmware-tools/suspend-vm-default x
-r /etc/vmware-tools/tools.conf r

# Library trees get x (presumably required to map shared objects); the python
# module trees only need r.
-r /lib64 x
-r /lib64/python3.5 r          # Power ops scripts
-r /lib64/python3.8 r          # Power ops scripts
-r /lib64/python3.8/lib-dynload x
-r /lib64/security x           # pam libs
# NOTE(review): both a python3.5 and a python3.8 tree are granted; drop the
# one that is no longer shipped so the grant does not outlive the interpreter.

-r /lib r                      # Crypto libs

# Scratch space for transferred files: rw only, no x, so nothing dropped here
# can be exec'd directly.  An interpreter such as python only needs r to run
# a script from here, so this is not a guarantee against script execution.
-r /tmp rw                     # Access transferred files, writeable space

-r /usr/lib x
-r /usr/lib/vmware/busybox/bin/busybox x
-r /usr/lib64 x
-r /usr/lib64/locale/locale-archive r

-r /var/log/tallylog w         # pam.d (written by the PAM stack)
-r /var/run/vmware-imc rwx     # Guest Customization payload/scripts folder
                               # NOTE(review): w and x on the same directory - whatever lands
                               # here runs under this domain; confirm that only the deployPkg
                               # path can write to it.
-r /var/run/vmware-hostd-ticket r  # Power ops (resume), Guest Custom. (runtime)
-r /var/run/vmware-dhcp-nics w # Power ops scripts
-r /var/tmp/ rw                # Access transferred files, writeable space (same caveat as /tmp)

# Volumes access is more for VM maintenance, file access and collection.
# This should be achievable through other means (NFC, ...)
# NOTE(review): this is the broadest execute grant in the file - any script
# on any datastore can be run under vmtoolsdShellDom.  Revisit once the
# other means are in place.
-r /vmfs/volumes/ x            # Access files, execute scripts (user power ops)


# The system call rules
#
# Each line grants one syscall class to the domain.  The process/exec group
# (clone, exec, forkExec, fork) is what lets the domain run scripts and
# commands at all; kill/sync/ioctl back the reboot and shutdown paths.
# NOTE(review): genericSys, ioctlSys and vsiWriteSys are, by name, the broad
# grants here.  vsiWriteSys (VSI write - presumably VMkernel sysinfo) is only
# needed by Guest Customization; check whether it can be narrowed or dropped
# when customization is not in use.
-s cloneSys grant
-s execSys grant
-s forkExecSys grant           # Run scripts & commands
-s forkSys grant
-s genericSys grant
-s ioctlSys grant              # Power ops scripts (reboot, shutdown), more
-s killSys grant               # Power ops scripts (reboot, shutdown)
-s mprotectSys grant
-s openSys grant
-s syncSys grant               # Power ops scripts (reboot, shutdown)
-s timeSys grant
-s vobSys grant                # Guest Customization (runtime)
-s vsiReadSys grant
-s vsiWriteSys grant           # Guest Customization (runtime)

