###
### File to describe some constraints on what file paths may be used when
### powering on a virtual machine.
### 

# Basic list to describe some paths no VM device backends should be using.
rule "No System Files"
{
  # Denylist rule: it names the config keys that carry file paths and the
  # path patterns those keys must never point at.
  # NOTE(review): how this rule combines with the allowlist rules later in
  # this file (presumably a value has to pass every rule whose keys match)
  # is not visible here -- confirm against the rule engine.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # General VM paths
  key match "suspend.directory"
  key match "log.fileName"
  key match "redoLogDir"
  key match "workingDir"
  key match "vmx.stdin"
  key match "vmx.stdout"
  key match "vmx.stderr"

  # Serial file backend. 4 devices
  key regex "^serial[0-3]\.fileName$"

  # Parallel file backend. 4 devices
  key regex "^parallel[0-3]\.fileName$"

  # Floppy file backend. 2 devices
  key regex "^floppy[0-1]\.fileName$"

  # IDE device backend. 2 controllers, 2 devices each
  key regex "^ide[0-1]:[0-1]\.fileName$"

  # SCSI device backend. 4 controllers, 16 devices each
  # (([0-9])|(1[0-5])) spells out unit numbers 0-15; both the ".name" and
  # the ".fileName" form of the key are covered.
  key regex "^scsi[0-3]:(([0-9])|(1[0-5]))\.name$"
  key regex "^scsi[0-3]:(([0-9])|(1[0-5]))\.fileName$"

  # Service Console Paths
  # Each pattern is anchored at the start only and its trailing "/" is
  # optional, so "^/etc/?" also covers a name such as "/etc2". That
  # over-rejects, which is the safe direction for a denylist.
  # NOTE(review): this assumes the regex is applied as a search; under
  # full-match semantics only "/etc" and "/etc/" would be rejected -- confirm.
  # /usr and /dev are not listed: /usr has its own rule in this file and
  # /dev nodes are allowed per device type by the device rules.
  reject regex_case "^/bin/?"
  reject regex_case "^/boot/?"
  reject regex_case "^/etc/?"
  reject regex_case "^/home/?"
  reject regex_case "^/initrd/?"
  reject regex_case "^/lib/?"
  reject regex_case "^/mnt/?"
  reject regex_case "^/opt/?"
  reject regex_case "^/proc/?"
  reject regex_case "^/root/?"
  reject regex_case "^/sbin/?"
  reject regex_case "^/tmp/?"
  reject regex_case "^/var/?"

  # VMvisor paths
  reject regex_case "^/altbootbank/?"
  reject regex_case "^/bootbank/?"
  reject regex_case "^/locker/?"
  reject regex_case "^/mod/?"
  reject regex_case "^/productLocker/?"
  reject regex_case "^/scratch/?"
  reject regex_case "^/share/?"
  reject regex_case "^/store/?"
  reject regex_case "^/vmupgrade/?"
  # Hypervisor1-3 sit under /vmfs/volumes/, which the allowlist rules in
  # this file accept by prefix, so this line is what keeps them out.
  reject regex_case "^/vmfs/volumes/Hypervisor[1-3]"

  # No parent directories in a path component
  # Matches ".." only as a whole component (alone, leading, trailing, or
  # between slashes); a name that merely contains two dots ("a..b") passes.
  # This is the only traversal check in the file: the prefix-based accepts
  # in the other rules do not exclude ".." themselves and rely on this
  # line also being evaluated for the same key.
  # NOTE(review): every check here is lexical. Whether the value is
  # normalised or symlinks are resolved before matching is not visible in
  # this file -- confirm.
  reject regex "^(.*/)?\.\.(/.*)?$"
}


# Rule to restrict everything under /usr except the virtual media
rule "No Files Under /usr Except Virtual Media"
{
  # Covers the same keys as "No System Files" and handles /usr separately
  # because two directories beneath it must stay usable.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # General VM paths
  key match "suspend.directory"
  key match "log.fileName"
  key match "redoLogDir"
  key match "workingDir"
  key match "vmx.stdin"
  key match "vmx.stdout"
  key match "vmx.stderr"

  # Serial file backend. 4 devices
  key regex "^serial[0-3]\.fileName$"

  # Parallel file backend. 4 devices
  key regex "^parallel[0-3]\.fileName$"

  # Floppy file backend. 2 devices
  key regex "^floppy[0-1]\.fileName$"

  # IDE device backend. 2 controllers, 2 devices each
  key regex "^ide[0-1]:[0-1]\.fileName$"

  # SCSI device backend. 4 controllers, 16 devices each
  key regex "^scsi[0-3]:(([0-9])|(1[0-5]))\.name$"
  key regex "^scsi[0-3]:(([0-9])|(1[0-5]))\.fileName$"

  # Service Console Paths
  # The two media directories are the only locations under /usr/ that are
  # accepted. A prefix test does not exclude ".." components; those are
  # rejected by "No System Files".
  accept prefix_case "/usr/lib/vmware/isoimages/"
  accept prefix_case "/usr/lib/vmware/floppies/"
  # Negated match: any value that does not start with "/usr/" passes this
  # rule. The pattern requires the trailing slash, so the bare value "/usr"
  # passes here as well (the "No System Files" patterns use "/?" instead).
  # NOTE(review): presumably harmless because the per-key allowlist rules
  # do not accept "/usr" either -- confirm that is intended.
  accept !regex_case "^/usr/"
}


# General virtual machine files may only reside on the VMFS volume
rule "General Virtual Machine Files"
{
  # Allowlist for the non-device path keys (suspend, log, redo log,
  # working directory and the vmx standard streams).

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # General VM paths
  key match "suspend.directory"
  key match "log.fileName"
  key match "redoLogDir"
  key match "workingDir"
  key match "vmx.stdin"
  key match "vmx.stdout"
  key match "vmx.stderr"

  # Only allow paths under /vmfs/volumes and relative paths
  # The prefix also covers /vmfs/volumes/Hypervisor[1-3] and values with
  # ".." components; both are rejected by "No System Files", not here.
  accept prefix_case "/vmfs/volumes/"
  # Negated prefix: any value that does not begin with "/" is accepted.
  # NOTE(review): what a relative value is resolved against (presumably the
  # VM's own directory) is not visible in this file -- confirm.
  accept !prefix     "/"
}


# Virtual SCSI devices can point to VMFS volume or raw device.
rule "Virtual SCSI Devices"
{
  # Allowlist for the SCSI backend keys.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # SCSI device backend. 4 controllers, 16 devices each
  key regex "^scsi[0-3]:(([0-9])|(1[0-5]))\.name$"
  key regex "^scsi[0-3]:(([0-9])|(1[0-5]))\.fileName$"

  # Only allow paths under /vmfs/ and relative paths
  # "/vmfs/" is deliberately wider than the "/vmfs/volumes/" prefix used
  # for general VM files: it admits everything under /vmfs/, not only
  # datastore volumes. ".." components are rejected by "No System Files".
  accept prefix_case "/vmfs/"
  # Negated prefix: any value that does not begin with "/" is accepted.
  accept !prefix     "/"
}


# Virtual IDE devices can point to VMFS volume, raw device, or virtual
# tools media.
rule "Virtual IDE Devices"
{
  # Allowlist for the IDE backend keys.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # IDE device backend. 2 controllers, 2 devices each
  key regex "^ide[0-1]:[0-1]\.fileName$"

  # Allow CDROM devices
  # All three patterns are anchored at both ends, so only the exact node
  # names pass: "/dev/cdrom" with optional digits, "/dev/hd" plus a single
  # lowercase letter, "/dev/scd" plus at least one digit.
  accept regex_case  "^/dev/cdrom[0-9]*$"
  accept regex_case  "^/dev/hd[a-z]$"
  accept regex_case  "^/dev/scd[0-9]+$"

  # Only allow paths under /vmfs/, /vmimages/, /usr/lib/vmware/isoimages/,
  # and relative paths. Prefix tests do not exclude ".." components; those
  # are rejected by "No System Files".
  accept prefix_case "/vmfs/"
  accept prefix_case "/vmimages/"
  accept prefix_case "/usr/lib/vmware/isoimages/"
  accept !prefix     "/"

  # Virtual Center sets dummy values
  # NOTE(review): "match" is presumably an exact comparison, so only the
  # literal value "/null.iso" is admitted -- confirm.
  accept match       "/null.iso"
}


# Virtual floppy devices can point to a VMFS volume, a physical floppy
# device, or virtual tools media.
rule "Virtual Floppy Device Backend"
{
  # Allowlist for the floppy backend keys.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # Floppy file backend. 2 devices
  key regex "^floppy[0-1]\.fileName$"

  # Under /dev, only allow floppy device backends
  # Anchored at both ends: "/dev/fd" followed by at least one digit.
  accept regex_case  "^/dev/fd[0-9]+$"
  # Image files: datastore volumes, /vmimages/ and the floppy media
  # directory under /usr. Prefix tests do not exclude ".." components;
  # those are rejected by "No System Files".
  accept prefix_case "/vmfs/volumes/"
  accept prefix_case "/vmimages/"
  accept prefix_case "/usr/lib/vmware/floppies/"
  # Negated prefix: any value that does not begin with "/" is accepted.
  accept !prefix     "/"

  # Virtual Center sets dummy values
  # NOTE(review): "match" is presumably an exact comparison, so only the
  # literal value "/null.flp" is admitted -- confirm.
  accept match       "/null.flp"
}


# Under /dev, allow only /dev/ttyS* and /dev/char/serial/uart* to be used as
# serial port backends. Allow files in the VMFS volume.
rule "Virtual Serial Port Device Backend"
{
  # Allowlist for the serial port backend keys.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # Serial file backend. 4 devices
  key regex "^serial[0-3]\.fileName$"

  # Under /dev, only allow serial port device backends
  # The three device patterns are anchored at both ends and require at
  # least one digit, so only exact ttyS/uart node names pass.
  accept regex_case  "^/dev/ttyS[0-9]+$"
  accept regex_case  "^/dev/char/serial/uart[0-9]+$"
  accept regex_case  "^/vmfs/devices/char/serial/uart[0-9]+$"
  # Files on datastore volumes, plus anything under the vmwire device
  # directory. Prefix tests do not exclude ".." components; those are
  # rejected by "No System Files".
  accept prefix_case "/vmfs/volumes/"
  accept prefix_case "/vmfs/devices/char/vmwire/"
  # Negated prefix: any value that does not begin with "/" is accepted.
  accept !prefix     "/"
}


# Under /dev, allow only /dev/parport* to be used as a parallel port backend.
# Allow files in the VMFS volume.
rule "Virtual Parallel Port Device Backend"
{
  # Allowlist for the parallel port backend keys.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # Parallel file backend. 4 devices
  key regex "^parallel[0-3]\.fileName$"

  # Under /dev, only allow parallel port device backends
  # Anchored at both ends: "/dev/parport" followed by at least one digit.
  accept regex_case  "^/dev/parport[0-9]+$"
  # Files on datastore volumes. The prefix test does not exclude ".."
  # components; those are rejected by "No System Files".
  accept prefix_case "/vmfs/volumes/"
  # Negated prefix: any value that does not begin with "/" is accepted.
  accept !prefix     "/"
}
