###
### File to describe some constraints on what file paths may be used when
### powering on a virtual machine.
### 

# Basic list to describe some paths no VM device backends should be using.
rule "No System Files"
{
  # Deny-list rule: for each config key selected below, reject a value that
  # starts with a host system directory or contains a ".." path component.
  # NOTE(review): how this rule combines with the accept-list rules later in
  # the file (for example, whether every rule that selects a key must pass) is
  # decided by the rule evaluator and is not visible here -- confirm.
  # NOTE(review): the exact meaning of the "_case" suffix on the matchers is
  # not defined in this file -- confirm before relying on case behaviour.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # General VM paths
  key match "suspend.directory"
  key match "redoLogDir"
  key match "workingDir"
  key match "workingDirectory"
  key match "vmx.stdin"
  key match "vmx.stdout"
  key match "vmx.stderr"
  key match "vmx.allocTrack.logFile"
  key match "vmx.fileTrack.logFile"
  # The dots are unescaped and the pattern opens with ".*", so this selects
  # any key ending in "log<any char>fileName", not only "log.fileName".
  # Over-selecting keys is the safe direction for a restriction.
  key regex "^.*log.fileName$"

  # nvram
  # NOTE(review): in this file these two keys are named only by this rule and
  # by the /usr rule; no accept-list rule selects them -- confirm intended.
  key match "nvram"
  key match "nvram_default"

  # ROMs
  # NOTE(review): these keys are spelled with lower-case "filename" while the
  # device keys below use "fileName"; confirm how "key match" treats case so
  # that a differently-cased key cannot slip past the selectors.
  key match "bios440.filename"
  key match "efi32.filename"
  key match "efi64.filename"
  key match "sbios.filename"
  key match "vbios.filename"
  key match "lsibios.filename"
  key match "nbios.filename"
  key match "nxbios.filename"
  key match "e1000bios.filename"
  key match "e1000ebios.filename"
  key match "sas1068bios.filename"
  key match "nx3bios.filename"
  key match "pvscsibios.filename"

  # Serial file backend. 4 devices
  key regex "^serial[0-3]\.fileName$"

  # Parallel file backend. 4 devices
  key regex "^parallel[0-3]\.fileName$"

  # Floppy file backend. 2 devices
  key regex "^floppy[0-1]\.fileName$"

  # IDE device backend. 2 controllers, 2 devices each
  key regex "^ide[0-1]:[0-1]\.fileName$"

  # SCSI device backend. 4 controllers, 16 devices each
  key regex "^scsi[0-3]:(([0-9])|(1[0-5]))\.name$"
  key regex "^scsi[0-3]:(([0-9])|(1[0-5]))\.fileName$"

  # Service Console Paths
  # Each pattern is anchored at the start only and its trailing "/" is
  # optional, so "^/bin/?" matches "/bin", anything below it, and also any
  # other path that merely begins with "/bin". That widens the deny list; it
  # never narrows it.
  reject regex_case "^/bin/?"
  reject regex_case "^/boot/?"
  reject regex_case "^/etc/?"
  reject regex_case "^/home/?"
  reject regex_case "^/initrd/?"
  reject regex_case "^/lib/?"
  reject regex_case "^/mnt/?"
  reject regex_case "^/opt/?"
  reject regex_case "^/proc/?"
  reject regex_case "^/root/?"
  reject regex_case "^/sbin/?"
  reject regex_case "^/tmp/?"
  reject regex_case "^/var/?"

  # VMvisor paths
  reject regex_case "^/altbootbank/?"
  reject regex_case "^/bootbank/?"
  reject regex_case "^/locker/?"
  reject regex_case "^/mod/?"
  reject regex_case "^/productLocker/?"
  reject regex_case "^/scratch/?"
  reject regex_case "^/share/?"
  reject regex_case "^/store/?"
  reject regex_case "^/vmupgrade/?"
  # Volume names beginning Hypervisor1..Hypervisor3 under /vmfs/volumes.
  reject regex_case "^/vmfs/volumes/Hypervisor[1-3]"

  # No parent directories in a path component
  # Matches ".." as a whole component at the start, middle or end of a path.
  # NOTE(review): this is a check on the configured string. Whether the value
  # is normalised or symlinks are resolved before matching is not visible
  # here -- confirm, because the prefix-based accept rules in this file do not
  # themselves exclude "..".
  reject regex "^(.*/)?\.\.(/.*)?$"
}


# Rule to restrict everything under /usr except the virtual media
rule "No Files Under /usr Except Virtual Media"
{
  # For the same key set as "No System Files": accept values under the two
  # virtual-media directories, and accept any value that is not under /usr/.
  # NOTE(review): a value under /usr/ outside those two directories matches
  # none of the accept lines; that it is then refused is the evident intent
  # but depends on the evaluator's default -- confirm.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # General VM paths
  key match "suspend.directory"
  key match "redoLogDir"
  key match "workingDir"
  key match "workingDirectory"
  key match "vmx.stdin"
  key match "vmx.stdout"
  key match "vmx.stderr"
  key match "vmx.allocTrack.logFile"
  key match "vmx.fileTrack.logFile"
  # Unescaped dots: selects any key ending in "log<any char>fileName".
  key regex "^.*log.fileName$"

  # nvram
  key match "nvram"
  key match "nvram_default"

  # ROMs
  key match "bios440.filename"
  key match "efi32.filename"
  key match "efi64.filename"
  key match "sbios.filename"
  key match "vbios.filename"
  key match "lsibios.filename"
  key match "nbios.filename"
  key match "nxbios.filename"
  key match "e1000bios.filename"
  key match "e1000ebios.filename"
  key match "sas1068bios.filename"
  key match "nx3bios.filename"
  key match "pvscsibios.filename"

  # Serial file backend. 4 devices
  key regex "^serial[0-3]\.fileName$"

  # Parallel file backend. 4 devices
  key regex "^parallel[0-3]\.fileName$"

  # Floppy file backend. 2 devices
  key regex "^floppy[0-1]\.fileName$"

  # IDE device backend. 2 controllers, 2 devices each
  key regex "^ide[0-1]:[0-1]\.fileName$"

  # SCSI device backend. 4 controllers, 16 devices each
  key regex "^scsi[0-3]:(([0-9])|(1[0-5]))\.name$"
  key regex "^scsi[0-3]:(([0-9])|(1[0-5]))\.fileName$"

  # Virtual media directories under /usr that remain usable.
  # A prefix test alone does not exclude ".." later in the value; the ".."
  # reject in "No System Files" selects the same keys and covers that case,
  # provided both rules are applied (NOTE(review): confirm).
  accept prefix_case "/usr/lib/vmware/isoimages/"
  accept prefix_case "/usr/lib/vmware/floppies/"
  # Negated match: accepts every value that does not begin with "/usr/".
  # The pattern requires the trailing slash, so the bare value "/usr" also
  # counts as "not under /usr/" here.
  accept !regex_case "^/usr/"
}


# General virtual machine files may only reside on the VMFS volume
rule "General Virtual Machine Files"
{
  # Accept-list rule for the VM's directory and log/stdio keys: the value must
  # start with "/vmfs/volumes/" or must not be an absolute path.
  # NOTE(review): what a relative value is resolved against is not stated in
  # this file -- presumably the VM's own directory; confirm.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # General VM paths
  key match "suspend.directory"
  key match "redoLogDir"
  key match "workingDir"
  key match "workingDirectory"
  key match "vmx.stdin"
  key match "vmx.stdout"
  key match "vmx.stderr"
  key match "vmx.allocTrack.logFile"
  key match "vmx.fileTrack.logFile"
  # Unescaped dots: selects any key ending in "log<any char>fileName".
  key regex "^.*log.fileName$"

  # Only allow paths under /vmfs/volumes and relative paths
  # These are prefix tests on the configured string; ".." components are
  # rejected for these keys by "No System Files", not by this rule.
  accept prefix_case "/vmfs/volumes/"
  # Negated prefix: accepts any value that does not start with "/".
  accept !prefix     "/"
}


# Virtual SCSI devices can point to VMFS volume or raw device.
rule "Virtual SCSI Devices"
{
  # Accept-list rule for SCSI backends: the value must start with "/vmfs/" or
  # must not be an absolute path.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # SCSI device backend. 4 controllers, 16 devices each
  # Only scsi0-scsi3, units 0-15, ".name" and ".fileName" are selected; a key
  # outside these patterns is not constrained by this rule.
  key regex "^scsi[0-3]:(([0-9])|(1[0-5]))\.name$"
  key regex "^scsi[0-3]:(([0-9])|(1[0-5]))\.fileName$"

  # Only allow paths under /vmfs/ and relative paths
  # "/vmfs/" is wider than "/vmfs/volumes/": it also admits other subtrees of
  # /vmfs, which matches the "raw device" case named in the rule's header.
  accept prefix_case "/vmfs/"
  # Negated prefix: accepts any value that does not start with "/".
  accept !prefix     "/"
}


# Virtual ROM can only point to VMFS volume.
rule "Virtual ROMs"
{
  # Accept-list rule for ROM image keys: the value must start with "/vmfs/"
  # or must not be an absolute path.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # ROMs
  # NOTE(review): keys are matched as lower-case "filename"; confirm how
  # "key match" treats case so a differently-cased key is still selected.
  key match "bios440.filename"
  key match "efi32.filename"
  key match "efi64.filename"
  key match "sbios.filename"
  key match "vbios.filename"
  key match "lsibios.filename"
  key match "nbios.filename"
  key match "nxbios.filename"
  key match "e1000bios.filename"
  key match "e1000ebios.filename"
  key match "sas1068bios.filename"
  key match "nx3bios.filename"
  key match "pvscsibios.filename"

  # Only allow paths under /vmfs/ and relative paths
  # NOTE(review): the prefix is "/vmfs/", broader than the "/vmfs/volumes/"
  # used for general VM files; confirm ROM images are meant to be loadable
  # from anywhere under /vmfs/ rather than from volumes only.
  accept prefix_case "/vmfs/"
  # Negated prefix: accepts any value that does not start with "/".
  accept !prefix     "/"
}


# Virtual IDE devices can point to VMFS volume, raw device, or virtual
# tools media.
rule "Virtual IDE Devices"
{
  # Accept-list rule for IDE backends: selected host device nodes, paths
  # under /vmfs/, /vmimages/ and the ISO image directory, relative paths, and
  # one fixed placeholder value.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # IDE device backend. 2 controllers, 2 devices each
  key regex "^ide[0-1]:[0-1]\.fileName$"

  # Allow CDROM devices
  # These three patterns are anchored at both ends, so only the exact node
  # names match.
  accept regex_case  "^/dev/cdrom[0-9]*$"
  # NOTE(review): "/dev/hd[a-z]" matches any hdX node, not only optical
  # drives; confirm that is acceptable on the hosts this file targets.
  accept regex_case  "^/dev/hd[a-z]$"
  accept regex_case  "^/dev/scd[0-9]+$"

  # Only allow paths under /vmfs/, /vmimages/, /usr/lib/vmware/isoimages/,
  # and relative paths
  accept prefix_case "/vmfs/"
  accept prefix_case "/vmimages/"
  accept prefix_case "/usr/lib/vmware/isoimages/"
  # Negated prefix: accepts any value that does not start with "/".
  accept !prefix     "/"

  # Virtual Center sets dummy values
  # Exact-string match on the placeholder, not a prefix.
  accept match       "/null.iso"
}


# Virtual floppy devices can point to VMFS volume, physical floppy device, or
# virtual tools media.
rule "Virtual Floppy Device Backend"
{
  # Accept-list rule for floppy backends: /dev/fd<N> nodes, paths under
  # /vmfs/volumes/, /vmimages/ and the floppy image directory, relative
  # paths, and one fixed placeholder value.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # Floppy file backend. 2 devices
  key regex "^floppy[0-1]\.fileName$"

  # Under /dev, only allow floppy device backends
  # Anchored at both ends: "/dev/fd" followed by one or more digits only.
  accept regex_case  "^/dev/fd[0-9]+$"
  accept prefix_case "/vmfs/volumes/"
  accept prefix_case "/vmimages/"
  accept prefix_case "/usr/lib/vmware/floppies/"
  # Negated prefix: accepts any value that does not start with "/".
  accept !prefix     "/"

  # Virtual Center sets dummy values
  # Exact-string match on the placeholder, not a prefix.
  accept match       "/null.flp"
}


# Under /dev, allow only /dev/ttyS* to be used as serial port backends.
# Allow files in the VMFS volume.
rule "Virtual Serial Port Device Backend"
{
  # Accept-list rule for serial backends: named serial device nodes, paths
  # under /vmfs/volumes/ and /vmfs/devices/char/vmwire/, and relative paths.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # Serial file backend. 4 devices
  key regex "^serial[0-3]\.fileName$"

  # Under /dev, only allow serial port device backends
  # The three device patterns are anchored at both ends, so only the exact
  # node names (ttyS<N>, uart<N>) match.
  accept regex_case  "^/dev/ttyS[0-9]+$"
  accept regex_case  "^/dev/char/serial/uart[0-9]+$"
  accept regex_case  "^/vmfs/devices/char/serial/uart[0-9]+$"
  accept prefix_case "/vmfs/volumes/"
  # Prefix test: anything below the vmwire directory is accepted.
  accept prefix_case "/vmfs/devices/char/vmwire/"
  # Negated prefix: accepts any value that does not start with "/".
  accept !prefix     "/"
}


# Under /dev, allow only /dev/parport* to be used as a parallel port backend.
# Allow files in the VMFS volume.
rule "Virtual Parallel Port Device Backend"
{
  # Accept-list rule for parallel backends: /dev/parport<N> nodes, paths
  # under /vmfs/volumes/, and relative paths.

  # ".*" matches any string, so the rule is not limited to particular VMs.
  vm regex ".*"

  # Parallel file backend. 4 devices
  key regex "^parallel[0-3]\.fileName$"

  # Under /dev, only allow parallel port device backends
  # Anchored at both ends: "/dev/parport" followed by one or more digits only.
  accept regex_case  "^/dev/parport[0-9]+$"
  accept prefix_case "/vmfs/volumes/"
  # Negated prefix: accepts any value that does not start with "/".
  accept !prefix     "/"
}
