ESXi uses daemon sandboxing as a means of access control between Userworlds (hostd, vpxa, etc.) and Objects (files, directories, network sockets, etc.).
Secpolicytools helps you list and tweak the security policies that are defined under each domain (daemon sandbox).
[root@esx01:~] secpolicytools -h
Usage: secpolicytools <options>
-r|--reset Reset all policy rules.
-p|--load-policy[policy dir] Load a predefined policy.
A default dir of /etc/vmware/secpolicy
will be used.
-d|--display-policy Display the current policy.
-D|--lookup-domain <label> Lookup the value of a domain label.
-O|--lookup-object <label> Lookup the value of an object label.
-l|--list-labels List all valid domains and objects
-k|--keywords List all policy keywords.
-g|--get-label <file> Get the object label for a file.
-s|--set-label <file> -L|--label <label> Set the object label for a file.
-T|--set-tag <string> -L|--label <label> Add VMCI service access to privileged VM with label.
-N|--new-dom <label> Create domain for privileged VM with label.
-C|--del-dom <label> Delete domain for privileged VM with label.
-h|--help Show this message.
There are additional options in esxcli system secpolicy.
You can list all defined domains using either esxcli system secpolicy domain list or secpolicytools -l:
[root@esx01:~] esxcli system secpolicy domain list
Domain Name Enforcement Level
---------------------- -----------------
superDom enforcing
regularVMDom enforcing
appDom enforcing
daemonFrameworkDom enforcing
globalVMDom enforcing
ioFilterDom enforcing
muxDom enforcing
ntpdDom enforcing
pluginDom enforcing
pluginFrameworkDom enforcing
ptpdDom enforcing
sfcbPluginFrameworkDom enforcing
sfcbVmwPluginDom enforcing
slpdDom enforcing
snmpdDom enforcing
tpm2emuDom enforcing
vmwpluginDom enforcing
wsmandDom enforcing
cfgagentDom enforcing
nestdbDom enforcing
hostd311 enforcing
hostd343 enforcing
hostd345 enforcing
hostd350 enforcing
hostd356 enforcing
hostd358 enforcing
hostd359 enforcing
hostd365 enforcing
hostd370 enforcing
hostd373 enforcing
hostd375 enforcing
hostd376 enforcing
hostd383 enforcing
hostd384 enforcing
hostd304 enforcing
[root@esx01:~] secpolicytools -l
------------------------------
Valid Object Labels
------------------------------
appObj 3117
authObj 3119
certObj 3120
cimObj 3113
muxObj 3112
pluginObj 3114
secpolicyObj 3111
sfcbVmwPluginObj 3116
sslKeyObj 3118
tardiskMountObj 3121
tpm2emuObj 3122
unlabeled 0
vmwpluginObj 3115
-----------------------------------
Valid domains
-----------------------------------
0 superDom
1 regularVMDom
2 appDom
3 daemonFrameworkDom
4 globalVMDom
5 ioFilterDom
6 muxDom
7 ntpdDom
8 pluginDom
9 pluginFrameworkDom
10 ptpdDom
11 sfcbPluginFrameworkDom
12 sfcbVmwPluginDom
13 slpdDom
14 snmpdDom
15 tpm2emuDom
16 vmwpluginDom
17 wsmandDom
18 cfgagentDom
19 nestdbDom
27 hostd311
44 hostd343
46 hostd345
49 hostd350
50 hostd356
52 hostd358
53 hostd359
57 hostd365
62 hostd370
65 hostd373
67 hostd375
68 hostd376
75 hostd383
76 hostd384
78 hostd304
To review the policies defined for a specific domain, use secpolicytools -D DOMAIN to look up the domain's numeric ID, then secpolicytools -dVALUE with that ID to dump the rules.
Example:
[root@esx01:~] secpolicytools -D globalVMDom
4
[root@esx01:~] secpolicytools -d4
------------------------
Policy set in the kernel
------------------------
------------------------------------------------------------------
Domain Name: globalVMDom Domain ID :4 Enforcement Level: enforcing
State: 3 RefCount: 2 WorldRefCount: 0
------------------------------------------------------------------
-c dgram_vsocket_bind grant
-c dgram_vsocket_create grant
-c dgram_vsocket_send grant
-c dgram_vsocket_trusted grant
-c inet_dgram_socket_create grant
-c inet_stream_socket_create grant
-c stream_vsocket_bind grant
-c stream_vsocket_connect grant
-c stream_vsocket_create grant
-c stream_vsocket_trusted grant
-c unix_dgram_socket_bind grant
-c unix_socket_create grant
-c unix_stream_socket_bind grant
-c vsocket_provide_service grant
-d tpm2emuObj tpm2emuDom file_exec grant
-p inet_socket_bind all grant
-p inet_socket_connect loopback grant
-p inet_socket_connect nonloopback grant
-r /usr/share/certs r
-r /tools r
-r /bin/remoteDeviceConnect rx
-r /bin/vmx rx
-r /tmp rw
-r /vmimages r
-r /bin/tpm2emu rx
-r /dev/cbt rw
-r /var/run rw
-r /dev/char rw
-r /dev/upit rw
-r /var/lock rw
-r /dev/vdfm rw
-r /dev/deltadisks rw
-r /lib rx
-r /usr/libexec rx
-r /usr/share/nvidia r
-r /lib64 rx
-r /bin/vmx-stats rx
-r /dev/vvol rw
-r /dev/PMemDisk rw
-r /usr/lib64 rx
-r /dev/vflash rw
-r /usr/lib rx
-r /etc r
-r /dev/vsan rw
-r /dev/svm rw
-r /var/run/vmware-hostd-ticket
-r /var/run/inetd.conf
-r /.vmware r
-r /dev/vsansparse rw
-r /bin/vmx-debug rx
So, why did I go digging into secpolicytools on ESXi?
We had a VMware Tools upgrade failure that reported an IO error when accessing the Tools ISO file on the ESXi host.
2021-10-05T04:43:53.966Z| vmx| | I005: ToolsISO: Failed to open Tools ISO /vmfs/volumes/5d3fb5c5-3146d212-4263-8030e03bdef0/productLocker/vmtools/windows.iso (FileIOResult=2).
2021-10-05T04:43:53.966Z| vmx| | I005: Cannot open ISO image with upgrader binaries.
2021-10-05T04:43:53.966Z| vmx| | I005: TOOLS INSTALL entering IDLE state.
VMware Tools ISO images are stored under /productLocker. In this case the productLocker volume was on an external device: /vmfs/volumes/5d3fb5c5-3146d212-4263-8030e03bdef0/productLocker/ in the example above.
The VMs were unable to access the ISO files because no policy rule was defined for the external productLocker path!
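A quick way to confirm this kind of gap is to check a path against the -r rules in a domain's policy dump. The following is an added example, not part of the original post: POLICY is a constructed excerpt of the globalVMDom dump shown above, and path_rule reports the longest-prefix -r rule that covers a path (or none).

```shell
#!/bin/sh
# Constructed sample: a subset of the `secpolicytools -d4` (globalVMDom) output above.
POLICY='-r /usr/share/certs r
-r /tools r
-r /bin/vmx rx
-r /tmp rw
-r /vmimages r
-r /var/run rw
-r /etc r
-r /var/run/vmware-hostd-ticket
-r /dev/vsan rw'

# path_rule <path> [policy-text]
# Prints "<rule-path> <perms>" for the longest -r rule whose path is a prefix
# of <path>, or "none" if no rule covers it. Rules without a permission column
# (e.g. /var/run/vmware-hostd-ticket) are reported with "-" as the permission.
path_rule() {
    p="$1"
    text="${2:-$POLICY}"
    best=""
    bestperm=""
    bestlen=0
    # Here-document keeps the loop in the current shell so the variables persist.
    while IFS=' ' read -r kind rpath perm _; do
        # Skip headers, -c/-d/-p rules and anything that is not a path rule.
        [ "$kind" = "-r" ] || continue
        case "$p" in
            "$rpath"|"$rpath"/*)
                len=${#rpath}
                if [ "$len" -gt "$bestlen" ]; then
                    best="$rpath"; bestperm="${perm:--}"; bestlen=$len
                fi ;;
        esac
    done <<EOF
$text
EOF
    if [ -z "$best" ]; then echo none; else echo "$best $bestperm"; fi
}

# The productLocker path from the failure above has no covering rule in this domain.
path_rule /vmfs/volumes/5d3fb5c5-3146d212-4263-8030e03bdef0/productLocker/vmtools/windows.iso
```

On a host, pass the live dump as the second argument, e.g. path_rule /some/path "$(secpolicytools -d"$(secpolicytools -D globalVMDom)")"; a result of none for a path the daemon must reach is the condition described above.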
To resolve the issue:
- Ensure /productLocker is symlinked to the correct path.
- Migrate or power off the VMs on the host.
- Run the command secpolicytools -p. This will rebuild all the policies based on the config files from /etc/vmware/secpolicy.
- Migrate the VMs back or power them on.