# ----------------------------------------------------------------------------
#
#    Copyright (C) 2000-2014 Synology Inc. All rights reserved.
#
# ----------------------------------------------------------------------------


# Name-service and resolver configuration, read-only. These cover account
# lookups (passwd, group), the NSS source order (nsswitch.conf) and
# host/protocol/service resolution. None of these files holds credentials.
/etc/group                r,
/etc/host.conf            r,
/etc/hosts                r,
/etc/nsswitch.conf        r,
/etc/passwd               r,
/etc/protocols            r,
/etc/services             r,
/etc/resolv.conf          r,

# Directory-service client rules pulled in from shared abstractions.
# NOTE(review): the three abstractions are defined outside this file and
# their grants add to the rules listed here, so audit them together with
# this fragment when judging the effective permission set.

# LDAP client access (nslcd)
#include <abstractions/ldapclient>

# winbind (Windows domain) client access
#include <abstractions/winbind>

# Kerberos client access
#include <abstractions/kerberosclient>

# TCP (stream) and UDP (dgram) sockets over IPv4 and IPv6.
# These rules restrict only address family and socket type; they place no
# limit on remote address or port, so any further egress filtering has to
# come from the firewall rather than from this policy.
network inet    stream,
network inet6   stream,
network inet    dgram,
network inet6   dgram,

# ----------------------------------------------------------------------------
# Synology related files
# ----------------------------------------------------------------------------

# CAP_SETUID: lets the confined process change its user IDs.
# NOTE(review): no profile header is visible in this file, so this is
# presumably an include shared by several profiles; every profile that
# includes it inherits this capability - confirm each one needs it.
capability        setuid,

# Inputs for rebuilding the user/group database.
# Everything is read-only except synoappprivilege.db, which is opened
# read/write with file locking (k).
# /etc/shadow holds local password hashes; the read grant is credential
# exposure for any process confined by these rules.
# NOTE(review): smbpass presumably holds Samba password hashes as well -
# confirm, and confirm both reads are needed by every including profile.
# The rule ending in "/" matches the private directory itself (listing),
# not the files inside it; those are granted individually below.
/etc/group_desc                                       r,
/etc/shadow                                           r,
/etc/synoappprivilege.db                              rwk,
/etc/synouser.conf                                    r,
/etc/synoinfo.conf                                    r,
/usr/syno/etc/private/                                r,
/usr/syno/etc/private/{kdc,pdc}_ip                    r,
/usr/syno/etc/private/smbpass                         r,
/usr/syno/etc/private/trust_domain_info               r,
/usr/syno/etc/smbinfo.conf                            r,

# Domain user/group cache files, read/write.
# "domain_{group,user}.*" matches domain_group.<suffix> and
# domain_user.<suffix>; "*" does not cross "/", so the match stays inside
# this directory.
# secrets.tdb is Samba's secrets store (machine account and domain secrets).
# The rwk grant allows modifying it as well as reading it, so treat this
# line as the most sensitive grant in this group.
/usr/syno/etc/private/domain_{group,user}.*           rw,
/usr/syno/etc/private/domain_list                     rw,
/usr/syno/etc/private/secrets.tdb                     rwk,

# LDAP user/group cache files, read/write.
# The trailing alternation matches either the cache file itself or a
# per-process temporary copy named <file>.tmp.<pid>.
# @{pid} is a variable that is not defined in this file; it has to come
# from a tunables include in the profile that includes this fragment.
/usr/syno/etc/private/ldap_{group,user}{,.tmp.@{pid}} rw,

# Hidden user/group database files for domain accounts: read, write, lock.
# The second rule covers a per-process copy (.<pid>) with an optional
# "-journal" suffix.
# NOTE(review): the "-journal" name looks like an SQLite rollback journal -
# confirm the database format.
/usr/syno/etc/private/.db.domain_{group,user}                       rwk,
/usr/syno/etc/private/.db.domain_{group,user}.@{pid}{,-journal}     rwk,

# Samba case-mapping tables read at run time.
# "m" additionally permits mapping the file with PROT_EXEC.
# NOTE(review): these are data tables, so plain "r" may be sufficient -
# verify against the Samba build in use before tightening.
/usr/share/samba/codepages/upcase.dat                 rm,
/usr/share/samba/codepages/lowcase.dat                rm,

# Files read for the administrator check: the Samba configuration and any
# file whose name starts with "extra-admin-" in /usr/syno/etc (the glob
# does not descend into subdirectories).
/usr/syno/etc/smb.conf         r,
/usr/syno/etc/extra-admin-*    r,

# SDK plugins run on database refresh.
# "{,*}" matches the plugin directory itself and every file directly inside
# it, under both /usr/libexec and /usr/local/libexec.
# "ix" executes a plugin under the same confinement as its caller, so the
# plugin inherits every grant of the including profile (per this file:
# setuid, /etc/shadow and secrets.tdb).
# NOTE(review): both directories must be writable only by root; anyone who
# can drop a file there gains those permissions. Verify ownership and mode,
# particularly for the /usr/local path.
/usr{,/local}/libexec/dirsvs_db_refresh/{,*}        rix,

# vim:ft=apparmor
