# ----------------------------------------------------------------------------
#
#    Copyright (C) 2000-2015 Synology Inc. All rights reserved.
#
# ----------------------------------------------------------------------------


#include <tunables/global>

# Profile for the OpenVPN daemon shipped in the VPNCenter package.
# Permission letters used below: r = read, w = write, k = file lock,
# m = executable mmap, ix = execute the target under this same profile.
/volume*/@appstore/VPNCenter/sbin/openvpn {
	#include <abstractions/base>
	#include <abstractions/base-cgi>

	# Only two capabilities are granted; any other capability the daemon
	# needs would have to come from the included abstractions.
	capability chown,
	capability net_bind_service,
	# NOTE(review): this allows executing a file under /tmp inside this profile.
	# /tmp is normally world-writable, so confirm the file is created and owned
	# by a trusted component and cannot be replaced by an unprivileged user.
	# The same helper name is also allowed from the package bin/ directory below.
	/tmp/synovpnnet										ix,
	/dev/net/tun										rw,
	/usr/sbin/ifconfig									ix,
	/usr/sbin/route										ix,
	/usr/syno/etc/packages/VPNCenter/openvpn/**						rwk,
	/usr/syno/etc/packages/VPNCenter/*.db*							rwk,
	/volume*/@appstore/VPNCenter/bin/synovpnnet						ix,
	# Key material is read-only for the daemon.
	/volume*/@appstore/VPNCenter/etc/openvpn/keys/**					r,
	/volume*/@appstore/VPNCenter/etc/openvpn/radiusplugin.cnf				r,
	/volume*/@appstore/VPNCenter/etc/synovpncon.sql						r,
	/volume*/@appstore/VPNCenter/etc/synovpnlog.sql						r,
	/volume*/@appstore/VPNCenter/lib/**							mr,
	# The daemon may re-execute itself; the child stays under this profile.
	/volume*/@appstore/VPNCenter/sbin/openvpn						ix,
	/volume*/@appstore/VPNCenter/scripts/openvpn.sh						rix,
	/volume*/@appstore/VPNCenter/var/log/							r,
	/volume*/@appstore/VPNCenter/var/log/*.db*						rwk,
}

# Profile for vpnauthd, the VPNCenter authentication daemon (role inferred
# from the binary name and the authentication/autoblock abstractions it pulls in).
/volume*/@appstore/VPNCenter/sbin/vpnauthd {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/authentication>
	#include <abstractions/autoblock>

	capability chown,
	/etc/											r,
	/etc/shells										r,
	/etc/synoautoblock.db*									rwk,
	# NOTE(review): read/write/lock on the whole Samba configuration tree.
	# Confirm the daemon really needs write access here rather than read-only.
	/etc/samba/{,**}									rwk,
	/usr/syno/etc/packages/VPNCenter/*.db*							rwk,
	# Helper binaries run with ix, i.e. confined by this same profile.
	/volume*/@appstore/VPNCenter/bin/synovpnnet						ix,
	/volume*/@appstore/VPNCenter/bin/synovpnlog						ix,
	/volume*/@appstore/VPNCenter/bin/accel-cmd						ix,
	# RADIUS configuration is read-only; only logs and the pid file are writable.
	/volume*/@appstore/VPNCenter/etc/raddb/**						r,
	/volume*/@appstore/VPNCenter/etc/synovpncon.sql						r,
	/volume*/@appstore/VPNCenter/etc/synovpnlog.sql						r,
	/volume*/@appstore/VPNCenter/lib/**							mr,
	/volume*/@appstore/VPNCenter/share/freeradius/dictionary*				r,
	/volume*/@appstore/VPNCenter/var/log/							r,
	/volume*/@appstore/VPNCenter/var/log/*.db*						rwk,
	/volume*/@appstore/VPNCenter/var/log/radius/{,**}					rwk,
	/volume*/@appstore/VPNCenter/var/run/radiusd/radiusd.pid				rwk,
}

# Hat-style (^) child profile of /usr/syno/sbin/synoscgi for the
# SYNO.VPNServer.Settings.Config web API. How synoscgi selects this hat is not
# shown in this file. This is the broadest profile in the file: it can
# reconfigure networking, start the VPN daemons and read every volume.
^/usr/syno/sbin/synoscgi//SYNO.VPNServer.Settings.Config {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/SDKPlugin>
	#include <abstractions/libsynow3>
	#include <abstractions/synow3>

	# NOTE(review): net_admin, mknod, setgid and sys_resource are powerful
	# capabilities for a web-API handler; confirm each is still required.
	capability net_admin,
	capability block_suspend,
	capability chown,
	capability mknod,
	capability net_bind_service,
	capability setgid,
	capability sys_resource,

	# A bare `network,` rule permits every address family and socket type, so
	# the five specific rules after it add nothing while it is present.
	# NOTE(review): if only the listed families are needed, dropping the bare
	# rule would narrow the profile; verify against runtime behaviour first.
	network,
	network inet  dgram,
	network inet6 dgram,
	network inet  stream,
	network inet6 stream,
	network pppox stream,

	/											r,
	# NOTE(review): read/write on every node under /dev, combined with
	# capability mknod above. The openvpn profile in this file needs only
	# /dev/net/tun; confirm which devices this handler actually opens.
	/dev/{,**}										rw,
	/etc/											r,
	/etc/ddns.conf										r,
	/etc/dhclient/{,**}									r,
	/etc/dhcpc/{,**}									r,
	/etc/ipsec.d/{,**}									r,
	/etc/localtime										r,
	/etc/parental/timectrl.conf								r,
	/etc/portforward/routerpf/dnat_rules*							rwk,
	/etc/portforward/routerpf/rule.conf							r,
	/etc/ppp/{,**}										rix,
	/etc/radiusclient									rwk,
	/etc/resolv.conf									r,
	# Password hashes are readable from this hat.
	/etc/shadow										r,
	/etc/shells										r,
	/etc/synoautoblock.db*									rwk,
	/etc/sysconfig/miniupnpd/								r,
	# NOTE(review): the two tc script paths below are both writable and
	# executable by this hat, so whatever is written there runs inside this
	# profile. Confirm the content is generated only from validated settings.
	/etc/tc_cmd.sh*										rwkix,
	/etc/tc_rules.dump*									rwk,
	/etc/tc_6_rules.dump*									rwk,
	/etc/tc/{,**}										r,
	/etc/tc/default.cmd									wix,
	/etc/samba/{,**}									rwk,
	# Kernel IPv4/IPv6 sysctls are writable from this hat.
	/proc/sys/net/ipv4/{,**}								rwk,
	/proc/sys/net/ipv6/{,**}								rwk,
	/run/pppd2.tdb										wk,
	/run/pluto/pluto.ctl									rwk,
	/run/pluto/pluto.pid									rwk,
	/sbin/ip										ix,
	/sbin/runlevel										ix,
	/tmp/ovpn_status_2_result								rw,
	# NOTE(review): two executables are allowed from /tmp, which is normally
	# world-writable. Confirm they are created by a trusted component and
	# cannot be replaced by an unprivileged user.
	/tmp/synotimecontrol									ix,
	/tmp/synovpnnet										rix,
	# A shell is allowed; with ix it stays confined by this hat's rules.
	/usr/bin/bash										ix,
	/usr/local/etc/services.d/synovpn_port*							rwk,
	# Network and VPN tooling, all executed under this same hat (ix).
	/usr/sbin/ifconfig									ix,
	/usr/sbin/ipsec										rix,
	/usr/sbin/ip										rix,
	/usr/sbin/pppd										rix,
	/usr/sbin/pppoe-status									rix,
	/usr/sbin/route										rix,
	/usr/sbin/runlevel									rix,
	/usr/sbin/tc										rix,
	/usr/sbin/xl2tpd									rix,
	/usr/share/samba/codepages/lowcase.dat							r,
	/usr/share/samba/codepages/upcase.dat							r,
	/usr/syno/ipsec/{,**}									rix,
	/usr/syno/sbin/synotimecontrol								rix,
	/usr/syno/etc/synosmtp.conf								r,
	/usr/syno/etc.defaults/iptables_modules_list						r,
	/usr/syno/etc.defaults/iptables_chain_list						r,
	/usr/syno/etc.defaults/iptables_guest_net.sh						ix,
	/usr/syno/etc.defaults/rc.d/*								r,
	/usr/syno/etc/iptables_chain_list							r,
	/usr/syno/etc/iptables_guest_net.sh							ix,
	/usr/syno/etc/iptables_modules_list							r,
	/usr/syno/etc/firewall.d/firewall_settings.json						r,
	# Package configuration, including IPsec secrets, is read/write here.
	/usr/syno/etc/packages/VPNCenter/*.db*							rwk,
	/usr/syno/etc/packages/VPNCenter/l2tp/ipsec.conf*					rwk,
	/usr/syno/etc/packages/VPNCenter/l2tp/ipsec.secrets*					rwk,
	/usr/syno/etc/packages/VPNCenter/l2tp/options.xl2tpd*					rwk,
	/usr/syno/etc/packages/VPNCenter/l2tp/xl2tpd.conf*					rwk,
	/usr/syno/etc/packages/VPNCenter/openvpn/{,**}						rwk,
	/usr/syno/etc/packages/VPNCenter/pptp/accel-pppd.conf*					rwk,
	/usr/syno/etc/packages/VPNCenter/privilege*						rwk,
	# Write-only: files in syno_conf can be written but not read back.
	/usr/syno/etc/packages/VPNCenter/syno_conf/*						w,
	/usr/syno/etc/packages/VPNCenter/synovpn.conf*						rwk,
	/usr/syno/etc/packages/VPNCenter/synovpn_port*						rwk,
	/usr/syno/etc/preference/{,**}								r,
	/usr/syno/etc/synoshare.db								rwk,
	/usr/syno/etc/synovpnclient/pptp/wvdial							r,
	/usr/syno/etc/wifi/wifi_*								r,
	/usr/syno/etc/www/DSM.json*								rwk,
	/var/cache/samba/{,**}									rwk,
	/var/lib/accel-ppp/{,**}								rwk,
	/var/packages/VPNCenter/INFO								r,
	# NOTE(review): read access to everything on every volume, which includes
	# user data and other packages' files. It also makes the narrower read-only
	# /volume*/ rules below redundant. Confirm this breadth is intended.
	/volume*/{,**}										r,
	# These three rules reach into a different package (CMS), including
	# read/write on its db directory.
	/volume*/@appstore/CMS/db/**								rwk,
	/volume*/@appstore/CMS/lib/**								mr,
	/volume*/@appstore/CMS/tools/synocmsserver						ix,
	/volume*/@appstore/VPNCenter/bin/accel-cmd						ix,
	/volume*/@appstore/VPNCenter/bin/synovpnlog						ix,
	/volume*/@appstore/VPNCenter/bin/synovpnnet						ix,
	/volume*/@appstore/VPNCenter/etc/synovpncon.sql						r,
	/volume*/@appstore/VPNCenter/etc/synovpnlog.sql						r,
	# Unlike the openvpn daemon profile (read-only), this hat may write keys.
	/volume*/@appstore/VPNCenter/etc/openvpn/keys/{,**}					rwk,
	/volume*/@appstore/VPNCenter/etc/openvpn/radiusplugin.cnf				r,
	/volume*/@appstore/VPNCenter/etc/raddb/{,**}						r,
	/volume*/@appstore/VPNCenter/etc/radiusclient/{,**}					r,
	/volume*/@appstore/VPNCenter/lib/{,**}							mr,
	# With ix the daemons start under this hat, not under the dedicated openvpn
	# and vpnauthd profiles defined in this file. NOTE(review): confirm intent.
	/volume*/@appstore/VPNCenter/sbin/accel-pppd						ix,
	/volume*/@appstore/VPNCenter/sbin/openvpn						ix,
	/volume*/@appstore/VPNCenter/sbin/vpnauthd						ix,
	/volume*/@appstore/VPNCenter/scripts/accel-pppd.sh					rix,
	/volume*/@appstore/VPNCenter/scripts/l2tpd.sh						rix,
	/volume*/@appstore/VPNCenter/scripts/openvpn.sh						rix,
	/volume*/@appstore/VPNCenter/scripts/radiusd.sh 					rix,
	/volume*/@appstore/VPNCenter/var/log/*.db*						rwk,
	/volume*/@appstore/VPNCenter/var/log/radius/{,**}					rwk,
	/volume*/@appstore/VPNCenter/var/run/radiusd/{,**}					rwk,
	/volume*/@appstore/VPNCenter/webapi/settings/SYNO.VPNServer.Settings.so                 mr,
}

# Hat-style (^) child profile of synoscgi for the
# SYNO.VPNServer.Settings.Certificate web API. File access is limited to named
# files in the OpenVPN keys directory plus the two shared objects it maps.
^/usr/syno/sbin/synoscgi//SYNO.VPNServer.Settings.Certificate {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/SDKPlugin>

	# CA certificate and bundle are read-only; no private-key path is listed.
	/volume*/@appstore/VPNCenter/etc/openvpn/keys/ca.crt					r,
	/volume*/@appstore/VPNCenter/etc/openvpn/keys/ca_bundle.crt				r,
	# Presumably the exported client configuration bundle; only these three
	# name patterns are writable. TODO confirm against the export code.
	/volume*/@appstore/VPNCenter/etc/openvpn/keys/openvpn.zip*				rwk,
	/volume*/@appstore/VPNCenter/etc/openvpn/keys/VPNConfig.ovpn*			rwk,
	/volume*/@appstore/VPNCenter/etc/openvpn/keys/openvpn.ovpn*				rwk,
	/volume*/@appstore/VPNCenter/etc/openvpn/keys/README.txt				r,
	/volume*/@appstore/VPNCenter/lib/libsynovpn.so						mr,
	/volume*/@appstore/VPNCenter/webapi/settings/SYNO.VPNServer.Settings.so			mr,
}

# Hat-style (^) child profile of synoscgi for the
# SYNO.VPNServer.Management.Account web API.
^/usr/syno/sbin/synoscgi//SYNO.VPNServer.Management.Account {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/SDKPlugin>

	# NOTE(review): password hashes are readable from this hat. Confirm the
	# account listing needs /etc/shadow rather than only the passwd database.
	/etc/shadow										r,
	# The VPN privilege file(s) are the only writable path in this hat.
	/usr/syno/etc/packages/VPNCenter/privilege*						rwk,
	/volume*/@appstore/VPNCenter/lib/libsynovpn.so						mr,
	/volume*/@appstore/VPNCenter/webapi/management/SYNO.VPNServer.Management.so		mr,
}
# Hat-style (^) child profile of synoscgi for the
# SYNO.VPNServer.Management.Connection web API.
^/usr/syno/sbin/synoscgi//SYNO.VPNServer.Management.Connection {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/SDKPlugin>

	/etc/nsswitch.conf									r,
	/usr/syno/etc.defaults/iptables_modules_list						r,
	# The control tool and service scripts run with ix, confined by this hat.
	/volume*/@appstore/VPNCenter/bin/accel-cmd						ix,
	/volume*/@appstore/VPNCenter/lib/libsynovpn.so						mr,
	/volume*/@appstore/VPNCenter/scripts/accel-pppd.sh					rix,
	/volume*/@appstore/VPNCenter/scripts/openvpn.sh						rix,
	/volume*/@appstore/VPNCenter/scripts/l2tpd.sh						rix,
	/volume*/@appstore/VPNCenter/var/log/							r,
	# NOTE(review): `**` also matches `/`, so this pattern covers paths below
	# any directory whose name starts with synovpncon.db. Other profiles in this
	# file use `*.db*`; a single `*` was probably intended. Confirm.
	/volume*/@appstore/VPNCenter/var/log/synovpncon.db**					rwk,
	/volume*/@appstore/VPNCenter/webapi/management/SYNO.VPNServer.Management.so		mr,
}
# Hat-style (^) child profile of synoscgi for the
# SYNO.VPNServer.Management.Interface web API. Its file rules largely mirror
# the SYNO.VPNServer.Settings.Config hat in this file, but it grants fewer
# capabilities (no net_admin, chown or setgid) and only `inet stream` sockets.
^/usr/syno/sbin/synoscgi//SYNO.VPNServer.Management.Interface {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/SDKPlugin>
	#include <abstractions/authentication>
	#include <abstractions/autoblock>

	# NOTE(review): mknod and sys_resource are powerful capabilities for a
	# web-API handler; confirm each is still required.
	capability block_suspend,
	capability sys_resource,
	capability net_bind_service,
	capability mknod,
	network    inet  stream,


	/											r,
	# NOTE(review): read/write on every node under /dev, combined with
	# capability mknod above. Confirm which devices are actually opened.
	/dev/{,**}										rw,
	/etc/											r,
	/etc/dhclient/{,**}									r,
	/etc/dhcpc/{,**}									r,
	/etc/ipsec.d/{,**}									r,
	/etc/localtime										r,
	/etc/parental/timectrl.conf								r,
	/etc/portforward/routerpf/dnat_rules*							rwk,
	/etc/portforward/routerpf/rule.conf							r,
	/etc/ppp/{,**}										rix,
	/etc/radiusclient									rwk,
	/etc/shells										r,
	/etc/sysconfig/miniupnpd/								r,
	# NOTE(review): the two tc script paths below are both writable and
	# executable by this hat, so whatever is written there runs inside this
	# profile. Confirm the content is generated only from validated settings.
	/etc/tc_cmd.sh*										rwkix,
	/etc/tc_rules.dump*									rwk,
	/etc/tc_6_rules.dump*									rwk,
	/etc/tc/{,**}										r,
	/etc/tc/default.cmd									wix,
	/etc/samba/{,**}									rwk,
	# Kernel IPv4/IPv6 sysctls are writable from this hat.
	/proc/sys/net/ipv4/{,**}								rwk,
	/proc/sys/net/ipv6/{,**}								rwk,
	/run/lock/subsys/									r,
	/run/pluto/pluto.ctl									rwk,
	/run/pluto/pluto.pid									rwk,
	/run/pluto/ipsec.info									rwk,
	/tmp/ovpn_status_2_result								rw,
	# NOTE(review): two executables are allowed from /tmp, which is normally
	# world-writable. Confirm they are created by a trusted component and
	# cannot be replaced by an unprivileged user.
	/tmp/synotimecontrol									ix,
	/tmp/synovpnnet										rix,
	# A shell is allowed; with ix it stays confined by this hat's rules.
	/usr/bin/bash										ix,
	/usr/bin/pidof										rix,
	# Network and VPN tooling, all executed under this same hat (ix).
	/usr/sbin/ifconfig									ix,
	/usr/sbin/ipsec										rix,
	/usr/sbin/ip										rix,
	/usr/sbin/pppd										rix,
	/usr/sbin/route										rix,
	/usr/sbin/runlevel									rix,
	/usr/sbin/tc										rix,
	/usr/sbin/xl2tpd									rix,
	/usr/share/samba/codepages/lowcase.dat							r,
	/usr/share/samba/codepages/upcase.dat							r,
	/usr/syno/ipsec/{,**}									rix,
	/usr/syno/sbin/synotimecontrol								rix,
	/usr/syno/etc.defaults/iptables_modules_list						r,
	/usr/syno/etc.defaults/iptables_chain_list						r,
	/usr/syno/etc.defaults/iptables_guest_net.sh						ix,
	/usr/syno/etc.defaults/rc.d/*								r,
	/usr/syno/etc/iptables_chain_list							r,
	/usr/syno/etc/iptables_guest_net.sh							ix,
	/usr/syno/etc/iptables_modules_list							r,
	/usr/syno/etc/firewall.d/firewall_settings.json						r,
	# Package configuration, including IPsec secrets, is read/write here.
	/usr/syno/etc/packages/VPNCenter/*.db*							rwk,
	/usr/syno/etc/packages/VPNCenter/l2tp/ipsec.conf*					rwk,
	/usr/syno/etc/packages/VPNCenter/l2tp/ipsec.secrets*					rwk,
	/usr/syno/etc/packages/VPNCenter/l2tp/options.xl2tpd*					rwk,
	/usr/syno/etc/packages/VPNCenter/l2tp/xl2tpd.conf*					rwk,
	/usr/syno/etc/packages/VPNCenter/openvpn/{,**}						rwk,
	/usr/syno/etc/packages/VPNCenter/pptp/accel-pppd.conf*					rwk,
	/usr/syno/etc/packages/VPNCenter/privilege*						rwk,
	# Write-only: files in syno_conf can be written but not read back.
	/usr/syno/etc/packages/VPNCenter/syno_conf/*						w,
	/usr/syno/etc/packages/VPNCenter/synovpn.conf*						rwk,
	/usr/syno/etc/packages/VPNCenter/synovpn_port*						rwk,
	/usr/syno/etc/preference/{,**}								r,
	/usr/syno/etc/synoshare.db								rwk,
	/usr/syno/etc/synovpnclient/pptp/wvdial							r,
	/usr/syno/etc/wifi/wifi_*								r,
	/var/cache/samba/{,**}									rwk,
	/var/lib/accel-ppp/{,**}								rwk,
	/var/packages/VPNCenter/INFO								r,
	# NOTE(review): read access to everything on every volume, which includes
	# user data and other packages' files. It also makes the narrower read-only
	# /volume*/ rules below redundant. Confirm this breadth is intended.
	/volume*/{,**}										r,
	/volume*/@appstore/VPNCenter/bin/accel-cmd						ix,
	/volume*/@appstore/VPNCenter/bin/synovpnlog						ix,
	/volume*/@appstore/VPNCenter/bin/synovpnnet						ix,
	/volume*/@appstore/VPNCenter/etc/synovpncon.sql						r,
	/volume*/@appstore/VPNCenter/etc/synovpnlog.sql						r,
	# Unlike the openvpn daemon profile (read-only), this hat may write keys.
	/volume*/@appstore/VPNCenter/etc/openvpn/keys/{,**}					rwk,
	/volume*/@appstore/VPNCenter/etc/openvpn/radiusplugin.cnf				r,
	/volume*/@appstore/VPNCenter/etc/raddb/{,**}						r,
	/volume*/@appstore/VPNCenter/etc/radiusclient/{,**}					r,
	/volume*/@appstore/VPNCenter/lib/{,**}							mr,
	# With ix the daemons start under this hat, not under the dedicated openvpn
	# and vpnauthd profiles defined in this file. NOTE(review): confirm intent.
	/volume*/@appstore/VPNCenter/sbin/accel-pppd						ix,
	/volume*/@appstore/VPNCenter/sbin/openvpn						ix,
	/volume*/@appstore/VPNCenter/sbin/vpnauthd						ix,
	/volume*/@appstore/VPNCenter/scripts/accel-pppd.sh					rix,
	/volume*/@appstore/VPNCenter/scripts/l2tpd.sh						rix,
	/volume*/@appstore/VPNCenter/scripts/openvpn.sh						rix,
	/volume*/@appstore/VPNCenter/scripts/radiusd.sh 					rix,
	/volume*/@appstore/VPNCenter/var/log/*.db*						rwk,
	/volume*/@appstore/VPNCenter/var/log/radius/{,**}					rwk,
	/volume*/@appstore/VPNCenter/var/run/radiusd/{,**}					rwk,
	/volume*/@appstore/VPNCenter/webapi/management/SYNO.VPNServer.Management.so		mr,
}
# Hat-style (^) child profile of synoscgi for the
# SYNO.VPNServer.Management.Log web API. Only the two log databases are
# writable; everything else is read-only or mapped.
^/usr/syno/sbin/synoscgi//SYNO.VPNServer.Management.Log {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/SDKPlugin>

	# NOTE(review): in both `.db**` rules below, `**` also matches `/`, so the
	# pattern covers paths below any directory whose name starts with that
	# prefix. Other profiles in this file use `*.db*`; a single `*` was
	# probably intended. Confirm.
	/usr/syno/etc/packages/VPNCenter/synovpnlog.db**					rwk,
	/volume*/@appstore/VPNCenter/app/texts/**						r,
	/volume*/@appstore/VPNCenter/etc/synovpnlog.sql						r,
	/volume*/@appstore/VPNCenter/lib/libsynovpn.so						mr,
	/volume*/@appstore/VPNCenter/var/log/							r,
	/volume*/@appstore/VPNCenter/var/log/synovpncon.db**					rwk,
	/volume*/@appstore/VPNCenter/webapi/management/SYNO.VPNServer.Management.so		mr,
}
