# ----------------------------------------------------------------------------
#
#    Copyright (c) 2020 Synology Inc. All rights reserved.
#
# ----------------------------------------------------------------------------

#include <tunables/global>
#include <abstractions.pkg/sharesync>

# synoscgi hat (leading `^`) named SYNO.SynologyDrive.Server.
# It has no rules of its own: the effective permissions are whatever the three
# included abstractions grant, and their contents are not visible in this file.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>
}

# synoscgi hat named SYNO.SynologyDrive.Server.delete_database.
# On top of the shared abstractions it pulls in the storage abstraction and
# grants read/write/lock on the package's whole configuration tree.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.delete_database {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>
	#include<abstractions/storage>

	# {,**} matches the directory itself and everything beneath it.
	/usr/syno/etc/packages/SynologyDrive/{,**}				rwk,
}

# synoscgi hat named SYNO.SynologyDrive.Server.resume_freeze.
# Allows the handler to launch the package's daemons and PostgreSQL tools,
# write the package configuration tree, and use CAP_CHOWN.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.resume_freeze {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>
	#include<abstractions/storage>

	# Exec transitions. `ux` runs the target with no AppArmor profile and,
	# unlike `Ux`, without environment scrubbing. Only cloud-control and syncd
	# use `px`, i.e. switch to the profile attached to the target's path.
	# NOTE(review): every `ux` target here starts unconfined from a web-facing
	# handler; consider `Px`/`Cx` with dedicated profiles, or at least `Ux`.
	/volume*/@appstore/SynologyDrive/bin/updater-svr			ux,
	/volume*/@appstore/SynologyDrive/sbin/cloud-authd		ux,
	/volume*/@appstore/SynologyDrive/sbin/cloud-cleand		ux,
	/volume*/@appstore/SynologyDrive/sbin/cloud-notifyd		ux,
	/volume*/@appstore/SynologyDrive/sbin/cloud-vmtouchd	ux,
	/volume*/@appstore/SynologyDrive/bin/cloud-control		px,
	/volume*/@appstore/SynologyDrive/sbin/syncd				px,
	/volume*/@appstore/SynologyDrive/sbin/syno-cloud-clientd	ux,
	/volume*/@appstore/SynologyDrive/postgres/bin/initdb		ux,
	/volume*/@appstore/SynologyDrive/postgres/bin/pg_ctl		ux,
	# Read/write/lock on the package configuration directory and its contents.
	/usr/syno/etc/packages/SynologyDrive/{,**}				rwk,

	capability chown,
}

# synoscgi hat named SYNO.SynologyDrive.Server.get_client_link.
# Adds the curl abstraction and CAP_BLOCK_SUSPEND to the shared abstractions;
# no file rules are declared directly in this hat.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.get_client_link {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>
	#include<abstractions/curl>

	# for curl: bug 3467
	capability block_suspend,
}

# synoscgi hat named SYNO.SynologyDrive.Server.Node.
# Declares no file rules of its own; it adds CAP_CHOWN and CAP_FOWNER, so the
# paths those capabilities can act on are set by the included abstractions.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.Node {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>

	capability chown,
	capability fowner,
}

# synoscgi hat named SYNO.SynologyDrive.Server.Node.Restore.
# Grants read/write on everything under any /volume* mount, an unconfined exec
# of the RestoreNode helper, and chown/fowner/sys_resource.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.Node.Restore {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>

	# NOTE(review): this rule spans every share on every volume, so separation
	# between users rests on DAC and the handler's own checks, not on AppArmor.
	# dac_override is not granted in this hat; confirm the abstractions do not
	# add it.
	/volume*/**											rw,
	# `ux`: the helper runs with no profile and keeps the caller's environment.
	/volume*/@appstore/SynologyDrive/cloud/RestoreNode		ux,

	capability chown,
	capability fowner,
	# for share quota: bug 2657
	capability sys_resource,
}

# synoscgi hat named SYNO.SynologyDrive.Server.Node.Download.
# Grants read/write on everything under any /volume* mount plus
# chown/fowner/sys_resource.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.Node.Download {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>

	# NOTE(review): going by the hat's name this is a download path, which
	# would presumably need only `r`; confirm that `w`, chown and fowner are
	# required before keeping them.
	/volume*/**											rw,

	capability chown,
	capability fowner,
	# for share quota: bug 2657
	capability sys_resource,
}

# synoscgi hat named SYNO.SynologyDrive.Server.Node.Delete.
# No rules of its own; permissions come only from the included abstractions.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.Node.Delete {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>
}

# synoscgi hat named SYNO.SynologyDrive.Server.Profile.
# No rules of its own; permissions come only from the included abstractions.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.Profile {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>
}

# synoscgi hat named SYNO.SynologyDrive.Server.Share.
# No rules of its own; permissions come only from the included abstractions.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.Share {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>
}

# synoscgi hat named SYNO.SynologyDrive.Server.Log.
# No rules of its own; permissions come only from the included abstractions.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.Log {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>
}

# synoscgi hat named SYNO.SynologyDrive.Server.Config.
# Same as the minimal hats plus the storage abstraction; no local rules.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.Config {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>
	#include<abstractions/storage>
}

# synoscgi hat named SYNO.SynologyDrive.Server.Config.set.
# Adds the storage and synodrive abstractions, an unconfined exec of the
# CSTNVolChange helper, and read/write/lock on db-path.conf only.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.Config.set {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>
	#include<abstractions/storage>
	#include <abstractions.pkg/SynologyDrive/synodrive>

	# `ux`: the helper runs with no profile and keeps the caller's environment.
	/volume*/@appstore/SynologyDrive/cloud/CSTNVolChange	ux,
	# Write access is scoped to this single file rather than the whole
	# package configuration tree.
	/usr/syno/etc/packages/SynologyDrive/db-path.conf		rwk,
}

# synoscgi hat named SYNO.SynologyDrive.Server.Connection.
# No rules of its own; permissions come only from the included abstractions.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.Connection {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>
}

# synoscgi hat named SYNO.SynologyDrive.Server.Privilege.
# No rules of its own; permissions come only from the included abstractions.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.Privilege {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>
}

# synoscgi hat named SYNO.SynologyDrive.Server.DBUsage.
# Same as the minimal hats plus the package's synodrive abstraction; no local
# file rules or capabilities.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Server.DBUsage {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include<abstractions.pkg/SynologyDrive/webapi>
	#include <abstractions.pkg/SynologyDrive/synodrive>

}

# Profile for the syncd binary, attached by path under any /volume* appstore.
# NOTE(review): taken together the rules below confine very little. They give
# read/write/lock/link on every volume, write on all of /usr/syno/etc,
# unconfined exec of helpers that live inside a tree this profile can write,
# and a capability set that includes sys_admin, sys_module and sys_rawio.
/volume*/@appstore/SynologyDrive/sbin/syncd {
	#include<abstractions/base>
	#include<abstractions/nameservice>
	#include<abstractions/share>
	#include<abstractions/openssl>
	#include<abstractions/log>
	#include<abstractions/storage>
	#include<abstractions/btrfs>
	#include<abstractions/SDKPlugin>
	#include<abstractions/webapi-DSM5>
	#include<abstractions.pkg/libsynopersonalnotify>
	#include<abstractions.pkg/SynologyDrive/sus>
	#include<abstractions.pkg/libsynoscim>

	# System paths. /usr/syno/etc is writable in full, not only the package
	# subtree. Anything under /usr/syno/sbin may be executed with `px`, which
	# transitions to the target's own profile and does not scrub the
	# environment (that would be `Px`).
	@{PROC}/{,**}								r,
	/usr/syno/etc/{,**}							rwk,
	/usr/syno/etc.defaults/{,**}				r,
	/etc/{,**}									r,
	/etc.defaults/{,**}							r,
	/usr/local/etc/{,**}						r,
	/usr/share/{,**}							r,
	/usr/syno/sbin/{,**}						rpx,
	/var/spool/{,**}							rwk,
	/dev/synobios								rw,

	# Package and user data. The /volume*/** rule at the end of this group also
	# matches the @appstore, @synologydrive and usbshare paths listed before
	# it; the only permission those narrower rules add is `m` on the appstore
	# tree (and on /var/packages/SynologyDrive).
	/usr/syno/etc/packages/SynologyDrive/{,**}					rwkl,
	/var/packages/SynologyDrive/{,**}							mrwkl,
	/volume*/@appstore/SynologyDrive/{,**}						mrwkl,
	/volume*/@synologydrive/{,**}								rwkl,
	/volume*/usbshare*/@sharebin/@synologydrive/{,**}			rwkl,
	/volume*/**													rwkl,
	/usr/syno/synoman/webman/3rdparty/SynologyDrive-Drive		rw,
	/usr/syno/synoman/webman/3rdparty/SynologyDrive-ShareSync	rw,

	# Helper executables. `ux` targets run with no profile and keep the
	# caller's environment.
	# NOTE(review): these targets sit under /volume*/@appstore/SynologyDrive/,
	# which this profile may also write (mrwkl above), so the write rule bounds
	# how much this confinement is worth. Prefer `Px`/`Cx` with dedicated
	# profiles and a read-only binary directory.
	/volume*/@appstore/SynologyDrive/bin/cloud-control	px,
	/volume*/@appstore/SynologyDrive/bin/share-link-control	ux,
	/volume*/@appstore/SynologyDrive/bin/webapi-runner ux,
	/volume*/@appstore/SynologyDrive/bin/webhook-runner ux,
	/volume*/@appstore/SynologyDrive/bin/cloud-migration ux,
	/volume*/@appstore/SynologyDrive/sharesync/bin/srvctl ux,

	# CodecPack's convert: `pux` uses the target's profile when one is loaded
	# and falls back to unconfined execution otherwise.
	/var/packages/CodecPack/enabled r,
	/volume*/@appstore/CodecPack/usr/bin/convert rpux,

	# TCP sockets over IPv4 and IPv6.
	network inet  stream,
	network inet6 stream,

	# NOTE(review): sys_admin, sys_module, sys_rawio, net_admin and net_raw are
	# each broad; confirm every one is still needed by the daemon.
	# sys_resource is listed twice in this block; the duplicate is harmless
	# but can be dropped.
	capability dac_override,
	capability dac_read_search,
	capability sys_resource,
	capability chown,
	capability fowner,
	capability setuid,
	capability setgid,
	capability fsetid,
	capability net_raw,
	capability net_admin,
	capability sys_admin,
	capability sys_rawio,
	capability sys_nice,
	capability sys_module,
	capability block_suspend,
	capability sys_resource,
}

# Profile for the cloud-control binary, attached by path under any /volume*
# appstore. It starts the package's daemons, PostgreSQL and redis tools, and
# package scripts.
# NOTE(review): write access to /etc, /dev, /proc and every volume, combined
# with `ux` on /usr/syno/sbin and on script/hook trees this profile can also
# write, means the profile restricts little in practice.
/volume*/@appstore/SynologyDrive/bin/cloud-control {
	#include<abstractions/base>
	#include<abstractions/nameservice>
	#include<abstractions/share>
	#include<abstractions/log>
	#include<abstractions/storage>
	#include<abstractions/btrfs>
	# NOTE(review): the next line is misspelled ("inlcude"), so the parser
	# reads it as an ordinary comment and abstractions/app-privilege is never
	# pulled in. Correct the spelling only after confirming that abstraction
	# exists and its rules are wanted here; otherwise delete the line.
	#inlcude<abstractions/app-privilege>
	#include<abstractions/SDKPlugin>
	#include<abstractions.pkg/SynologyDrive/sus>

	# System paths. Rules are additive, so the read-only /usr/syno/etc rule is
	# widened by the package_volume.map* rule here and by the package subtree
	# rule further down.
	# NOTE(review): /etc, /dev and @{PROC} are writable in full; narrow these
	# to the specific files the tool touches.
	/usr/syno/etc/{,**}							r,
	/usr/syno/etc.defaults/{,**}				r,
	/usr/syno/etc/package_volume.map*           rw,
	/usr/syno/bin/synodsmnotify					px,
	/etc/{,**}									rw,
	/etc.defaults/{,**}							r,
	/usr/local/etc/{,**}						r,
	/usr/share/{,**}							r,
	# `ux` on the whole directory: every program under /usr/syno/sbin started
	# from here runs unconfined with the caller's environment.
	/usr/syno/sbin/{,**}						rux,
	/var/spool/{,**}							rwk,
	# `ix`: programs under /usr/local/libexec inherit this profile.
	/usr/local/libexec/{,**}					rix,
	/dev/{,**}									rw,
	@{PROC}/{,**}								rw,

	# Package and user data. /volume*/** also matches the narrower /volume*
	# paths in this group; the hook rule adds unconfined exec on a subtree that
	# the appstore rule makes writable.
	/usr/syno/etc/packages/SynologyDrive/{,**}			rwkl,
	/var/packages/SynologyDrive/{,**}					mrwkl,
	/volume*/@appstore/SynologyDrive/{,**}				mrwkl,
	/volume*/@appstore/SynologyDrive/hook/{,**}			rux,
	/volume*/@synologydrive/{,**}						rwkl,
	/volume*/usbshare*/@sharebin/@synologydrive/{,**}	rwkl,
	/volume*/**											rwkl,

	# Helper executables. `px` entries (cloud-control itself, syncd) switch to
	# the target's profile; every `ux` entry runs unconfined.
	# NOTE(review): all of these live under the writable appstore tree above;
	# prefer `Px`/`Cx` with dedicated profiles and a read-only binary
	# directory.
	/volume*/@appstore/SynologyDrive/bin/updater-svr			ux,
	/volume*/@appstore/SynologyDrive/bin/webapi-runner			ux,
	/volume*/@appstore/SynologyDrive/bin/cloud-control 			px,
	/volume*/@appstore/SynologyDrive/sbin/cloud-cached			ux,
	/volume*/@appstore/SynologyDrive/sbin/cloud-authd			ux,
	/volume*/@appstore/SynologyDrive/sbin/cloud-cleand			ux,
	/volume*/@appstore/SynologyDrive/sbin/cloud-notifyd			ux,
	/volume*/@appstore/SynologyDrive/sbin/cloud-vmtouchd		ux,
	/volume*/@appstore/SynologyDrive/sbin/cloud-workerd 		ux,
	/volume*/@appstore/SynologyDrive/sbin/syncd					px,
	/volume*/@appstore/SynologyDrive/sbin/syno-cloud-clientd	ux,
	/volume*/@appstore/SynologyDrive/postgres/bin/initdb		ux,
	/volume*/@appstore/SynologyDrive/postgres/bin/pg_ctl		ux,
	/volume*/@appstore/SynologyDrive/usr/bin/redis-cli          ux,
	/volume*/@appstore/SynologyDrive/usr/bin/redis-server       ux,
	/volume*/@appstore/SynologyDrive/scripts/{,**}              ux,

	# dac_override and dac_read_search bypass file permission checks, so for
	# this profile the path rules above are the only file access limit.
	capability dac_override,
	capability dac_read_search,
	capability kill,
	capability block_suspend,
	capability chown,
	capability fowner,
	capability setgid,
}

# synoscgi hat named SYNO.SynologyDrive.AppIntegration.
# No rules of its own; permissions come only from the six included
# abstractions (base, base-cgi, share, webapi-DSM5, authentication, webapi).
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.AppIntegration {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/share>
	#include <abstractions/webapi-DSM5>
	#include <abstractions/authentication>
	#include <abstractions.pkg/SynologyDrive/webapi>

}

# synoscgi hat named SYNO.SynologyDrive.Authentication.
# No rules of its own; permissions come only from the six included
# abstractions (base, base-cgi, share, webapi-DSM5, authentication, webapi).
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Authentication {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/share>
	#include <abstractions/webapi-DSM5>
	#include <abstractions/authentication>
	#include <abstractions.pkg/SynologyDrive/webapi>

}

# synoscgi hat named SYNO.SynologyDrive.Trash.
# No rules of its own; permissions come only from the six included
# abstractions (base, base-cgi, share, webapi-DSM5, authentication, webapi).
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Trash {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/share>
	#include <abstractions/webapi-DSM5>
	#include <abstractions/authentication>
	#include <abstractions.pkg/SynologyDrive/webapi>

}

# synoscgi hat named SYNO.SynologyDrive.Info.
# Adds the synodrive abstraction and read/lock (no write) on files under
# /var/packages/SynologyDrive.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Info {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/share>
	#include <abstractions/webapi-DSM5>
	#include <abstractions/authentication>
	#include <abstractions.pkg/SynologyDrive/synodrive>
	#include <abstractions.pkg/SynologyDrive/webapi>

	/var/packages/SynologyDrive/**		rk,
}

# synoscgi hat named SYNO.SynologyDrive.Files.
# Grants read/write/lock and executable mapping on everything under any
# /volume* mount, plus the chat abstraction and a read of mimetypes.txt.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Files {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/share>
	#include <abstractions/authentication>
	#include <abstractions/webapi-DSM5>
	#include <abstractions.pkg/SynologyDrive/chat>
	#include <abstractions.pkg/SynologyDrive/webapi>

	# Both @tmp rules are also matched by the /volume*/** rule below, since `*`
	# in /volume* matches "USB..." as well; they add no permission.
	/volume*/@tmp/**			rwk,
	/volumeUSB*/usbshare*/@sharebin/@tmp/**			rwk,
	/usr/syno/etc.defaults/mimetypes.txt	r,
	# NOTE(review): `m` allows PROT_EXEC mappings of any file on any volume,
	# including files this same hat may write. If `m` is only needed for
	# package libraries, restrict it to that directory and keep user data at
	# `rwk`.
	/volume*/**					mrwk,
}

# synoscgi hat named SYNO.SynologyDrive.Share.Priv.
# No local rules; adds the libsynosdk/usergroup and chat abstractions to the
# common set.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Share.Priv {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/share>
	#include <abstractions/webapi-DSM5>
	#include <abstractions/authentication>
	#include <abstractions/libsynosdk/usergroup>
	#include <abstractions.pkg/SynologyDrive/chat>
	#include <abstractions.pkg/SynologyDrive/webapi>
}

# synoscgi hat named SYNO.SynologyDrive.Labels.
# Common abstraction set plus a read of libsynoscim.so from the
# SynologyApplicationService package.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Labels {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/share>
	#include <abstractions/webapi-DSM5>
	#include <abstractions/authentication>
	#include <abstractions.pkg/SynologyDrive/webapi>

	# NOTE(review): read only, no `m`. If the library is loaded into the
	# process, the executable-mapping permission has to come from one of the
	# abstractions; confirm.
	/volume*/@appstore/SynologyApplicationService/lib/libsynoscim.so r,
}

# synoscgi hat named SYNO.SynologyDrive.Shard.
# Adds the libsynoHtmlHandler and libsynosso abstractions, read/write/lock on
# three files under /usr/syno/synoman/webapi, and a read of date_time_format.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Shard {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/share>
	#include <abstractions/webapi-DSM5>
	#include <abstractions/authentication>
	#include <abstractions.pkg/SynologyDrive/webapi>
	#include <abstractions/libsynoHtmlHandler>
	#include <abstractions/libsynosso>

	# NOTE(review): these are presumably WebAPI definition files for DSM core
	# APIs; confirm that `w` is required here rather than `r`, since the hat
	# serves web requests.
	/usr/syno/synoman/webapi/lib.def	rwk,
	/usr/syno/synoman/webapi/SYNO.Core.DDNS.lib	rwk,
	/usr/syno/synoman/webapi/SYNO.Core.QuickConnect.lib	rwk,
	/usr/syno/etc/date_time_format	r,
}

# synoscgi hat named SYNO.SynologyDrive.Setting.DSM.
# Common abstraction set plus read/write/lock on every *.lib and *.def file
# directly inside /usr/syno/synoman/webapi.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Setting.DSM {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/share>
	#include <abstractions/webapi-DSM5>
	#include <abstractions/authentication>
	#include <abstractions.pkg/SynologyDrive/webapi>

	# A single `*` does not cross `/`, so subdirectories are not covered.
	# NOTE(review): the glob is not limited to this package's files; confirm
	# that `w` on all of them is required rather than `r`.
	/usr/syno/synoman/webapi/*{.lib,.def}	rwk,
}

# synoscgi hat named SYNO.SynologyDrive.Office.Volume.
# No local rules; adds the package's synodrive abstraction to the common set.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Office.Volume {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/share>
	#include <abstractions/webapi-DSM5>
	#include <abstractions/authentication>
	#include <abstractions.pkg/SynologyDrive/synodrive>
	#include <abstractions.pkg/SynologyDrive/webapi>

}

# synoscgi hat named SYNO.SynologyDrive.Notifications.
# No local rules; adds the package's chat abstraction to the common set.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Notifications {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/share>
	#include <abstractions/webapi-DSM5>
	#include <abstractions/authentication>
	#include <abstractions.pkg/SynologyDrive/chat>
	#include <abstractions.pkg/SynologyDrive/webapi>

}

# synoscgi hat named SYNO.SynologyDrive.SCIM.Photo.
# No local rules; unlike most hats in this file it does not include the share
# abstraction.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.SCIM.Photo {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/authentication>
	#include <abstractions/webapi-DSM5>

	#include <abstractions.pkg/SynologyDrive/webapi>
}

# synoscgi hat named SYNO.SynologyDrive.SCIM.User.
# No local rules; unlike most hats in this file it does not include the share
# abstraction.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.SCIM.User {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/webapi-DSM5>
	#include <abstractions/authentication>

	#include <abstractions.pkg/SynologyDrive/webapi>
}

# synoscgi hat named SYNO.SynologyDrive.Photos.
# Common abstraction set plus read-only access to everything under any
# /volume* mount.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Photos {
	#include<abstractions/base>
	#include<abstractions/base-cgi>
	#include <abstractions/share>
	#include <abstractions/webapi-DSM5>
	#include <abstractions/authentication>
	#include <abstractions.pkg/SynologyDrive/webapi>

	# NOTE(review): read access covers every share and package directory on
	# every volume, so which files a caller can fetch is decided by DAC and
	# the handler's own checks, not by this rule.
	/volume*/**       r,
}

# synoscgi hat named SYNO.SynologyDrive.Services.SynologyChat.
# No local rules; includes the package's chat abstraction and omits the share
# abstraction.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.Services.SynologyChat {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/webapi-DSM5>
	#include <abstractions/authentication>
	#include <abstractions.pkg/SynologyDrive/chat>
	#include <abstractions.pkg/SynologyDrive/webapi>
}

# Profile for the package's backup import script, attached by path.
# Grants read/write/lock/link on the package's configuration, install and data
# trees (not on user shares) together with CAP_DAC_OVERRIDE.
/var/packages/SynologyDrive/scripts/backup/import {
	#include <abstractions/base>
	#include <abstractions/share>
	#include <abstractions/btrfs>
	#include <abstractions/storage>
	/usr/syno/etc/packages/SynologyDrive/{,**}          rwkl,
	# This rule also matches the confined script's own path, so the profile
	# permits rewriting the program it is attached to.
	/var/packages/SynologyDrive/{,**}                   mrwkl,
	/volume*/@appstore/SynologyDrive/{,**}              mrwkl,
	/volume*/@synologydrive/{,**}                        rwkl,

	# dac_override bypasses file permission checks, so the path rules above
	# are the only limit on which files the script can modify.
	capability dac_override,
}

# synoscgi hat named SYNO.SynologyDrive.String.
# Read-only access to DSM's per-language strings files and to any texts
# directory of any package under the two appstore locations.
^/usr/syno/sbin/synoscgi//SYNO.SynologyDrive.String {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/webapi-DSM5>
	#include <abstractions/authentication>
	#include <abstractions.pkg/SynologyDrive/webapi>

	/usr/syno/synoman/webman/texts/*/strings   r,
	# `**` crosses `/`, so these two rules match a texts/ directory at any
	# depth inside any installed package, not only SynologyDrive.
	/volume*/@appstore/**/texts/**                          r,
	/usr/local/packages/@appstore/**/texts/**               r,
}

# vim: set ft=apparmor:
# vim:ft=apparmor
