# ----------------------------------------------------------------------------
#
#    Copyright (C) 2000-2016 Synology Inc. All rights reserved.
#
# ----------------------------------------------------------------------------

#include <tunables/global>

# Confinement for the VPN Plus web portal CGI. The attachment glob matches the
# binary on any /volume* mount. The effective policy is the union of the rules
# below and the four included abstractions, whose contents are not shown here.
/volume*/@appstore/VPNPlusServer/ui/webportal/webportal.cgi {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions/notification>
	#include <abstractions.pkg/base>

	# Allows the CGI to change file ownership.
	# NOTE(review): no rule below names the file that needs chown; confirm the
	# capability is still required.
	capability chown,
	/etc/																			r,
	# Read/write/lock on the application-privilege database. The trailing glob
	# also matches every sibling whose name starts with synoappprivilege.db.
	# NOTE(review): this is the only writable path in the profile; confirm the
	# CGI authenticates the caller before it modifies this file.
	/etc/synoappprivilege.db*														rwk,
	/usr/share/ca-certificates/{,**}												r,
	# Per-user settings: the single * matches exactly one path component.
	/usr/syno/etc/preference/*/usersettings											r,
	/var/packages/VPNPlusServer/INFO												r,
	# UI strings, view templates and the CGI binary itself are read-only.
	/volume*/@appstore/VPNPlusServer/ui/texts/**									r,
	/volume*/@appstore/VPNPlusServer/ui/webportal/views/*							r,
	/volume*/@appstore/VPNPlusServer/ui/webportal/webportal.cgi						r,
}

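# Confinement for the synovpnplusd daemon. The attachment pattern matches the
# path itself and anything below it ({,/**}). The effective policy is the union
# of the rules below and the two included abstractions, whose contents are not
# shown here.
/volume*/@appstore/VPNPlusServer/tool/synovpnplusd{,/**} {
	#include <abstractions/base>
	#include <abstractions.pkg/base>

	# Bare mount/umount rules carry no fstype, option or mount-point conditions,
	# so this profile does not limit which mounts the daemon may perform.
	# NOTE(review): /run/pkimnt/ below looks like the intended mount point;
	# consider scoping both rules to it once confirmed.
	mount,
	umount,
	/etc/ppp/																		r,
	/etc/ppp/pppoe*.conf															r,
	/etc/ppp/syno_pppoe.conf														rw,
	# "ix" runs the helper under this same profile, so every helper executed
	# this way holds all permissions granted here.
	/etc/rc.network																	rix,
	/etc/sysconfig/network-scripts/ifcfg-*											rwk,
	# Write access to the whole IPv4 sysctl tree, not to individual keys.
	# NOTE(review): narrow to the keys actually written if they can be listed.
	/proc/sys/net/ipv4/{,**}														rwk,
	/run/pkimnt/																	rw,

	# ip cmd
	/sbin/ip																		rix,
	/etc/iproute2/rt_tables															r,

	/usr/sbin/pppoe-status															rix,
	# Package configuration: files directly in the package directory and in the
	# per-protocol subdirectories are writable.
	/usr/syno/etc/packages/VPNPlusServer/*											rwk,
	/usr/syno/etc/packages/VPNPlusServer/l2tp/*										rwk,
	/usr/syno/etc/packages/VPNPlusServer/openvpn/*									rwk,
	/usr/syno/etc/packages/VPNPlusServer/pptp/*										rwk,
	/usr/syno/etc/packages/VPNPlusServer/remotedesktop/synoremotedesktop.conf		r,
	/usr/syno/etc/wan.conf															r,
	/usr/syno/etc/dhcpd/dhcpd-script.sh												rix,
	/usr/syno/etc.defaults/iptables_modules_list									r,
	/usr/syno/sbin/dnsmasq															rix,
	/usr/syno/sbin/synonettool														rix,
	/volume*/@appstore/VPNPlusServer/bin/accel-cmd									ix,
	# The daemon may rewrite the pid file of the separately confined vpnserver.
	/volume*/@appstore/VPNPlusServer/var/run/vpnserver.pid							rwk,
	# debugfs control files under ecm/.
	# NOTE(review): confirm debugfs is expected to be mounted on production units.
	/sys/kernel/debug/ecm/ecm_db/defunct_all										rwk,
	/sys/kernel/debug/ecm/front_end_ipv4_stop										w,
	/sys/kernel/debug/ecm/front_end_ipv6_stop										w,
	/proc/syno_nss_qdisc/bridge_table												rwk,

	# tuning performance
	# Receive-queue CPU masks for eth* interfaces, plus the affinity of every
	# IRQ (the * is not limited to network IRQs).
	/sys/devices/platform/soc/*/net/eth*/queues/rx-*/rps_cpus						rwk,
	/sys/devices/virtual/net/eth*/queues/rx-*/rps_cpus								rwk,
	/proc/irq/*/smp_affinity														rwk,
}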

# Confinement for the vpnplusauthd authentication daemon. The effective policy
# is the union of the rules below and the three included abstractions, whose
# contents are not shown here.
/volume*/@appstore/VPNPlusServer/sbin/vpnplusauthd {
	#include <abstractions/base>
	#include <abstractions/notification>
	#include <abstractions.pkg/base>

	# NOTE(review): sys_ptrace lets the daemon trace or inspect other processes;
	# nothing else in this profile shows why it is needed, so confirm before keeping it.
	capability sys_ptrace,
	# Bare rule: no restriction on address family or socket type.
	network,
	/etc/																			r,
	/etc/passwd																		r,
	# Read-only view of the per-protocol VPN configuration.
	/usr/syno/etc/packages/VPNPlusServer/l2tp/*										r,
	/usr/syno/etc/packages/VPNPlusServer/openvpn/*									r,
	/usr/syno/etc/packages/VPNPlusServer/pptp/*										r,
	# PAM and RADIUS server configuration shipped with the package.
	# NOTE(review): raddb presumably holds client shared secrets; that is a
	# reason to keep these rules read-only and limited to this daemon.
	/volume*/@appstore/VPNPlusServer/etc/pam.d/*									r,
	/volume*/@appstore/VPNPlusServer/etc/raddb/**									r,
	/volume*/@appstore/VPNPlusServer/share/freeradius/dictionary*					r,
	# The only writable locations: the RADIUS log tree and the run directory.
	/volume*/@appstore/VPNPlusServer/var/log/radius/{,**}							rwk,
	/volume*/@appstore/VPNPlusServer/var/run/radiusd/								rwk,
	/volume*/@appstore/VPNPlusServer/var/run/radiusd/radiusd.pid					rwk,
}

# Confinement for the vpnserver binary (its certificate and log paths refer to
# sslvpn). The effective policy is the union of the rules below and the two
# included abstractions, whose contents are not shown here.
/volume*/@appstore/VPNPlusServer/bin/vpnserver {
	#include <abstractions/base>
	#include <abstractions.pkg/base>

	capability sys_nice,
	capability sys_resource,
	# Bare rule: no restriction on address family or socket type.
	network,
	/etc/host.conf																	r,
	/etc/hosts																		r,
	/etc/passwd																		r,
	/etc/resolv.conf																r,
	/etc/services																	r,
	# The * matches every PID, so the profile itself does not limit the rule to
	# the server's own process; ordinary kernel permission checks still apply.
	/proc/*/oom_score_adj															rwk,
	/proc/sys/net/ipv4/conf/all/arp_filter											rwk,
	# System-wide thread limit is writable.
	/proc/sys/kernel/threads-max													rwk,
	# Session store and domain-user database under etc/private are writable.
	# NOTE(review): these look like shared system state rather than package
	# state; confirm that write access is needed and not just read.
	/usr/syno/etc/private/session/{,**}												rwk,
	/usr/syno/etc/private/.db.domain_user											rwk,
	# default_ca.key is presumably the private key of the package's default CA;
	# access is read-only here.
	/usr/syno/etc/packages/VPNPlusServer/certificate/default_ca.crt					r,
	/usr/syno/etc/packages/VPNPlusServer/certificate/default_ca.key					r,
	/usr/syno/etc/packages/VPNPlusServer/certificate/sslvpn/{,*}					r,
	# Trailing slash with no glob: matches the directory itself only.
	/volume*/@appstore/VPNPlusServer/bin/chain_certs/								rwk,
	# The server may re-execute itself; "ix" keeps the child in this profile.
	/volume*/@appstore/VPNPlusServer/bin/vpnserver									rix,
	# Writable dot-files live in the same directory as the executable; the rules
	# are limited to these two name patterns and do not cover the binary itself.
	/volume*/@appstore/VPNPlusServer/bin/.ctl_*										rwk,
	/volume*/@appstore/VPNPlusServer/bin/.VPN-*										rwk,
	/volume*/@appstore/VPNPlusServer/var/log/sslvpn/{,*}							rwk,
	/volume*/@appstore/VPNPlusServer/var/run/vpnserver.pid							rwk,
}

# Confinement for the bundled node runtime, which per the paths below serves the
# synorouterportal tree. The attachment pattern matches the path itself and
# anything below it. The effective policy is the union of the rules below and
# the two included abstractions, whose contents are not shown here.
# NOTE(review): no network rule appears in this profile although resolver files
# are read; presumably an included abstraction grants it. Confirm.
/volume*/@appstore/VPNPlusServer/bin/node{,/**} {
	#include <abstractions/base>
	#include <abstractions.pkg/base>

	capability block_suspend,
	# busybox runs under this same profile ("ix"). It is a multi-call binary,
	# so every applet it provides is available within this confinement.
	/bin/busybox																	ix,
	/dev/null																		r,
	# Any pseudo-terminal, not just one allocated to this process.
	/dev/pts/*																		rw,
	/etc/host.conf																	r,
	/etc/hosts																		r,
	/etc/nsswitch.conf																r,
	/etc/resolv.conf																r,
	/lib/																			r,
	/lib/librt.so.1																	mr,
	/usr/sbin/																		r,
	/usr/share/zoneinfo/															r,
	# The * matches every file directly in certificate/, which includes the
	# default_ca.key named in the vpnserver profile of this file.
	# NOTE(review): if the portal only needs its own TLS certificate and key,
	# list those files explicitly instead of the glob.
	/usr/syno/etc/packages/VPNPlusServer/certificate/*								r,
	/volume*/@appstore/VPNPlusServer/bin/node										ix,
	# Portal code is readable and mappable as executable, but not writable.
	/volume*/@appstore/VPNPlusServer/synorouterportal/{,**}							mr,
	/volume*/@appstore/VPNPlusServer/var/log/synorouterportal/{,*}					rwk,
	/volume*/@appstore/VPNPlusServer/var/run/vpnportal.pid							rwk,
	/volume*/@appstore/VPNPlusServer/var/run/vpnportal.sock							rwk,
}

# Confinement for the accel-pppd daemon. The effective policy is the union of
# the rules below and the three included abstractions, whose contents are not
# shown here.
/volume*/@appstore/VPNPlusServer/sbin/accel-pppd {
	#include <abstractions/base>
	#include <abstractions.pkg/base>
	#include <abstractions/quickconnect>

	# net_admin covers interface, routing and firewall administration.
	capability net_admin,
	capability sys_resource,
	# Bare rule: no restriction on address family or socket type.
	network,
	/var/lib/accel-ppp/																rwk,
	/dev/ppp																		rw,
	/etc/passwd																		r,
	# Every file directly in /etc/ppp/ may be read and executed, and "ix" keeps
	# it in this profile (net_admin included).
	# NOTE(review): write access to /etc/ppp/ therefore determines what can run
	# here. The synovpnplusd profile in this file has rw on
	# /etc/ppp/syno_pppoe.conf; consider listing the expected scripts by name.
	/etc/ppp/*																		rix,
	/etc/rc.network																	ix,
	/etc/sysconfig/miniupnpd/														r,
	/etc/sysconfig/network															r,
	/etc/sysconfig/networking/ifcfg-*												r,
	/proc/sys/net/ipv4/ip_forward													rwk,
	/usr/syno/etc.defaults/iptables_modules_list									r,
	/usr/syno/etc/packages/VPNPlusServer/pptp/accel-pppd.conf						r,
	/usr/syno/etc/synovpnclient/pptp/wvdial											r,
	/usr/syno/etc/wan.conf															r,
	/usr/syno/sbin/synoswitchvlantool												rix,
	/var/lib/accel-ppp/*															rwk,
	# Plugin modules: read and executable mapping only.
	/volume*/@appstore/VPNPlusServer/lib/accel-ppp/*								mr,
	/volume*/@appstore/VPNPlusServer/share/accel-ppp/radius/dictionary*				r,
	# Port-forwarding state: the DNAT dump and the UPnP configs are writable,
	# the rule file is read-only.
	/etc/portforward/routerpf/dnat_rules.dump										rwk,
	/etc/portforward/routerpf/rule.conf												r,
	/etc/sysconfig/miniupnpd/upnp-*.conf											rwk,
}

# Confinement for the synoremotedesktopd daemon. The attachment pattern matches
# the path itself and anything below it. The effective policy is the union of
# the rules below and the three included abstractions, whose contents are not
# shown here.
/volume*/@appstore/VPNPlusServer/tool/synoremotedesktopd{,/**} {
	#include <abstractions/base>
	#include <abstractions/session>
	#include <abstractions.pkg/base>

	# Control socket of the daemon.
	/volume*/@appstore/VPNPlusServer/var/run/remotedesktopd.sock					rwk,
	/usr/syno/etc/packages/VPNPlusServer/remotedesktop/synoremotedesktop.conf		r,
	# Per-client JSON files are the only writable configuration.
	/usr/syno/etc/packages/VPNPlusServer/remotedesktop/client*.json					rwk,
	# The * matches every file directly in certificate/, which includes the
	# default_ca.key named in the vpnserver profile of this file.
	# NOTE(review): narrow to the files this daemon actually loads if they can be listed.
	/usr/syno/etc/packages/VPNPlusServer/certificate/*								r,
}

# Confinement for the bundled guacd daemon. The attachment pattern matches the
# path itself and anything below it. Apart from the included abstractions
# (contents not shown here), the profile grants one config file, the zoneinfo
# directory listing and the daemon's pid file.
# NOTE(review): no network rule is visible here; presumably an included
# abstraction grants it. Confirm.
/volume*/@appstore/VPNPlusServer/sbin/guacd{,/**} {
	#include <abstractions/base>
	#include <abstractions.pkg/base>

	/usr/syno/etc/packages/VPNPlusServer/remotedesktop/guacd.conf					r,
	/usr/share/zoneinfo/															r,
	/volume*/@appstore/VPNPlusServer/var/run/guacd.pid								rwk,
}

# Profile declared with the "^" hat prefix and a parent//child name: entry.cgi
# is the parent, SYNO.VPNPlus.UserData the child.
# NOTE(review): presumably entry.cgi switches into this hat when it dispatches
# the UserData API; confirm against the entry.cgi profile, which is not in this file.
^/usr/syno/synoman/webapi/entry.cgi//SYNO.VPNPlus.UserData {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions.pkg/base>

	# The only explicit rule: read and map (executable) the API's shared object.
	/volume*/@appstore/VPNPlusServer/webapi/user_data/SYNO.VPNPlus.UserData.so		mr,
}

# Profile declared with the "^" hat prefix and a parent//child name: entry.cgi
# is the parent, SYNO.VPNPlus.WebPortal.User the child.
# NOTE(review): presumably entry.cgi switches into this hat when it dispatches
# the WebPortal.User API; confirm against the entry.cgi profile, which is not in this file.
^/usr/syno/synoman/webapi/entry.cgi//SYNO.VPNPlus.WebPortal.User {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions.pkg/base>

	# The only explicit rule: read and map (executable) the WebPortal shared
	# object. The WebPortal.Favorite and WebPortal.History hats in this file
	# load the same library.
	/volume*/@appstore/VPNPlusServer/webapi/webportal/SYNO.VPNPlus.WebPortal.so		mr,
}

# Profile declared with the "^" hat prefix and a parent//child name: entry.cgi
# is the parent, SYNO.VPNPlus.WebPortal.Favorite the child.
# NOTE(review): presumably entry.cgi switches into this hat when it dispatches
# the WebPortal.Favorite API; confirm against the entry.cgi profile, which is not in this file.
^/usr/syno/synoman/webapi/entry.cgi//SYNO.VPNPlus.WebPortal.Favorite {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions.pkg/base>

	# The only explicit rule: read and map (executable) the WebPortal shared
	# object. The WebPortal.User and WebPortal.History hats in this file load
	# the same library.
	/volume*/@appstore/VPNPlusServer/webapi/webportal/SYNO.VPNPlus.WebPortal.so		mr,
}

# Profile declared with the "^" hat prefix and a parent//child name: entry.cgi
# is the parent, SYNO.VPNPlus.WebPortal.History the child.
# NOTE(review): presumably entry.cgi switches into this hat when it dispatches
# the WebPortal.History API; confirm against the entry.cgi profile, which is not in this file.
^/usr/syno/synoman/webapi/entry.cgi//SYNO.VPNPlus.WebPortal.History {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions.pkg/base>

	# The only explicit rule: read and map (executable) the WebPortal shared
	# object. The WebPortal.User and WebPortal.Favorite hats in this file load
	# the same library.
	/volume*/@appstore/VPNPlusServer/webapi/webportal/SYNO.VPNPlus.WebPortal.so		mr,
}
