treewide: reorganize base ACLs

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

2 files changed, 24 insertions, 11 deletions

diff --git a/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json b/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json
new file mode 100644
index 000000000..0ee29ad21
--- /dev/null
+++ b/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json
@@ -0,0 +1,24 @@
+{
+	"luci-app-firewall": {
+		"description": "Grant access to firewall configuration",
+		"read": {
+			"file": {
+				"/etc/firewall.user": [ "read" ]
+			},
+			"ubus": {
+				"file": [ "read" ],
+				"luci": [ "getConntrackHelpers" ]
+			},
+			"uci": [ "firewall" ],
+		},
+		"write": {
+			"file": {
+				"/etc/firewall.user": [ "write" ]
+			},
+			"ubus": {
+				"file": [ "write" ]
+			},
+			"uci": [ "firewall" ]
+		}
+	}
+}
diff --git a/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json b/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
deleted file mode 100644
index bc9d8e184..000000000
--- a/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
-	"luci-app-openvpn": {
-		"description": "Grant file upload access to /etc/openvpn",
-		"write": {
-			"cgi-io": [ "upload" ],
-			"file": {
-				"/etc/openvpn/*": [ "write" ]
-			}
-		}
-	}
-}