treewide: reorganize base ACLs

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

4 files changed, 41 insertions, 5 deletions

diff --git a/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json b/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json
new file mode 100644
index 0000000000..0ee29ad217
--- /dev/null
+++ b/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json
@@ -0,0 +1,24 @@
+{
+	"luci-app-firewall": {
+		"description": "Grant access to firewall configuration",
+		"read": {
+			"file": {
+				"/etc/firewall.user": [ "read" ]
+			},
+			"ubus": {
+				"file": [ "read" ],
+				"luci": [ "getConntrackHelpers" ]
+			},
+			"uci": [ "firewall" ],
+		},
+		"write": {
+			"file": {
+				"/etc/firewall.user": [ "write" ]
+			},
+			"ubus": {
+				"file": [ "write" ]
+			},
+			"uci": [ "firewall" ]
+		}
+	}
+}
diff --git a/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json b/applications/luci-app-openvpn/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
index bc9d8e184d..bc9d8e184d 100644
--- a/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
+++ b/applications/luci-app-openvpn/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
diff --git a/applications/luci-app-opkg/root/usr/share/rpcd/acl.d/luci-app-opkg.json b/applications/luci-app-opkg/root/usr/share/rpcd/acl.d/luci-app-opkg.json
index 37f75fb7c9..d6531a58e4 100644
--- a/applications/luci-app-opkg/root/usr/share/rpcd/acl.d/luci-app-opkg.json
+++ b/applications/luci-app-opkg/root/usr/share/rpcd/acl.d/luci-app-opkg.json
@@ -4,6 +4,8 @@
 		"read": {
 			"cgi-io": [ "exec" ],
 			"file": {
+				"/usr/libexec/opkg-list installed": [ "exec" ],
+				"/usr/libexec/opkg-list available": [ "exec" ],
 				"/usr/libexec/opkg-call list-installed": [ "exec" ],
 				"/usr/libexec/opkg-call list-available": [ "exec" ],
 				"/etc/opkg.conf": [ "read" ],
diff --git a/applications/luci-app-statistics/root/usr/share/rpcd/acl.d/luci-app-statistics.json b/applications/luci-app-statistics/root/usr/share/rpcd/acl.d/luci-app-statistics.json
index 2529fca16d..3168b37400 100644
--- a/applications/luci-app-statistics/root/usr/share/rpcd/acl.d/luci-app-statistics.json
+++ b/applications/luci-app-statistics/root/usr/share/rpcd/acl.d/luci-app-statistics.json
@@ -5,19 +5,29 @@
 			"cgi-io": [ "read", "exec" ],
 			"file": {
 				"/etc/filesystems": [ "read" ],
-				"/etc/group": [ "read" ],
-				"/etc/passwd": [ "read" ],
 				"/proc/filesystems": [ "read" ],
 				"/proc/interrupts": [ "read" ],
 				"/proc/mounts": [ "read" ],
 				"/proc/partitions": [ "read" ],
 				"/proc/sys/kernel/hostname": [ "read" ],
-				"/usr/bin/rrdtool graph - -a PNG *": [ "exec" ],
+				"/tmp/rrd": [ "list" ],
+				"/usr/bin/rrdtool graph - -a PNG -s *": [ "exec" ],
+				"/usr/lib/collectd": [ "list" ],
 				"/usr/sbin/iptables-save": [ "exec" ],
 				"/usr/sbin/ip6tables-save": [ "exec" ],
 				"/usr/sbin/sensors -j": [ "exec" ],
-				"/usr/share/luci/statistics/plugins/*.json": [ "read" ]
-			}
+				"/usr/share/luci/statistics/plugins": [ "list" ],
+				"/usr/share/luci/statistics/plugins/*.json": [ "read" ],
+				"/var/run": [ "list" ],
+				"/www/luci-static/resources/statistics/rrdtool/definitions": [ "list" ]
+			},
+			"ubus": {
+				"file": [ "list", "read" ]
+			},
+			"uci": [ "luci_statistics" ]
+		},
+		"write": {
+			"uci": [ "luci_statistics" ]
 		}
 	}
 }