treewide: reorganize base ACLs

Signed-off-by: Jo-Philipp Wich <jo@mein.io>

1 files changed, 65 insertions, 0 deletions

diff --git a/modules/luci-mod-network/root/usr/share/rpcd/acl.d/luci-mod-network.json b/modules/luci-mod-network/root/usr/share/rpcd/acl.d/luci-mod-network.json
new file mode 100644
index 000000000..d6c84bab2
--- /dev/null
+++ b/modules/luci-mod-network/root/usr/share/rpcd/acl.d/luci-mod-network.json
@@ -0,0 +1,65 @@
+{
+	"luci-mod-network-config": {
+		"description": "Grant access to network configuration",
+		"read": {
+			"cgi-io": [ "exec" ],
+			"file": {
+				"/usr/libexec/luci-peeraddr": [ "exec" ]
+			},
+			"ubus": {
+				"file": [ "exec" ],
+				"iwinfo": [ "assoclist", "countrylist", "freqlist", "txpowerlist" ],
+				"luci": [ "getSwconfigFeatures", "getSwconfigPortState" ]
+			},
+			"uci": [ "dhcp", "firewall", "network", "wireless" ]
+		},
+		"write": {
+			"cgi-io": [ "exec" ],
+			"file": {
+				"/sbin/ifup": [ "exec" ],
+				"/sbin/ifdown": [ "exec" ],
+				"/sbin/wifi": [ "exec" ]
+			},
+			"ubus": {
+				"file": [ "exec" ],
+				"hostapd.*": [ "del_client" ],
+				"iwinfo": [ "scan" ]
+			},
+			"uci": [ "dhcp", "firewall", "network", "wireless" ]
+		}
+	},
+
+	"luci-mod-network-dhcp": {
+		"description": "Grant access to DHCP configuration",
+		"read": {
+			"ubus": {
+				"luci-rpc": [ "getDHCPLeases", "getDUIDHints" ]
+			},
+			"uci": [ "dhcp" ]
+		},
+		"write": {
+			"uci": [ "dhcp" ]
+		}
+	},
+
+	"luci-mod-network-diagnostics": {
+		"description": "Grant access to network diagnostic tools",
+		"read": {
+			"file": {
+				"/bin/ping": [ "exec" ],
+				"/bin/ping6": [ "exec", "list" ],
+				"/bin/traceroute": [ "exec" ],
+				"/bin/traceroute6": [ "exec", "list" ],
+				"/usr/bin/nslookup": [ "exec" ],
+				"/usr/bin/ping": [ "exec" ],
+				"/usr/bin/ping6": [ "exec", "list" ],
+				"/usr/bin/traceroute": [ "exec" ],
+				"/usr/bin/traceroute6": [ "exec", "list" ]
+			},
+			"ubus": {
+				"file": [ "exec", "stat" ]
+			},
+			"uci": [ "luci" ]
+		}
+	}
+}