From c099344013ad72d01a93b99184c72c5eeb792174 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Thu, 9 Apr 2020 22:52:37 +0200
Subject: treewide: reorganize base ACLs
Signed-off-by: Jo-Philipp Wich
---
.../usr/share/rpcd/acl.d/luci-app-firewall.json | 24 ++++++++++++++++++++++
.../usr/share/rpcd/acl.d/luci-app-openvpn.json | 11 ----------
.../usr/share/rpcd/acl.d/luci-app-openvpn.json | 11 ++++++++++
.../root/usr/share/rpcd/acl.d/luci-app-opkg.json | 2 ++
.../usr/share/rpcd/acl.d/luci-app-statistics.json | 20 +++++++++++++-----
5 files changed, 52 insertions(+), 16 deletions(-)
create mode 100644 applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json
delete mode 100644 applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
create mode 100644 applications/luci-app-openvpn/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
(limited to 'applications')
diff --git a/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json b/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json
new file mode 100644
index 0000000000..0ee29ad217
--- /dev/null
+++ b/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-firewall.json
@@ -0,0 +1,24 @@
+{
+ "luci-app-firewall": {
+ "description": "Grant access to firewall configuration",
+ "read": {
+ "file": {
+ "/etc/firewall.user": [ "read" ]
+ },
+ "ubus": {
+ "file": [ "read" ],
+ "luci": [ "getConntrackHelpers" ]
+ },
+ "uci": [ "firewall" ],
+ },
+ "write": {
+ "file": {
+ "/etc/firewall.user": [ "write" ]
+ },
+ "ubus": {
+ "file": [ "write" ]
+ },
+ "uci": [ "firewall" ]
+ }
+ }
+}
diff --git a/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json b/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
deleted file mode 100644
index bc9d8e184d..0000000000
--- a/applications/luci-app-firewall/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
+++ /dev/null
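Review bot: In the new luci-app-firewall.json, the `read` object ends with `"uci": [ "firewall" ],` directly before its closing `},`, and that trailing comma is not valid JSON under RFC 8259. Whether rpcd's ACL loader tolerates it is not visible from this patch; a strict parser would reject the whole file, in which case none of the firewall app's grants would presumably be loaded. Drop the comma so the line reads `"uci": [ "firewall" ]`, matching the last member of the `write` object a few lines below.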
@@ -1,11 +0,0 @@
-{
- "luci-app-openvpn": {
- "description": "Grant file upload access to /etc/openvpn",
- "write": {
- "cgi-io": [ "upload" ],
- "file": {
- "/etc/openvpn/*": [ "write" ]
- }
- }
- }
-}
diff --git a/applications/luci-app-openvpn/root/usr/share/rpcd/acl.d/luci-app-openvpn.json b/applications/luci-app-openvpn/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
new file mode 100644
index 0000000000..bc9d8e184d
--- /dev/null
+++ b/applications/luci-app-openvpn/root/usr/share/rpcd/acl.d/luci-app-openvpn.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-openvpn": {
+ "description": "Grant file upload access to /etc/openvpn",
+ "write": {
+ "cgi-io": [ "upload" ],
+ "file": {
+ "/etc/openvpn/*": [ "write" ]
+ }
+ }
+ }
+}
diff --git a/applications/luci-app-opkg/root/usr/share/rpcd/acl.d/luci-app-opkg.json b/applications/luci-app-opkg/root/usr/share/rpcd/acl.d/luci-app-opkg.json
index 37f75fb7c9..d6531a58e4 100644
--- a/applications/luci-app-opkg/root/usr/share/rpcd/acl.d/luci-app-opkg.json
+++ b/applications/luci-app-opkg/root/usr/share/rpcd/acl.d/luci-app-opkg.json
@@ -4,6 +4,8 @@
 "read": {
 "cgi-io": [ "exec" ],
 "file": {
+ "/usr/libexec/opkg-list installed": [ "exec" ],
+ "/usr/libexec/opkg-list available": [ "exec" ],
 "/usr/libexec/opkg-call list-installed": [ "exec" ],
 "/usr/libexec/opkg-call list-available": [ "exec" ],
 "/etc/opkg.conf": [ "read" ],
diff --git a/applications/luci-app-statistics/root/usr/share/rpcd/acl.d/luci-app-statistics.json b/applications/luci-app-statistics/root/usr/share/rpcd/acl.d/luci-app-statistics.json
index 2529fca16d..3168b37400 100644
--- a/applications/luci-app-statistics/root/usr/share/rpcd/acl.d/luci-app-statistics.json
+++ b/applications/luci-app-statistics/root/usr/share/rpcd/acl.d/luci-app-statistics.json
@@ -5,19 +5,29 @@
 "cgi-io": [ "read", "exec" ],
 "file": {
 "/etc/filesystems": [ "read" ],
- "/etc/group": [ "read" ],
- "/etc/passwd": [ "read" ],
 "/proc/filesystems": [ "read" ],
 "/proc/interrupts": [ "read" ],
 "/proc/mounts": [ "read" ],
 "/proc/partitions": [ "read" ],
 "/proc/sys/kernel/hostname": [ "read" ],
- "/usr/bin/rrdtool graph - -a PNG *": [ "exec" ],
+ "/tmp/rrd": [ "list" ],
+ "/usr/bin/rrdtool graph - -a PNG -s *": [ "exec" ],
+ "/usr/lib/collectd": [ "list" ],
 "/usr/sbin/iptables-save": [ "exec" ],
 "/usr/sbin/ip6tables-save": [ "exec" ],
 "/usr/sbin/sensors -j": [ "exec" ],
- "/usr/share/luci/statistics/plugins/*.json": [ "read" ]
- }
+ "/usr/share/luci/statistics/plugins": [ "list" ],
+ "/usr/share/luci/statistics/plugins/*.json": [ "read" ],
+ "/var/run": [ "list" ],
+ "/www/luci-static/resources/statistics/rrdtool/definitions": [ "list" ]
+ },
+ "ubus": {
+ "file": [ "list", "read" ]
+ },
+ "uci": [ "luci_statistics" ]
+ },
+ "write": {
+ "uci": [ "luci_statistics" ]
 }
 }
 }
--
cgit v1.2.3
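Review bot: The exec key `"/usr/bin/rrdtool graph - -a PNG -s *"` remains in the read-scoped part of the ACL, and its trailing `*` (presumably glob-matched, as in the `*.json` key) still leaves every argument after `-s` to the caller, so a read-only session is granted whatever else `rrdtool graph` accepts rather than one fixed invocation. That is narrower than the `PNG *` pattern it replaces, but if the frontend always emits a fixed option sequence, pinning more of that prefix in the key would bring the grant closer to what the UI actually needs. Similarly, `"/var/run": [ "list" ]` exposes the names of everything in the runtime directory; if only collectd's entries are required (not visible from this hunk), a more specific path would fit least privilege better. The enclosing `read` object opens above the hunk, so its earlier members are not visible here.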