#include <httpd>
#include <abstractions/base>
#include <abstractions/base-cgi>
#include <abstractions/libsynodaemon>

# Capabilities granted to the main httpd profile body. Each one widens what
# the confined process may do beyond ordinary user permissions. The
# setuid/setgid pair is the usual privilege-drop set for a server; the others
# each deserve a justification for why httpd itself (not a child) needs them.
capability setgid,
capability setuid,
capability dac_override,        # bypass discretionary file permission checks
capability net_admin,           # network configuration, not just sockets
capability net_bind_service,    # bind privileged (low-numbered) ports
capability net_raw,
capability sys_module,          # load/unload kernel modules — unusual for a web server; NOTE(review): confirm which code path requires this
capability chown,
capability fowner,              # bypass owner checks on files
network,                        # bare rule: every address family and socket type
/    r,
/usr/syno/etc/private/session/** mrw,
/usr/syno/synoman/**  mrwk,
/var/spool/webapi**   mrwk,

# Named CGI handlers execute under their own discrete profile (px). A px
# transition requires a loaded profile for the target path, so each of these
# children is confined independently of httpd's own rules.
/usr/syno/synoman/DSFile/queryWebdav.cgi                                         px,
/usr/syno/synoman/redirect.cgi                                                   px,
/usr/syno/synoman/webapi/encryption.cgi                                          px,
/usr/syno/synoman/webapi/entry.cgi                                               px,
/usr/syno/synoman/webman/authenticate.cgi                                        px,
/usr/syno/synoman/webman/dsmtoken.cgi                                            px,
/usr/syno/synoman/webman/error.cgi                                               px,
/usr/syno/synoman/webman/forget_passwd.cgi                                       px,
/usr/syno/synoman/webman/imageSelector.cgi                                       px,
/usr/syno/synoman/webman/index.cgi                                               px,
/usr/syno/synoman/webman/initdata.cgi                                            px,
/usr/syno/synoman/webman/login.cgi                                               px,
/usr/syno/synoman/webman/logout.cgi                                              px,
/usr/syno/synoman/webman/mail_otp.cgi                                            px,
/usr/syno/synoman/webman/mapp/uistrings.cgi                                      px,
/usr/syno/synoman/webman/modules/AudioPlayer/webapi/stream.cgi                   px,
/usr/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi                         px,
/usr/syno/synoman/webman/modules/DiskMessageHandler/volumeHandler.cgi            px,
/usr/syno/synoman/webman/modules/HelpBrowser/HelpBrowser.cgi                     px,
/usr/syno/synoman/webman/modules/PersonalSettings/personal.cgi                   px,
/usr/syno/synoman/webman/modules/PixlrImageEditor/editor.cgi                     px,
/usr/syno/synoman/webman/modules/PollingTask/polling.cgi                         px,
/usr/syno/synoman/webman/setup_otp.cgi                                           px,
/usr/syno/synoman/webman/synohdpack.cgi                                          px,
/usr/syno/synoman/webman/security.cgi                                            px,
/usr/syno/synoman/webman/wallpaper.cgi                                           px,
/usr/syno/synoman/sharing/sharing.cgi                                            px,
/usr/syno/synoman/sharing/redirect.cgi                                           px,
/usr/syno/synoman/sharing/initdata.cgi                                           px,
/usr/syno/bin/synosearchagent                                                    px,
# Catch-all: any other .cgi under synoman executes unconfined (ux). Lowercase
# ux also passes the parent's environment through unscrubbed. Every CGI not
# listed above therefore runs with no AppArmor mediation at all, so adding a
# new handler without a px entry silently falls into this rule.
/usr/syno/synoman{,/**}/*.cgi                                                    ux,

# These rules are kept so that httpd-sys stays compatible with third-party
# packages and with packages that do not support AppArmor. rkmux grants read,
# lock, mmap and unconfined execute over the entire package tree.
/volume*/@appstore/**                                                            rkmux,
/usr/local/packages/@appstore/**                                                 rkmux,

# Time Backup CGIs also execute unconfined, like the synoman catch-all above.
/usr/local/timebkp{,/**}/*.cgi                                                   ux,

# Presumably the fallback hat for requests not matched by a more specific
# hat. It carries the complain flag, so none of the rules below are enforced
# (denials are only logged), and the rule set is close to unconfined anyway:
# almost every capability, unrestricted network/mount, and read/write/exec
# over the whole filesystem. Treat this hat as an audit/learning aid rather
# than a security boundary until it is tightened and moved to enforce mode.
^DefaultHat flags=(attach_disconnected, mediate_deleted, complain) {
    capability block_suspend,
    capability chown,
    capability dac_override,
    capability dac_read_search,
    capability fowner,
    capability fsetid,
    capability kill,
    capability linux_immutable,
    capability net_admin,
    capability net_bind_service,
    capability net_broadcast,
    capability net_raw,
    capability ipc_lock,
    capability ipc_owner,
    capability setgid,
    capability setuid,
    capability setpcap,
    capability sys_admin,            # broad kernel administration capability
    capability sys_boot,
    capability sys_chroot,
    capability sys_module,           # load/unload kernel modules
    capability sys_nice    ,
    capability sys_pacct,
    capability sys_ptrace,           # trace/inspect other processes
    capability sys_rawio,            # raw device and port I/O
    capability sys_resource,
    capability sys_time,
    capability sys_tty_config,
    capability mknod,
    capability lease,
    network,                         # every address family and socket type
    mount,                           # unrestricted mount
    umount,

    /         r,
    /**     mrwlkux,                 # every path: mmap, read, write, link, lock, unconfined exec
    change_profile -> unconfined,    # the hat may leave AppArmor confinement entirely
}

# Presumably the hat used for the sharing endpoints. Also in complain mode,
# so the narrower rule set here is logged rather than enforced; the rules
# themselves are far tighter than DefaultHat (three capabilities, volume
# access only), which makes this hat a reasonable candidate for enforce mode
# once its audit log is clean.
^DefaultSharingHat flags=(attach_disconnected, mediate_deleted, complain) {
    #include <abstractions/base>
    #include <abstractions/base-cgi>
    capability setuid,
    capability setgid,
    capability chown,
    /         r,
    /volume*/** mrwlkix,   # ix: binaries executed from a volume inherit this hat's confinement
}
