From 9a1a341121a0b4f789d275b38b0ebd7a392d08c0 Mon Sep 17 00:00:00 2001 
From: "Ycarus (Yannick Chabanois)"
Date: Mon, 20 Apr 2020 16:47:55 +0200
Subject: [PATCH] Add ACL for all apps
---
.../root/usr/share/rpcd/acl.d/luci-app-dsvpn.json | 11 +++++++++++
.../root/usr/share/rpcd/acl.d/luci-app-glorytun.json | 11 +++++++++++
.../share/rpcd/acl.d/luci-app-https-dns-proxy.json | 11 +++++++++++
.../root/usr/share/rpcd/acl.d/luci-app-iperf.json | 11 +++++++++++
.../root/usr/share/rpcd/acl.d/luci-app-macvlan.json | 11 +++++++++++
.../root/usr/share/rpcd/acl.d/luci-app-mail.json | 11 +++++++++++
.../root/usr/share/rpcd/acl.d/luci-app-mlvpn.json | 11 +++++++++++
.../root/usr/share/rpcd/acl.d/luci-app-mptcp.json | 11 +++++++++++
.../root/usr/share/rpcd/acl.d/luci-app-nginx-ha.json | 11 +++++++++++
.../usr/share/rpcd/acl.d/luci-app-omr-bypass.json | 6 +++++-
.../root/usr/share/rpcd/acl.d/luci-app-dscp.json | 11 +++++++++++
.../root/usr/share/rpcd/acl.d/luci-app-omr-quota.json | 11 +++++++++++
.../usr/share/rpcd/acl.d/luci-app-omr-tracker.json | 11 +++++++++++
.../share/rpcd/acl.d/luci-app-openmptcprouter.json | 11 +++++++++++
.../share/rpcd/acl.d/luci-app-shadowsocks-libev.json | 6 ++++--
.../root/usr/share/rpcd/acl.d/luci-app-snmpd.json | 11 +++++++++++
16 files changed, 163 insertions(+), 3 deletions(-)
create mode 100644 luci-app-dsvpn/root/usr/share/rpcd/acl.d/luci-app-dsvpn.json
create mode 100644 luci-app-glorytun/root/usr/share/rpcd/acl.d/luci-app-glorytun.json
create mode 100644 luci-app-https-dns-proxy/root/usr/share/rpcd/acl.d/luci-app-https-dns-proxy.json
create mode 100644 luci-app-iperf/root/usr/share/rpcd/acl.d/luci-app-iperf.json
create mode 100644 luci-app-macvlan/root/usr/share/rpcd/acl.d/luci-app-macvlan.json
create mode 100644 luci-app-mail/root/usr/share/rpcd/acl.d/luci-app-mail.json
create mode 100644 luci-app-mlvpn/root/usr/share/rpcd/acl.d/luci-app-mlvpn.json
create mode 100644 luci-app-mptcp/root/usr/share/rpcd/acl.d/luci-app-mptcp.json
create mode 100644 luci-app-nginx-ha/root/usr/share/rpcd/acl.d/luci-app-nginx-ha.json
create mode 100644 luci-app-omr-dscp/root/usr/share/rpcd/acl.d/luci-app-dscp.json
create mode 100644 luci-app-omr-quota/root/usr/share/rpcd/acl.d/luci-app-omr-quota.json
create mode 100644 luci-app-omr-tracker/root/usr/share/rpcd/acl.d/luci-app-omr-tracker.json
create mode 100644 luci-app-openmptcprouter/root/usr/share/rpcd/acl.d/luci-app-openmptcprouter.json
create mode 100644 luci-app-snmpd/root/usr/share/rpcd/acl.d/luci-app-snmpd.json
diff --git a/luci-app-dsvpn/root/usr/share/rpcd/acl.d/luci-app-dsvpn.json b/luci-app-dsvpn/root/usr/share/rpcd/acl.d/luci-app-dsvpn.json
new file mode 100644
index 000000000..c4c7f00c9
--- /dev/null
+++ b/luci-app-dsvpn/root/usr/share/rpcd/acl.d/luci-app-dsvpn.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-dsvpn": {
+ "description": "Grant UCI access for luci-app-dsvpn",
+ "read": {
+ "uci": [ "dsvpn" ]
+ },
+ "write": {
+ "uci": [ "dsvpn" ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/luci-app-glorytun/root/usr/share/rpcd/acl.d/luci-app-glorytun.json b/luci-app-glorytun/root/usr/share/rpcd/acl.d/luci-app-glorytun.json
new file mode 100644
index 000000000..63a49918f
--- /dev/null
+++ b/luci-app-glorytun/root/usr/share/rpcd/acl.d/luci-app-glorytun.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-glorytun": {
+ "description": "Grant UCI access for luci-app-glorytun",
+ "read": {
+ "uci": [ "glorytun" ]
+ },
+ "write": {
+ "uci": [ "glorytun" ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/luci-app-https-dns-proxy/root/usr/share/rpcd/acl.d/luci-app-https-dns-proxy.json b/luci-app-https-dns-proxy/root/usr/share/rpcd/acl.d/luci-app-https-dns-proxy.json
new file mode 100644
index 000000000..b2f1cbc0d
--- /dev/null
+++ b/luci-app-https-dns-proxy/root/usr/share/rpcd/acl.d/luci-app-https-dns-proxy.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-https-dns-proxy": {
+ "description": "Grant UCI access for luci-app-https-dns-proxy",
+ "read": {
+ "uci": [ "https-dns-proxy" ]
+ },
+ "write": {
+ "uci": [ "https-dns-proxy" ]
+ }
+ }
+}
\ No newline at end of file
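Review bot: luci-app-dsvpn.json is created without a final newline (`\ No newline at end of file`), and the same marker appears on every other new ACL file in this patch and on the modified luci-app-omr-bypass.json. Ending each file with a newline keeps later one-line additions to these grant lists from showing up as two-line changes, which matters for files whose diffs are reviewed as permission changes.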
diff --git a/luci-app-iperf/root/usr/share/rpcd/acl.d/luci-app-iperf.json b/luci-app-iperf/root/usr/share/rpcd/acl.d/luci-app-iperf.json
new file mode 100644
index 000000000..c85182859
--- /dev/null
+++ b/luci-app-iperf/root/usr/share/rpcd/acl.d/luci-app-iperf.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-iperf": {
+ "description": "Grant UCI access for luci-app-iperf",
+ "read": {
+ "uci": [ "iperf" ]
+ },
+ "write": {
+ "uci": [ "iperf" ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/luci-app-macvlan/root/usr/share/rpcd/acl.d/luci-app-macvlan.json b/luci-app-macvlan/root/usr/share/rpcd/acl.d/luci-app-macvlan.json
new file mode 100644
index 000000000..f2a4fdc9f
--- /dev/null
+++ b/luci-app-macvlan/root/usr/share/rpcd/acl.d/luci-app-macvlan.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-macvlan": {
+ "description": "Grant UCI access for luci-app-macvlan",
+ "read": {
+ "uci": [ "macvlan" ]
+ },
+ "write": {
+ "uci": [ "macvlan" ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/luci-app-mail/root/usr/share/rpcd/acl.d/luci-app-mail.json b/luci-app-mail/root/usr/share/rpcd/acl.d/luci-app-mail.json
new file mode 100644
index 000000000..719eead98
--- /dev/null
+++ b/luci-app-mail/root/usr/share/rpcd/acl.d/luci-app-mail.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-mail": {
+ "description": "Grant UCI access for luci-app-mail",
+ "read": {
+ "uci": [ "mail" ]
+ },
+ "write": {
+ "uci": [ "mail" ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/luci-app-mlvpn/root/usr/share/rpcd/acl.d/luci-app-mlvpn.json b/luci-app-mlvpn/root/usr/share/rpcd/acl.d/luci-app-mlvpn.json
new file mode 100644
index 000000000..e1727a866
--- /dev/null
+++ b/luci-app-mlvpn/root/usr/share/rpcd/acl.d/luci-app-mlvpn.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-mlvpn": {
+ "description": "Grant UCI access for luci-app-mlvpn",
+ "read": {
+ "uci": [ "mlvpn" ]
+ },
+ "write": {
+ "uci": [ "mlvpn" ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/luci-app-mptcp/root/usr/share/rpcd/acl.d/luci-app-mptcp.json b/luci-app-mptcp/root/usr/share/rpcd/acl.d/luci-app-mptcp.json
new file mode 100644
index 000000000..d07f07916
--- /dev/null
+++ b/luci-app-mptcp/root/usr/share/rpcd/acl.d/luci-app-mptcp.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-mptcp": {
+ "description": "Grant UCI access for luci-app-mptcp",
+ "read": {
+ "uci": [ "openmptcprouter", "network" ]
+ },
+ "write": {
+ "uci": [ "openmptcprouter", "network" ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/luci-app-nginx-ha/root/usr/share/rpcd/acl.d/luci-app-nginx-ha.json b/luci-app-nginx-ha/root/usr/share/rpcd/acl.d/luci-app-nginx-ha.json
new file mode 100644
index 000000000..b6cab190e
--- /dev/null
+++ b/luci-app-nginx-ha/root/usr/share/rpcd/acl.d/luci-app-nginx-ha.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-nginx-ha": {
+ "description": "Grant UCI access for luci-app-nginx-ha",
+ "read": {
+ "uci": [ "nginx-ha" ]
+ },
+ "write": {
+ "uci": [ "nginx-ha" ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/luci-app-omr-bypass/root/usr/share/rpcd/acl.d/luci-app-omr-bypass.json b/luci-app-omr-bypass/root/usr/share/rpcd/acl.d/luci-app-omr-bypass.json
index 8d3d97244..9954a4047 100644
--- a/luci-app-omr-bypass/root/usr/share/rpcd/acl.d/luci-app-omr-bypass.json
+++ b/luci-app-omr-bypass/root/usr/share/rpcd/acl.d/luci-app-omr-bypass.json
@@ -5,7 +5,11 @@
 "file": {
 "/proc/net/xt_ndpi/proto": [ "read" ],
 "/proc/net/xt_ndpi/host_proto": [ "read" ],
- }
+ },
+ "uci": [ "omr-bypass" ]
+ }
+ "write": {
+ "uci": [ "omr-bypass" ]
 }
 }
 }
\ No newline at end of file
diff --git a/luci-app-omr-dscp/root/usr/share/rpcd/acl.d/luci-app-dscp.json b/luci-app-omr-dscp/root/usr/share/rpcd/acl.d/luci-app-dscp.json
new file mode 100644
index 000000000..4cb8a0bb1
--- /dev/null
+++ b/luci-app-omr-dscp/root/usr/share/rpcd/acl.d/luci-app-dscp.json
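Review bot: In luci-app-omr-bypass.json the added `}` that closes `"read"` is followed directly by `"write": {` with no comma between the two members, so the new side of this hunk is not valid JSON; that line should be `},`. The context line `"/proc/net/xt_ndpi/host_proto": [ "read" ],` also carries a trailing comma before the closing brace, which a strict parser rejects as well. If the ACL loader refuses the file, the whole group is presumably dropped, taking the existing `/proc/net/xt_ndpi` read grants with it, so the page would lose access rather than gain it. The enclosing object starts above the hunk; running the finished file through a JSON validator such as `jq .` before merging would catch both.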
@@ -0,0 +1,11 @@
+{
+ "luci-app-dscp": {
+ "description": "Grant UCI access for luci-app-dscp",
+ "read": {
+ "uci": [ "dscp" ]
+ },
+ "write": {
+ "uci": [ "dscp" ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/luci-app-omr-quota/root/usr/share/rpcd/acl.d/luci-app-omr-quota.json b/luci-app-omr-quota/root/usr/share/rpcd/acl.d/luci-app-omr-quota.json
new file mode 100644
index 000000000..1fb134623
--- /dev/null
+++ b/luci-app-omr-quota/root/usr/share/rpcd/acl.d/luci-app-omr-quota.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-omr-quota": {
+ "description": "Grant UCI access for luci-app-omr-quota",
+ "read": {
+ "uci": [ "omr-quota" ]
+ },
+ "write": {
+ "uci": [ "omr-quota" ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/luci-app-omr-tracker/root/usr/share/rpcd/acl.d/luci-app-omr-tracker.json b/luci-app-omr-tracker/root/usr/share/rpcd/acl.d/luci-app-omr-tracker.json
new file mode 100644
index 000000000..c55ce91d4
--- /dev/null
+++ b/luci-app-omr-tracker/root/usr/share/rpcd/acl.d/luci-app-omr-tracker.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-omr-tracker": {
+ "description": "Grant UCI access for luci-app-omr-tracker",
+ "read": {
+ "uci": [ "omr-tracker" ]
+ },
+ "write": {
+ "uci": [ "omr-tracker" ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/luci-app-openmptcprouter/root/usr/share/rpcd/acl.d/luci-app-openmptcprouter.json b/luci-app-openmptcprouter/root/usr/share/rpcd/acl.d/luci-app-openmptcprouter.json
new file mode 100644
index 000000000..934ff1d07
--- /dev/null
+++ b/luci-app-openmptcprouter/root/usr/share/rpcd/acl.d/luci-app-openmptcprouter.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-openmptcprouter": {
+ "description": "Grant UCI access for luci-app-openmptcprouter",
+ "read": {
+ "uci": [ "'*" ]
+ },
+ "write": {
+ "uci": [ "'*" ]
+ }
+ }
+}
\ No newline at end of file
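Review bot: The ACL group `luci-app-dscp` and the UCI config `dscp` in luci-app-dscp.json drop the `omr-` prefix that the package directory `luci-app-omr-dscp` carries, whereas the sibling omr-quota, omr-tracker and omr-bypass files keep the prefix in the file name, the group name and the config name. If the package's config file is actually named `omr-dscp`, both grants here match nothing and the page is left without UCI access. The config file is not visible in this patch, so the name is worth confirming against it before merging.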
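Review bot: In luci-app-openmptcprouter.json the pattern `"'*"` under both `read` and `write` contains a stray single quote, so the string is `'*` rather than the wildcard `*`; as written it presumably matches only config names that begin with a quote character, which means it grants nothing. If the wildcard is what was meant, `"uci": [ "*" ]` under `write` would let any session holding this group modify every UCI config on the router, which is far wider than the single-config grants in the other files of this patch. Listing the configs this app actually edits, in the style of `"uci": [ "openmptcprouter", "network" ]` used for luci-app-mptcp, would keep the grant least-privilege and reviewable.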
diff --git a/luci-app-shadowsocks-libev/root/usr/share/rpcd/acl.d/luci-app-shadowsocks-libev.json b/luci-app-shadowsocks-libev/root/usr/share/rpcd/acl.d/luci-app-shadowsocks-libev.json
index eb56fd12a..d45fab948 100644
--- a/luci-app-shadowsocks-libev/root/usr/share/rpcd/acl.d/luci-app-shadowsocks-libev.json
+++ b/luci-app-shadowsocks-libev/root/usr/share/rpcd/acl.d/luci-app-shadowsocks-libev.json
@@ -4,12 +4,14 @@
 "read": {
 "ubus": {
 "service": [ "list" ]
- }
+ },
+ "uci": [ "shadowsocks-libev" ]
 },
 "write": {
 "file": {
 "/etc/shadowsocks-libev/*": [ "write" ]
- }
+ },
+ "uci": [ "shadowsocks-libev" ]
 }
 }
 }
diff --git a/luci-app-snmpd/root/usr/share/rpcd/acl.d/luci-app-snmpd.json b/luci-app-snmpd/root/usr/share/rpcd/acl.d/luci-app-snmpd.json
new file mode 100644
index 000000000..1fc168524
--- /dev/null
+++ b/luci-app-snmpd/root/usr/share/rpcd/acl.d/luci-app-snmpd.json
@@ -0,0 +1,11 @@
+{
+ "luci-app-snmpd": {
+ "description": "Grant UCI access for luci-app-snmpd",
+ "read": {
+ "uci": [ "snmpd" ]
+ },
+ "write": {
+ "uci": [ "snmpd" ]
+ }
+ }
+}
\ No newline at end of file