File: //etc.defaults/apparmor.d/abstractions/synoscgi
#include <httpd>
#include <abstractions/base>
#include <abstractions/base-cgi>
#include <abstractions/libsynodaemon>
#include <abstractions/libsynosharing>
# Rule set of the "synoscgi" abstraction (name taken from the file path).
# Presumably pulled into the profile of the web server process that launches
# the management CGIs -- confirm against the profiles that reference it.
#
# NOTE(review): the capabilities below are broad for a network-facing process.
# Each grant should have a documented consumer; drop the ones that have none.
# setgid/setuid: change process group/user identity.
capability setgid,
capability setuid,
# dac_override: bypass discretionary file permission checks.
capability dac_override,
# net_admin / net_bind_service / net_raw: network configuration, binding to
# privileged ports, and raw/packet sockets.
capability net_admin,
capability net_bind_service,
capability net_raw,
# sys_module: load and unload kernel modules.
# NOTE(review): unusual for a CGI host; a holder of this capability is not
# meaningfully contained by file rules. Verify it is still required.
capability sys_module,
# chown / fowner: change file ownership and bypass owner-match checks.
capability chown,
capability fowner,
# Bare "network" rule: every address family and socket type is allowed.
network,
# Read access to the root directory entry itself (not its subtree).
/ r,
# Session state: read/write plus "m" (mmap with PROT_EXEC).
/usr/syno/etc/private/session/** mrw,
# Whole web UI tree: read, write, executable mmap and file locking.
# NOTE(review): this write access covers the same tree from which *.cgi files
# are executed by the px/ux rules further down; consider narrowing "w" to the
# subdirectories that really hold mutable data.
/usr/syno/synoman/** mrwk,
# NOTE(review): there is no "/" before "**", so the pattern also matches sibling
# paths that merely start with "/var/spool/webapi" (e.g. a "webapi-other"
# directory). Confirm that is intended.
/var/spool/webapi** mrwk,
# The CGIs listed below use "px": each is executed under its own separately
# defined profile, and the exec is refused when no such profile is loaded.
# Lowercase "px" leaves the environment unscrubbed (uppercase "Px" would clean it).
/usr/syno/synoman/DSFile/queryWebdav.cgi px,
/usr/syno/synoman/redirect.cgi px,
/usr/syno/synoman/webapi/encryption.cgi px,
/usr/syno/synoman/webapi/entry.cgi px,
/usr/syno/synoman/webman/authenticate.cgi px,
/usr/syno/synoman/webman/dsmtoken.cgi px,
/usr/syno/synoman/webman/error.cgi px,
/usr/syno/synoman/webman/forget_passwd.cgi px,
/usr/syno/synoman/webman/imageSelector.cgi px,
/usr/syno/synoman/webman/index.cgi px,
/usr/syno/synoman/webman/initdata.cgi px,
/usr/syno/synoman/webman/login.cgi px,
/usr/syno/synoman/webman/logout.cgi px,
/usr/syno/synoman/webman/mail_otp.cgi px,
/usr/syno/synoman/webman/mapp/uistrings.cgi px,
/usr/syno/synoman/webman/modules/AudioPlayer/webapi/stream.cgi px,
/usr/syno/synoman/webman/modules/DSMNotify/dsmnotify.cgi px,
/usr/syno/synoman/webman/modules/DiskMessageHandler/volumeHandler.cgi px,
/usr/syno/synoman/webman/modules/HelpBrowser/HelpBrowser.cgi px,
/usr/syno/synoman/webman/modules/PersonalSettings/personal.cgi px,
/usr/syno/synoman/webman/modules/PixlrImageEditor/editor.cgi px,
/usr/syno/synoman/webman/modules/PollingTask/polling.cgi px,
/usr/syno/synoman/webman/setup_otp.cgi px,
/usr/syno/synoman/webman/synohdpack.cgi px,
/usr/syno/synoman/webman/security.cgi px,
/usr/syno/synoman/webman/wallpaper.cgi px,
/usr/syno/synoman/sharing/sharing.cgi px,
/usr/syno/synoman/sharing/redirect.cgi px,
/usr/syno/synoman/sharing/initdata.cgi px,
/usr/syno/bin/synosearchagent px,
# Catch-all for every other *.cgi in the web UI tree: "ux" executes the binary
# with no AppArmor confinement at all, and lowercase "ux" keeps the caller's
# environment. Presumably the exact-path "px" rules above take precedence over
# this glob -- verify with the parser version in use.
# NOTE(review): any CGI without its own profile therefore runs unconfined.
/usr/syno/synoman{,/**}/*.cgi ux,
# Kept so that httpd-sys stays compatible with third-party packages and with
# packages that do not ship an AppArmor profile.
# NOTE(review): "rkmux" = read, lock, executable mmap and unconfined execute for
# everything under the package directories; package code is not confined by
# this policy.
/volume*/@appstore/** rkmux,
/usr/local/packages/@appstore/** rkmux,
# Same unconfined-execute pattern for *.cgi files under /usr/local/timebkp.
/usr/local/timebkp{,/**}/*.cgi ux,
# Hat (sub-profile, "^" prefix) named DefaultHat. Presumably the fallback hat
# the web server switches into when no more specific hat applies -- confirm
# against the server's change_hat configuration.
#
# Flags:
#   attach_disconnected - paths that are disconnected from the namespace are
#                         treated as if attached to "/".
#   mediate_deleted     - accesses to already-deleted files are still mediated.
#   complain            - violations are logged, not denied.
#
# NOTE(review): with "complain" set this hat blocks nothing, and the rules below
# would allow almost everything even in enforce mode (nearly every capability,
# all networking, mount/umount, "/**" with write and unconfined exec, and a
# transition to "unconfined"). Treat code running in this hat as unconfined
# when assessing exposure; its practical value is the audit log.
^DefaultHat flags=(attach_disconnected, mediate_deleted, complain) {
capability block_suspend,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability linux_immutable,
capability net_admin,
capability net_bind_service,
capability net_broadcast,
capability net_raw,
capability ipc_lock,
capability ipc_owner,
capability setgid,
capability setuid,
capability setpcap,
capability sys_admin,
capability sys_boot,
capability sys_chroot,
capability sys_module,
capability sys_nice ,
capability sys_pacct,
capability sys_ptrace,
capability sys_rawio,
capability sys_resource,
capability sys_time,
capability sys_tty_config,
capability mknod,
capability lease,
# Unrestricted networking and unrestricted mount/umount operations.
network,
mount,
umount,
/ r,
# Every path: executable mmap, read, write, link, lock and unconfined execute.
/** mrwlkux,
# The process may switch itself to the "unconfined" profile.
change_profile -> unconfined,
}
# Hat named DefaultSharingHat; judging by the name it serves the file-sharing
# CGIs -- confirm against the caller. Much narrower than DefaultHat: three
# capabilities and file access limited to the volumes.
#
# NOTE(review): the "complain" flag means these limits are only logged, not
# enforced. The restriction takes effect only once the flag is removed.
^DefaultSharingHat flags=(attach_disconnected, mediate_deleted, complain) {
#include <abstractions/base>
#include <abstractions/base-cgi>
# Identity and ownership changes only.
capability setuid,
capability setgid,
capability chown,
/ r,
# All volume contents: executable mmap, read, write, link, lock, and "ix"
# (executed programs inherit this hat's confinement; no transition to
# another profile or to unconfined).
/volume*/** mrwlkix,
}