policy_module(syncthing, 1.1.0)

########################################
#
# Declarations
#

attribute_role syncthing_roles;
role syncthing_roles types syncthing_t;

type syncthing_t;
type syncthing_exec_t;
init_daemon_domain(syncthing_t, syncthing_exec_t)
userdom_user_application_domain(syncthing_t, syncthing_exec_t)

type syncthing_xdg_config_t alias syncthing_config_home_t;
xdg_config_content(syncthing_xdg_config_t)

########################################
#
# Declarations
#

allow syncthing_t self:process { signal_perms setpgid setsched getsched };
allow syncthing_t self:fifo_file rw_fifo_file_perms;
allow syncthing_t self:tcp_socket { listen accept };

can_exec(syncthing_t, syncthing_exec_t)
corecmd_exec_bin(syncthing_t)

manage_dirs_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
manage_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
manage_lnk_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)

kernel_read_kernel_sysctls(syncthing_t)
kernel_read_net_sysctls(syncthing_t)
kernel_read_system_state(syncthing_t)

corenet_tcp_sendrecv_generic_if(syncthing_t)
corenet_udp_sendrecv_generic_if(syncthing_t)
corenet_tcp_bind_generic_node(syncthing_t)
corenet_tcp_sendrecv_generic_node(syncthing_t)
corenet_tcp_sendrecv_all_ports(syncthing_t)
corenet_udp_bind_generic_node(syncthing_t)
corenet_udp_sendrecv_generic_node(syncthing_t)
corenet_udp_sendrecv_all_ports(syncthing_t)
corenet_tcp_connect_all_ports(syncthing_t)
corenet_tcp_bind_syncthing_port(syncthing_t)
corenet_udp_bind_syncthing_discovery_port(syncthing_t)
corenet_tcp_bind_syncthing_admin_port(syncthing_t)

dev_read_rand(syncthing_t)
dev_read_urand(syncthing_t)

fs_getattr_xattr_fs(syncthing_t)

auth_use_nsswitch(syncthing_t)

miscfiles_read_generic_certs(syncthing_t)
miscfiles_read_localization(syncthing_t)

userdom_user_content_access_template(syncthing, syncthing_t)

userdom_use_user_terminals(syncthing_t)

optional_policy(`
	# temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
	networkmanager_read_pid_files(syncthing_t)
')