#include <tunables/global>

^/usr/syno/sbin/synoscgi//SYNO.MediaServer.IndexedFolder {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions.pkg/mediaserver-base>
	#include <abstractions.pkg/mediaserver-webapi>

	/volume*/@appstore/MediaServer/app/cgi/file_share.cgi		r,

	capability setgid,

	/usr/syno/etc/index_folder.conf								r,
	/usr/syno/etc/synoshare.db									rwk,

	/volume*/**/												r,
	/volume*/@*@/{,**/}											w,
}

^/usr/syno/sbin/synoscgi//SYNO.MediaServer.Setting {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions.pkg/mediaserver-base>
	#include <abstractions.pkg/mediaserver-webapi>

	network    inet  dgram,
	network    inet  stream,

	/etc/{dhclient,dhcpc}/{,**}										r,
	/usr/syno/etc/packages/MediaServer/dmsinfo.conf{,.*}			rwk,
	/usr/syno/etc/preference/*/usersettings							r,
}

^/usr/syno/sbin/synoscgi//SYNO.MediaServer.Log {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions.pkg/mediaserver-base>
	#include <abstractions.pkg/mediaserver-webapi>

	capability chown,
	capability fowner,

	/volume1/														r,
	/usr/syno/etc/packages/MediaServer/etc.log						rwk,
	/usr/syno/etc/packages/MediaServer/etc.log						a,
	/usr/syno/etc/packages/MediaServer/dmsinfo.conf{,.*}			rwk,
	/usr/syno/etc.defaults/mimetypes.txt							r,
}

^/usr/syno/sbin/synoscgi//SYNO.MediaServer.Menu {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions.pkg/mediaserver-base>
	#include <abstractions.pkg/mediaserver-webapi>

	/volume*/@appstore/MediaServer/app/texts/*/strings				r,
	/usr/syno/etc/packages/MediaServer/*.xml						rwk,
}

^/usr/syno/sbin/synoscgi//SYNO.MediaServer.ClientList {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions.pkg/mediaserver-base>
	#include <abstractions.pkg/mediaserver-webapi>

	/volume*/@appstore/MediaServer/etc/agent.conf					r,
	/usr/syno/etc/packages/MediaServer/client_list.json				rwk,
}

^/usr/syno/sbin/synoscgi//SYNO.MediaServer.VideoCollection {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions.pkg/mediaserver-base>
	#include <abstractions.pkg/mediaserver-webapi>

	/usr/syno/etc/packages/MediaServer/exposed_collection.json		rwk,
}

/volume*/@appstore/MediaServer/etc/transcoder/genericoder.cgi {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions.pkg/mediaserver-base>
	#include <abstractions.pkg/mediaserver-ffmpeg>

	/volume*/@appstore/MediaServer/etc/transcoder/genericoder.cgi	r,

	/volume*/@appstore/MediaServer/bin/ffmpeg						px,

	/etc/VERSION													r,
	/lib/libjson-c.so.0.1.0											r,
	/proc/platform_config											w,
	/usr/syno/etc/codec/											rwk,
	/usr/syno/etc/codec/activation.conf								rwk,

	/volume*/**														r,
	/volume*/@*@/{,**}												w,
}

/volume*/@appstore/MediaServer/etc/transcoder/videotranscoding.cgi {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions.pkg/mediaserver-base>
	#include <abstractions.pkg/mediaserver-ffmpeg>
	#include <abstractions.pkg/mediaserver-gstreamer>

	/volume*/@appstore/MediaServer/etc/transcoder/videotranscoding.cgi r,
	/volume*/@appstore/MediaServer/bin/synocodectool			px,

	capability chown,
	capability fowner,

	/volume*/@appstore/MediaServer/bin/ffmpeg					px,

	/dev/devmem													rw,
	/dev/null													rw,
	/proc/platform_config										w,

	/volume*/**													r,
	/volume*/@*@/{,**}											w,
	/volume1/@appstore/MediaServer/synovte/*					k,
}

/volume*/@appstore/MediaServer/etc/transcoder/jpegtnscaler.cgi {
	#include <abstractions/base>
	#include <abstractions/base-cgi>
	#include <abstractions.pkg/mediaserver-base>
	#include <abstractions.pkg/mediaserver-ffmpeg>
	#include <abstractions/imagemagick>

	/volume*/@appstore/MediaServer/etc/transcoder/jpegtnscaler.cgi	r,

	capability fowner,
	capability chown,

	/proc/platform_config											w,
	/volume*/@appstore/MediaServer/etc/*							r,
	/volume*/**														r,
	/volume*/**/@eaDir/{,**}										rwk,
	/volume*/@tmp/@synovideostation/{,**}							rwk,
	/volume*/@*@/{,**}												w,
}

/volume*/@appstore/MediaServer/scripts/S86synodms.sh {
	#include <abstractions/base>
	#include <abstractions.pkg/mediaserver-base>

	/volume*/@appstore/MediaServer/scripts/S86synodms.sh		r,
	/volume*/@appstore/MediaServer/scripts/S86synodms.sh		ix,

	capability sys_ptrace,
	capability dac_override,
	capability setgid,

	network    inet  dgram,

	/usr/syno/sbin/synoservice								ix,
	/volume*/@appstore/MediaServer/sbin/dms						px,
	/volume*/@appstore/MediaServer/sbin/lighttpd				px,

	/lib/libcrypt.so.1											mr,
	/lib/libm.so.6												r,
	/lib/libcrypt.so.1											r,
	/lib/libsynocore.so.5										mr,
	/lib/libsynosdk.so.5										mr,
	/usr/syno/etc/packages/MediaServer/dmsinfo.conf				r,
	/usr/syno/etc/synoservice.d/pgsql.cfg						r,
	/usr/syno/etc/synoservice.override/pgsql.cfg				r,
	/var/log/synopkg.log										w,
	/var/log/lighttpd/											rwk,
	/etc/passwd													r,
	/dev/pts/0													rw,
	/dev/tty													rw,
	/etc/nsswitch.conf											r,
}

/volume*/@appstore/MediaServer/scripts/sql/video_metadata.sh {
	#include <abstractions/base>
	#include <abstractions.pkg/mediaserver-base>

	/volume*/@appstore/MediaServer/scripts/sql/video_metadata.sh	r,

	capability setgid,
	capability setuid,

	/volume*/@appstore/MediaServer/scripts/sql/upgrade/				r,
	/volume*/@appstore/MediaServer/scripts/sql/upgrade/*			ix,
	/volume*/@appstore/MediaServer/scripts/sql/upgrade/*			r,

	/etc/group														r,
	/etc/nsswitch.conf												r,
	/etc/passwd														r,
	/etc/profile													r,
	/lib/libc.so.6													r,
	/lib/libcrypt.so.1												mr,
	/lib/libm.so.6													mr,
	/var/log/synopkg.log											w,
	/dev/tty														rw,
	/																r,
	/etc/pam.d/*													r,
	/etc/shadow														r,
}

/volume*/@appstore/MediaServer/sbin/dms {
	#include <abstractions/base>
	#include <abstractions.pkg/mediaserver-base>

	capability sys_nice,
	capability setuid,
	capability setgid,
	capability dac_override,
	capability dac_read_search,
	capability chown,
	capability mknod,

	network    inet  dgram,
	network    inet  stream,

	/var/log/dms.log*											rwk,
	/usr/syno/etc/packages/MediaServer/client_list.json			rwk,
	/usr/syno/etc/packages/MediaServer/client_list.tmp.json		rwk,
	/usr/syno/etc/packages/MediaServer/exposed_collection.json	rwk,
	/usr/syno/etc/index_folder.conf								r,
	/usr/syno/etc/synoshare.db									rwk,
	/usr/syno/etc.defaults/mimetypes.txt						r,
	/usr/syno/etc/packages/MediaServer/*						r,
	/etc/nsswitch.conf											r,
	/etc/passwd													r,
	/etc/group													r,
	/usr/syno/etc/radio/{,*.json}								rwk,
	/etc/host.conf												r,
	/etc/hosts													r,
	/etc/resolv.conf											r,
	/etc/shadow													r,
	/usr/syno/etc/packages/VideoStation/folder.conf				rk,
	/usr/share/samba/codepages/lowcase.dat						r,
	/usr/share/samba/codepages/upcase.dat						r,
	/usr/syno/etc/smb.conf										r,
	/etc/mt-daapd.playlist										rwk,
	/etc/{dhclient,dhcpc}/{,**}									r,
	/etc/sysconfig/network-scripts/ifcfg-*						rwk,
	/usr/syno/etc.defaults/www/DSM.json							r,
	/usr/syno/etc/www/DSM.json									r,
	/dev/tty													rw,
	/etc/ssl/openssl.cnf										r,
	/usr/syno/etc/packages/										r,
	/usr/syno/etc/synoservice.d/nslcd.cfg						r,

	/volume*/@appstore/MediaServer/sbin/dms						r,
	/volume*/@appstore/MediaServer/etc/agent.conf				r,
	/volume*/@appstore/MediaServer/app/texts/*/strings			r,
	/volume*/@appstore/MediaServer/etc/*						r,
	/volume*/@appstore/MediaServer/etc/initall.xml				rwk,
	/volume*/@appstore/MediaServer/synovte/{,*}					r,
	/volume*/**													r,
	/volume*/@*@/{,**}												w,
}

/volume*/@appstore/MediaServer/sbin/dmsuser {
	#include <abstractions/base>
	#include <abstractions.pkg/mediaserver-base>

	/usr/syno/etc/packages/MediaServer/exposed_collection.json		rwk,
}

/volume*/@appstore/MediaServer/sbin/lighttpd {
	#include <abstractions/base>
	#include <abstractions.pkg/mediaserver-base>

	/volume*/@appstore/MediaServer/sbin/lighttpd				r,

	capability dac_override,
	capability block_suspend,
	capability setuid,
	capability setgid,
	network    inet  stream,

	/volume*/@appstore/MediaServer/etc/transcoder/genericoder.cgi		px,
	/volume*/@appstore/MediaServer/etc/transcoder/videotranscoding.cgi	r,
	/volume*/@appstore/MediaServer/etc/transcoder/videotranscoding.cgi	px,
	/volume*/@appstore/MediaServer/etc/transcoder/jpegtnscaler.cgi		px,
	/volume*/@appstore/MediaServer/bin/confmimetype						r,
	/volume*/@appstore/MediaServer/bin/confmimetype						px,

	/volume*/@appstore/MediaServer/lib/lighttpd/mod_*			mr,
	/lib/libixml.so.*											mr,
	/lib/libthreadutil.so.*										mr,
	/lib/libupnp.so.*											mr,
	/var/log/lighttpd/											rwk,
	/var/log/lighttpd/access.log*								rwk,
	/var/log/lighttpd/access.log*								a,
	/var/log/lighttpd/error.log*								rwk,
	/var/log/lighttpd/error.log*								a,
	/usr/syno/etc/packages/MediaServer/dmsinfo.conf				r,
	/etc/nsswitch.conf											r,
	/etc/passwd													r,
	/dev/tty													rw,
	/etc/group													r,
	/															r,

	/volume*/**													r,
	/volume*/@appstore/MediaServer/etc/lighttpd.conf			r,
	/volume*/@appstore/MediaServer/etc/lighttpd.debug			r,
	/volume*/@*@/{,**}											w,
}

/volume*/@appstore/MediaServer/sbin/dmsvlan {
	#include <abstractions/base>
	#include <abstractions.pkg/mediaserver-base>
}

/volume*/@appstore/MediaServer/bin/ffmpeg {
	#include <abstractions/base>
	#include <abstractions.pkg/mediaserver-base>
	#include <abstractions.pkg/mediaserver-ffmpeg>

	capability sys_nice,
	capability sys_rawio,
	capability dac_override,

	/volume*/@appstore/MediaServer/bin/synocodectool			px,

	/proc/platform_config										w,
	/lib/libsynosdk.so.5										mr,
	/dev/devmem													rw,
	/dev/smdmsg													rw,
	/dev/dri/renderD128											rw,
	/proc/sven													w,

	/volume*/**													r,
	/volume*/@*@/{,**}											w,
}

/volume*/@appstore/MediaServer/bin/confmimetype {
	#include <abstractions/base>
	#include <abstractions.pkg/mediaserver-base>

	/volume*/@appstore/MediaServer/bin/confmimetype				r,

	/usr/syno/etc.defaults/mimetypes.txt						r,
	/usr/syno/etc/packages/MediaServer/dmsinfo.conf				r,
}

/volume*/@appstore/MediaServer/bin/synocodectool {
	#include <abstractions/base>
	#include <abstractions.pkg/mediaserver-base>
	#include <abstractions/curl>

	capability dac_override,

	network,

	/usr/syno/bin/synodsmnotify									px,

	/volume*/@appstore/MediaServer/bin/synocodectool			r,

	/etc/VERSION												r,
	/etc/ssl/openssl.cnf										r,
	/etc/host.conf												r,
	/etc/nsswitch.conf											r,
	/etc/resolv.conf											r,
	/etc/hosts													r,
	/etc/shadow													r,
	/dev/tty													rw,
	/etc/passwd													r,
	/etc/synosyslog/client.conf									r,
	/usr/syno/etc/extra-admin-CMS								r,
	/usr/syno/etc/smb.conf										r,
	/usr/syno/etc/codec/{,activation.conf}						rwk,
}

/volume*/@appstore/MediaServer/user_data_collector/synouserdata_mediaserver {
	#include <abstractions/base>
	#include <abstractions.pkg/mediaserver-base>

	/usr/syno/etc/packages/MediaServer/client_list.json			r,
	/usr/syno/etc/packages/MediaServer/client_list.tmp.json		r,
	/usr/syno/etc/packages/MediaServer/dmsinfo.conf				r,
	/var/packages/MediaServer/INFO								r,
}

