# Description: Can access the network
# Usage: common
#include <abstractions/nameservice>
#include <abstractions/openssl>

# DownloadManager
dbus (send)
     bus=session
     interface="org.freedesktop.DBus.Introspectable"
     path=/
     member=Introspect,
dbus (send)
     bus=session
     interface="org.freedesktop.DBus.Introspectable"
     path=/com/canonical/applications/download/**
     member=Introspect,
# Allow DownloadManager to send us signals, etc
dbus (receive)
     bus=session
     interface=com.canonical.applications.Download{,er}Manager,
# Restrict apps to just their own downloads
dbus (receive, send)
     bus=session
     path=/com/canonical/applications/download/@{APP_ID_DBUS}/**
     interface=com.canonical.applications.Download,
dbus (receive, send)
     bus=session
     path=/com/canonical/applications/download/@{APP_ID_DBUS}/**
     interface=com.canonical.applications.GroupDownload,
# Be explicit about the allowed members we can send to
dbus (send)
     bus=session
     path=/
     interface=com.canonical.applications.DownloadManager
     member=com.canonical.applications.Downloader.createDownload,
dbus (send)
     bus=session
     path=/
     interface=com.canonical.applications.DownloadManager
     member=com.canonical.applications.Downloader.createDownloadGroup,
dbus (send)
     bus=session
     path=/
     interface=com.canonical.applications.DownloadManager
     member=com.canonical.applications.Downloader.getAllDownloads,
dbus (send)
     bus=session
     path=/
     interface=com.canonical.applications.DownloadManager
     member=com.canonical.applications.Downloader.getAllDownloadsWithMetadata,
dbus (send)
     bus=session
     path=/
     interface=com.canonical.applications.DownloadManager
     member=com.canonical.applications.Downloader.defaultThrottle,
dbus (send)
     bus=session
     path=/
     interface=com.canonical.applications.DownloadManager
     member=com.canonical.applications.Downloader.isGSMDownloadAllowed,
# Explicitly deny DownloadManager APIs apps shouldn't have access to in order
# to make sure they aren't accidentally added in the future (see LP: #1277578
# for details)
audit deny dbus (send)
     bus=session
     member=com.canonical.applications.Downloader.allowGSMDownload,
audit deny dbus (send)
     bus=session
     member=com.canonical.applications.Downloader.createMmsDownload,
audit deny dbus (send)
     bus=session
     member=com.canonical.applications.Downloader.exit,
audit deny dbus (send)
     bus=session
     member=com.canonical.applications.Downloader.setDefaultThrottle,

# We want to explicitly deny access to NetworkManager because its DBus API
# gives away too much
deny dbus (receive, send)
     bus=system
     path=/org/freedesktop/NetworkManager,
deny dbus (receive, send)
     bus=system
     peer=(name=org.freedesktop.NetworkManager),

# Do the same for ofono (LP: #1226844)
deny dbus (receive, send)
     bus=system
     interface="org.ofono.Manager",
