# Description: Can use Online Accounts.
# Usage: common
/usr/share/accounts/** r,

dbus (receive, send)
     bus=session
     path=/com/google/code/AccountsSSO/SingleSignOn
     interface=com.google.code.AccountsSSO.SingleSignOn.AuthService
     peer=(label=unconfined),
dbus (receive, send)
     bus=session
     path=/com/google/code/AccountsSSO/SingleSignOn{,/**}
     interface=org.freedesktop.DBus.Properties
     peer=(label=unconfined),
dbus (receive, send)
     bus=session
     interface=com.google.code.AccountsSSO.SingleSignOn.AuthSession
     peer=(label=unconfined),
dbus (receive, send)
     bus=session
     interface=com.google.code.AccountsSSO.SingleSignOn.Identity
     peer=(label=unconfined),
dbus (receive, send)
     bus=session
     interface=com.ubuntu.OnlineAccountsUi
     peer=(label=unconfined),
dbus (receive)
     bus=session
     interface=com.google.code.AccountsSSO.Accounts
     peer=(label=unconfined),

# p2p support uses a named unix socket, available only to unconfined apps.
deny /{,var/}run/user/*/signond/socket rw,

# read access to accounts.db is ok
owner @{HOME}/.config/libaccounts-glib/accounts.db* rk,
# FIXME: LP: #1220713 - online accounts currently tries rw and falls back to
#        ro. This can go away once an access() LSM hook is implemented. For
#        now, just silence the denial.
deny @{HOME}/.config/libaccounts-glib/accounts.db* w,

# apps will dereference the symlinks in this directory to access their own
# accounts provider (which is in an app-specific directory). This is not an
# information leak on its own because users of this policy group have read
# access to accounts.db.
owner @{HOME}/.local/share/accounts/** r,

# Note: this API should *not* be allowed to normal apps, only the
# webapp-container. As such, we can't explicitly deny access here but it is
# listed as a comment to make sure it isn't accidentally added in the future.
# audit deny dbus (receive, send)
#                 bus=session
#                 interface=com.nokia.singlesignonui
#                 member=cookiesForIdentity,
