<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy context="default">
    <allow send_destination="net.openvpn.v3.devposture"
           send_path="/net/openvpn/v3/devposture"
           send_interface="org.freedesktop.DBus.Introspectable"
           send_type="method_call"
           send_member="Introspect"/>

    <allow send_destination="net.openvpn.v3.devposture"
           send_path="/net/openvpn/v3/devposture"
           send_interface="org.freedesktop.DBus.Properties"
           send_type="method_call"
           send_member="Get"/>

    <allow send_destination="net.openvpn.v3.devposture"
           send_path="/net/openvpn/v3/devposture"
           send_interface="org.freedesktop.DBus.Peer"
           send_type="method_call"
           send_member="Ping"/>

    <!--
         Only the "@OPENVPN_USERNAME@" user is allowed to
         receive signals from net.openvpn.v3.devposture interfaces.
    -->
    <deny receive_interface="net.openvpn.v3.devposture"
          receive_type="signal"/>
  </policy>

  <policy user="@OPENVPN_USERNAME@">
    <!--                                -->
    <!--  net.openvpn.v3.devposture     -->
    <!--                                -->
    <allow own="net.openvpn.v3.devposture"/>

    <allow receive_interface="net.openvpn.v3.devposture"
           receive_type="signal"
           receive_member="Log"/>

    <allow send_destination="net.openvpn.v3.devposture"
           send_interface="net.openvpn.v3.devposture"
           send_path="/net/openvpn/v3/devposture"
           send_type="method_call"
           send_member="GetRegisteredModules"/>

    <allow send_destination="net.openvpn.v3.devposture"
           send_interface="net.openvpn.v3.devposture"
           send_path="/net/openvpn/v3/devposture"
           send_type="method_call"
           send_member="ProtocolLookup"/>

    <allow send_destination="net.openvpn.v3.devposture"
           send_interface="net.openvpn.v3.devposture"
           send_path="/net/openvpn/v3/devposture"
           send_type="method_call"
           send_member="RunChecks"/>

    <allow send_destination="net.openvpn.v3.devposture"
           send_interface="org.freedesktop.DBus.Peer"
           send_path="/net/openvpn/v3/devposture"
           send_type="method_call"
           send_member="Ping"/>

    <!--
         This method is provided by each device posture check module,
         which is why there is no send_path defined; each module has
         their own path"
    -->
    <allow send_destination="net.openvpn.v3.devposture"
           send_interface="net.openvpn.v3.devicecheck"
           send_type="method_call"
           send_member="Run"/>
  </policy>
</busconfig>
