<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
    <!--
        The bus name scope is shared between the openvpn3-service-backendstart
        and openvpn3-service-client processes.  They all use different
        well-known bus names, but they share the same prefix - starting
        with: net.openvpn.v3.backends

        The -backendstart process uses:  net.openvpn.v3.backends
        while the -client processes uses: net.openvpn.v3.backends.be$PID
    -->

  <policy context="default">
    <allow send_destination="net.openvpn.v3.backends"
           send_path="/net/openvpn/v3/backends"
           send_interface="org.freedesktop.DBus.Introspectable"
           send_type="method_call"
           send_member="Introspect"/>

    <allow send_destination="net.openvpn.v3.backends"
           send_path="/net/openvpn/v3/backends"
           send_interface="org.freedesktop.DBus.Properties"
           send_type="method_call"
           send_member="Get"/>

    <allow send_destination="net.openvpn.v3.backends"
           send_path="/net/openvpn/v3/backends"
           send_interface="org.freedesktop.DBus.Properties"
           send_type="method_call"
           send_member="GetAll"/>

    <allow send_destination="net.openvpn.v3.backends"
           send_interface="org.freedesktop.DBus.Peer"
           send_type="method_call"
           send_member="Ping"/>

    <!--
         Only the "@OPENVPN_USERNAME@" user is allowed to
         receive signals from net.openvpn.v3.backend interfaces.
    -->
    <deny receive_interface="net.openvpn.v3.backends"
          receive_type="signal"/>
  </policy>

  <policy user="@OPENVPN_USERNAME@">
    <!--                                -->
    <!--  net.openvpn.v3.backends       -->
    <!--                                -->
    <allow own="net.openvpn.v3.backends"/>

    <allow send_destination="net.openvpn.v3.backends"
           send_interface="net.openvpn.v3.backends"
           send_path="/net/openvpn/v3/backends"
           send_type="method_call"
           send_member="StartClient"/>

    <allow send_destination="net.openvpn.v3.backends"
           send_interface="org.freedesktop.DBus.Peer"
           send_type="method_call"
           send_member="Ping"/>
  </policy>
</busconfig>
