authorLibravatar tobi <31960611+tsmethurst@users.noreply.github.com>2024-09-28 16:58:39 +0200
committerLibravatar GitHub <noreply@github.com>2024-09-28 16:58:39 +0200
commit7978d88a01c3f868ff49a3510464ee4f5a9b92a7 (patch)
treecf27bc41bc58b7d03f3515ff799261157fac8d46 /example/apparmor
parentupdate modernc/sqlite to v1.33.1 (with our concurrency workaround) (#3367) (diff)
[chore] Update apparmor example file (#3368)
Diffstat (limited to 'example/apparmor')
-rw-r--r--example/apparmor/gotosocial38
1 files changed, 30 insertions, 8 deletions
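--- a/example/apparmor/gotosocial
+++ b/example/apparmor/gotosocial
@@ -7,23 +7,44 @@ profile gotosocial flags=(attach_disconnected, mediate_deleted) {
 include <abstractions/nameservice>
 include <abstractions/user-tmp>
+ # Allow common binary install paths.
+ #
+ # You can change or remove these depending on
+ # where you've installed your GoToSocial binary.
 /gotosocial/gotosocial mrix,
 /usr/local/bin/gotosocial mrix,
 /usr/bin/gotosocial mrix,
 /usr/sbin/gotosocial mrix,
+ # Allow access to GoToSocial's storage and database paths.
+ # Change these depending on your db + storage locations.
 owner /gotosocial/{,**} r,
 owner /gotosocial/db/* wk,
 owner /gotosocial/storage/** wk,
- # Allow GoToSocial to write logs
- # NOTE: you only need to allow write permissions to /var/log/syslog if you've
- # enabled logging to syslog.
+ # Embedded ffmpeg needs read
+ # permission on /dev/urandom.
+ owner /dev/ r,
+ owner /dev/urandom r,
+
+ # Temp dir access is needed for storing
+ # files briefly during media processing.
+ owner /tmp/ r,
+ owner /tmp/* rwk,
+
+ # If running with GTS_WAZERO_COMPILATION_CACHE set,
+ # change + uncomment the below lines as appropriate:
+ # owner /your/wazero/cache/directory/ r,
+ # owner /your/wazero/cache/directory/** rwk,
+
+ # If you've enabled logging to syslog, allow GoToSocial
+ # to write logs by uncommenting the following line:
 # owner /var/log/syslog w,
- # These directories are not currently used by any of the recommended
- # GoToSocial installation methods, but they may be used in the future and/or
- # for custom installations.
+ # These directories are not currently used by any of
+ # the recommended GoToSocial installation methods, but
+ # may be used in the future and/or for custom installs.
+ # Delete them if you prefer.
 owner /etc/gotosocial/{,**} r,
 owner /usr/local/etc/gotosocial/{,**} r,
 owner /usr/share/gotosocial/{,**} r,
@@ -55,9 +76,10 @@ profile gotosocial flags=(attach_disconnected, mediate_deleted) {
 network inet dgram,
 network inet6 dgram,
- # Allow GoToSocial to receive signals from unconfined processes
+ # Allow GoToSocial to receive signals from unconfined processes.
 signal (receive) peer=unconfined,
- # Allow GoToSocial to send signals to/receive signals from worker processes
+
+ # Allow GoToSocial to send signals to/receive signals from worker processes.
 signal (send,receive) peer=gotosocial,
 }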
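Review bot: The new `owner /dev/ r,`, `owner /dev/urandom r,` and `owner /tmp/ r,` rules in the first hunk will not grant the access their comments describe when GoToSocial runs as an unprivileged service user, because the `owner` qualifier only matches files whose owner uid equals the process's fsuid, and /dev, /dev/urandom and /tmp are root-owned on a standard system. Dropping the qualifier on those three lines — `/dev/ r,`, `/dev/urandom r,`, `/tmp/ r,` — while keeping `owner /tmp/* rwk,` for the files the process creates itself gives the intended read access; if the profile is only ever expected to run as root the qualifier is harmless but misleading. Separately, `/tmp/*` matches only direct children of /tmp, so if media processing creates a subdirectory there `/tmp/**` would be needed — the hunk does not show which it does. The profile block starts before the first hunk and its body continues between the two hunks.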