diff options
| author |  tux93 <tux93@users.noreply.github.com> | 2024-02-24 09:44:53 +0100 |
|---|---|---|
| committer |  GitHub <noreply@github.com> | 2024-02-24 09:44:53 +0100 |
| commit | d8956d710e114150dfb422f4d21f0a69e5e5829a (patch) | |
| tree | 743f593caf836ffcd0b15c058949e349fe8a77ef /example | |
| parent | [docs] Add oauth token authentication workflow (#2655) (diff) | |
| download | gotosocial-d8956d710e114150dfb422f4d21f0a69e5e5829a.tar.xz | |
[docs/bugfix] Allow access to TMP directories in example AppArmor config (#2683)
* Remove trailing whitespace from example config
* Update and extend example AppArmor profile
Diffstat (limited to 'example')
| -rw-r--r-- | example/apparmor/gotosocial | 37 | ||||
| -rw-r--r-- | example/config.yaml | 10 |
2 files changed, 30 insertions, 17 deletions
diff --git a/example/apparmor/gotosocial b/example/apparmor/gotosocial index 40686194d..7f1bfc4bc 100644 --- a/example/apparmor/gotosocial +++ b/example/apparmor/gotosocial @@ -1,40 +1,53 @@ #include <tunables/global> profile gotosocial flags=(attach_disconnected, mediate_deleted) { - #include <abstractions/base> - #include <abstractions/nameservice> + include <abstractions/base> + include <abstractions/dbus-session-strict> + include <abstractions/gio-open> + include <abstractions/nameservice> + include <abstractions/user-tmp> /gotosocial/gotosocial mrix, - /usr/bin/gotosocial mrix, /usr/local/bin/gotosocial mrix, + /usr/bin/gotosocial mrix, + /usr/sbin/gotosocial mrix, owner /gotosocial/{,**} r, owner /gotosocial/db/* wk, owner /gotosocial/storage/** wk, # Allow GoToSocial to write logs - # # NOTE: you only need to allow write permissions to /var/log/syslog if you've - # enabled logging to syslog. Otherwise, you can comment out that line. - /var/log/gotosocial/* w, - owner /var/log/syslog w, + # enabled logging to syslog. + # owner /var/log/syslog w, # These directories are not currently used by any of the recommended # GoToSocial installation methods, but they may be used in the future and/or # for custom installations. owner /etc/gotosocial/{,**} r, - owner /usr/lib/gotosocial/{,**} r, - owner /usr/share/gotosocial/{,**} r, owner /usr/local/etc/gotosocial/{,**} r, - owner /usr/local/lib/gotosocial/{,**} r, + owner /usr/share/gotosocial/{,**} r, owner /usr/local/share/gotosocial/{,**} r, + owner /usr/lib/gotosocial/{,**} r, + owner /usr/lib/gotosocial/db/* wk, + owner /usr/lib/gotosocial/storage/** wk, + owner /usr/local/lib/gotosocial/{,**} r, + owner /usr/local/lib/gotosocial/db/* wk, + owner /usr/local/lib/gotosocial/storage/** wk, owner /var/lib/gotosocial/{,**} r, + owner /var/lib/gotosocial/db/* wk, + owner /var/lib/gotosocial/storage/** wk, owner /opt/gotosocial/{,**} r, owner /run/gotosocial/{,**} r, + /etc/mime.types r, + /etc/services r, /proc/sys/net/core/somaxconn r, + /sys/fs/cgroup/system.slice/gotosocial.service/{,*} r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner @{PROC}/@{pid}/cpuset r, + owner /proc/*/cgroup r, + owner /proc/*/cpuset r, + owner /proc/*/mountinfo r, # TCP / UDP network access network inet stream, @@ -42,9 +55,9 @@ profile gotosocial flags=(attach_disconnected, mediate_deleted) { network inet dgram, network inet6 dgram, - # Allow GoToSocial to send signals to/receive signals from worker processes # Allow GoToSocial to receive signals from unconfined processes signal (receive) peer=unconfined, + # Allow GoToSocial to send signals to/receive signals from worker processes signal (send,receive) peer=gotosocial, } diff --git a/example/config.yaml b/example/config.yaml index 4b0b42f5b..904ae7a8f 100644 --- a/example/config.yaml +++ b/example/config.yaml @@ -296,7 +296,7 @@ instance-languages: [] # String. Federation mode to use for this instance. # -# "blocklist" -- open federation by default. Only instances that are explicitly +# "blocklist" -- open federation by default. Only instances that are explicitly # blocked will be denied (unless they are also explicitly allowed). # # "allowlist" -- closed federation by default. Only instances that are explicitly @@ -468,7 +468,7 @@ media-remote-cache-days: 7 # String. 24hr time of day formatted as hh:mm. # Examples: ["14:30", "00:00", "04:00"] -# Default: "00:00" (midnight). +# Default: "00:00" (midnight). media-cleanup-from: "00:00" # Duration. Period between media cleanup runs. @@ -871,7 +871,7 @@ http-client: # # THIS SETTING SHOULD BE USED FOR TESTING ONLY! IF YOU TURN THIS # ON WHILE RUNNING IN PRODUCTION YOU ARE LEAVING YOUR SERVER WIDE - # OPEN TO MAN IN THE MIDDLE ATTACKS! DO NOT CHANGE THIS SETTING + # OPEN TO MAN IN THE MIDDLE ATTACKS! DO NOT CHANGE THIS SETTING # UNLESS YOU KNOW EXACTLY WHAT YOU'RE DOING AND WHY YOU'RE DOING IT. # # Default: false @@ -1026,7 +1026,7 @@ advanced-sender-multiplier: 2 # generate a correct Content-Security-Policy, you probably won't need # to ever touch this setting, but it's included in the 'spirit of more # configurable (usually) means more good'. -# +# # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP # # Example: ["s3.example.org", "some-bucket-name.s3.example.org"] @@ -1048,4 +1048,4 @@ advanced-csp-extra-uris: [] # # Options: ["block", "allow", ""] # Default: "" -advanced-header-filter-mode: ""
\ No newline at end of file +advanced-header-filter-mode: "" |