Diffstat (limited to 'example/apparmor')
| -rw-r--r-- | example/apparmor/gotosocial | 38 | 
1 files changed, 30 insertions, 8 deletions
diff --git a/example/apparmor/gotosocial b/example/apparmor/gotosocial
index 7f1bfc4bc..a36c83cc7 100644
--- a/example/apparmor/gotosocial
+++ b/example/apparmor/gotosocial
@@ -7,23 +7,44 @@ profile gotosocial flags=(attach_disconnected, mediate_deleted) {
   include <abstractions/nameservice>
   include <abstractions/user-tmp>
+  # Allow common binary install paths.
+  #
+  # You can change or remove these depending on
+  # where you've installed your GoToSocial binary.
   /gotosocial/gotosocial mrix,
   /usr/local/bin/gotosocial mrix,
   /usr/bin/gotosocial mrix,
   /usr/sbin/gotosocial mrix,
+  # Allow access to GoToSocial's storage and database paths.
+  # Change these depending on your db + storage locations.
   owner /gotosocial/{,**} r,
   owner /gotosocial/db/* wk,
   owner /gotosocial/storage/** wk,
-  # Allow GoToSocial to write logs
-  # NOTE: you only need to allow write permissions to /var/log/syslog if you've
-  # enabled logging to syslog.
+  # Embedded ffmpeg needs read
+  # permission on /dev/urandom.
+  owner /dev/ r,
+  owner /dev/urandom r,
+
+  # Temp dir access is needed for storing
+  # files briefly during media processing.
+  owner /tmp/ r,
+  owner /tmp/* rwk,
+
+  # If running with GTS_WAZERO_COMPILATION_CACHE set,
+  # change + uncomment the below lines as appropriate:
+  # owner /your/wazero/cache/directory/ r,
+  # owner /your/wazero/cache/directory/** rwk,
+
+  # If you've enabled logging to syslog, allow GoToSocial
+  # to write logs by uncommenting the following line:
   # owner /var/log/syslog w,
-  # These directories are not currently used by any of the recommended
-  # GoToSocial installation methods, but they may be used in the future and/or
-  # for custom installations.
+  # These directories are not currently used by any of
+  # the recommended GoToSocial installation methods, but
+  # may be used in the future and/or for custom installs.
+  # Delete them if you prefer.
   owner /etc/gotosocial/{,**} r,
   owner /usr/local/etc/gotosocial/{,**} r,
   owner /usr/share/gotosocial/{,**} r,
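Review bot: The new `owner /dev/urandom r,` (and `owner /dev/ r,`, `owner /tmp/ r,`) rules will not match when GoToSocial runs as a non-root service user, because the `owner` qualifier only permits access when the object's uid equals the process's fsuid, and `/dev`, `/dev/urandom` and `/tmp` are root-owned on essentially every system — so the ffmpeg read this hunk is trying to allow would still be denied. The qualifier should be dropped for those paths: `/dev/ r,`, `/dev/urandom r,`, `/tmp/ r,`; keep `owner` on `/tmp/*` where it does the useful job of confining the process to its own temp files. Separately, `abstractions/user-tmp`, included two lines above, already appears to grant `owner /tmp/** rwkl` and `owner /tmp/ rw` on stock AppArmor installs, so the new `/tmp` rules are likely redundant rather than restrictive — worth a comment saying they exist for readability (or removing them) so a reader does not mistake `/tmp/*` for a tightening. If the profile's opening lines (outside this hunk) already include `abstractions/base`, the `/dev/urandom` rule is unnecessary as well, since base grants it unconditionally.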
@@ -55,9 +76,10 @@ profile gotosocial flags=(attach_disconnected, mediate_deleted) {
   network inet dgram,
   network inet6 dgram,
-  # Allow GoToSocial to receive signals from unconfined processes
+  # Allow GoToSocial to receive signals from unconfined processes.
   signal (receive) peer=unconfined,
-  # Allow GoToSocial to send signals to/receive signals from worker processes
+
+  # Allow GoToSocial to send signals to/receive signals from worker processes.
   signal (send,receive) peer=gotosocial,
 }
