diff options
Diffstat (limited to 'example/apparmor')
| -rw-r--r-- | example/apparmor/gotosocial | 37 |
1 files changed, 25 insertions, 12 deletions
diff --git a/example/apparmor/gotosocial b/example/apparmor/gotosocial index 40686194d..7f1bfc4bc 100644 --- a/example/apparmor/gotosocial +++ b/example/apparmor/gotosocial @@ -1,40 +1,53 @@ #include <tunables/global> profile gotosocial flags=(attach_disconnected, mediate_deleted) { - #include <abstractions/base> - #include <abstractions/nameservice> + include <abstractions/base> + include <abstractions/dbus-session-strict> + include <abstractions/gio-open> + include <abstractions/nameservice> + include <abstractions/user-tmp> /gotosocial/gotosocial mrix, - /usr/bin/gotosocial mrix, /usr/local/bin/gotosocial mrix, + /usr/bin/gotosocial mrix, + /usr/sbin/gotosocial mrix, owner /gotosocial/{,**} r, owner /gotosocial/db/* wk, owner /gotosocial/storage/** wk, # Allow GoToSocial to write logs - # # NOTE: you only need to allow write permissions to /var/log/syslog if you've - # enabled logging to syslog. Otherwise, you can comment out that line. - /var/log/gotosocial/* w, - owner /var/log/syslog w, + # enabled logging to syslog. + # owner /var/log/syslog w, # These directories are not currently used by any of the recommended # GoToSocial installation methods, but they may be used in the future and/or # for custom installations. owner /etc/gotosocial/{,**} r, - owner /usr/lib/gotosocial/{,**} r, - owner /usr/share/gotosocial/{,**} r, owner /usr/local/etc/gotosocial/{,**} r, - owner /usr/local/lib/gotosocial/{,**} r, + owner /usr/share/gotosocial/{,**} r, owner /usr/local/share/gotosocial/{,**} r, + owner /usr/lib/gotosocial/{,**} r, + owner /usr/lib/gotosocial/db/* wk, + owner /usr/lib/gotosocial/storage/** wk, + owner /usr/local/lib/gotosocial/{,**} r, + owner /usr/local/lib/gotosocial/db/* wk, + owner /usr/local/lib/gotosocial/storage/** wk, owner /var/lib/gotosocial/{,**} r, + owner /var/lib/gotosocial/db/* wk, + owner /var/lib/gotosocial/storage/** wk, owner /opt/gotosocial/{,**} r, owner /run/gotosocial/{,**} r, + /etc/mime.types r, + /etc/services r, /proc/sys/net/core/somaxconn r, + /sys/fs/cgroup/system.slice/gotosocial.service/{,*} r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner @{PROC}/@{pid}/cpuset r, + owner /proc/*/cgroup r, + owner /proc/*/cpuset r, + owner /proc/*/mountinfo r, # TCP / UDP network access network inet stream, @@ -42,9 +55,9 @@ profile gotosocial flags=(attach_disconnected, mediate_deleted) { network inet dgram, network inet6 dgram, - # Allow GoToSocial to send signals to/receive signals from worker processes # Allow GoToSocial to receive signals from unconfined processes signal (receive) peer=unconfined, + # Allow GoToSocial to send signals to/receive signals from worker processes signal (send,receive) peer=gotosocial, } |