[docs/bugfix] Allow access to TMP directories in example AppArmor config (#2683)
* Remove trailing whitespace from example config * Update and extend example AppArmor profile
This commit is contained in:
parent
403f5c0528
commit
d8956d710e
|
@ -1,40 +1,53 @@
|
|||
#include <tunables/global>
|
||||
|
||||
profile gotosocial flags=(attach_disconnected, mediate_deleted) {
|
||||
#include <abstractions/base>
|
||||
#include <abstractions/nameservice>
|
||||
include <abstractions/base>
|
||||
include <abstractions/dbus-session-strict>
|
||||
include <abstractions/gio-open>
|
||||
include <abstractions/nameservice>
|
||||
include <abstractions/user-tmp>
|
||||
|
||||
/gotosocial/gotosocial mrix,
|
||||
/usr/bin/gotosocial mrix,
|
||||
/usr/local/bin/gotosocial mrix,
|
||||
/usr/bin/gotosocial mrix,
|
||||
/usr/sbin/gotosocial mrix,
|
||||
|
||||
owner /gotosocial/{,**} r,
|
||||
owner /gotosocial/db/* wk,
|
||||
owner /gotosocial/storage/** wk,
|
||||
|
||||
# Allow GoToSocial to write logs
|
||||
#
|
||||
# NOTE: you only need to allow write permissions to /var/log/syslog if you've
|
||||
# enabled logging to syslog. Otherwise, you can comment out that line.
|
||||
/var/log/gotosocial/* w,
|
||||
owner /var/log/syslog w,
|
||||
# enabled logging to syslog.
|
||||
# owner /var/log/syslog w,
|
||||
|
||||
# These directories are not currently used by any of the recommended
|
||||
# GoToSocial installation methods, but they may be used in the future and/or
|
||||
# for custom installations.
|
||||
owner /etc/gotosocial/{,**} r,
|
||||
owner /usr/lib/gotosocial/{,**} r,
|
||||
owner /usr/share/gotosocial/{,**} r,
|
||||
owner /usr/local/etc/gotosocial/{,**} r,
|
||||
owner /usr/local/lib/gotosocial/{,**} r,
|
||||
owner /usr/share/gotosocial/{,**} r,
|
||||
owner /usr/local/share/gotosocial/{,**} r,
|
||||
owner /usr/lib/gotosocial/{,**} r,
|
||||
owner /usr/lib/gotosocial/db/* wk,
|
||||
owner /usr/lib/gotosocial/storage/** wk,
|
||||
owner /usr/local/lib/gotosocial/{,**} r,
|
||||
owner /usr/local/lib/gotosocial/db/* wk,
|
||||
owner /usr/local/lib/gotosocial/storage/** wk,
|
||||
owner /var/lib/gotosocial/{,**} r,
|
||||
owner /var/lib/gotosocial/db/* wk,
|
||||
owner /var/lib/gotosocial/storage/** wk,
|
||||
owner /opt/gotosocial/{,**} r,
|
||||
owner /run/gotosocial/{,**} r,
|
||||
|
||||
/etc/mime.types r,
|
||||
/etc/services r,
|
||||
/proc/sys/net/core/somaxconn r,
|
||||
/sys/fs/cgroup/system.slice/gotosocial.service/{,*} r,
|
||||
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
|
||||
owner @{PROC}/@{pid}/cpuset r,
|
||||
owner /proc/*/cgroup r,
|
||||
owner /proc/*/cpuset r,
|
||||
owner /proc/*/mountinfo r,
|
||||
|
||||
# TCP / UDP network access
|
||||
network inet stream,
|
||||
|
@ -42,9 +55,9 @@ profile gotosocial flags=(attach_disconnected, mediate_deleted) {
|
|||
network inet dgram,
|
||||
network inet6 dgram,
|
||||
|
||||
# Allow GoToSocial to send signals to/receive signals from worker processes
|
||||
# Allow GoToSocial to receive signals from unconfined processes
|
||||
signal (receive) peer=unconfined,
|
||||
# Allow GoToSocial to send signals to/receive signals from worker processes
|
||||
signal (send,receive) peer=gotosocial,
|
||||
}
|
||||
|
||||
|
|
|
@ -296,7 +296,7 @@ instance-languages: []
|
|||
|
||||
# String. Federation mode to use for this instance.
|
||||
#
|
||||
# "blocklist" -- open federation by default. Only instances that are explicitly
|
||||
# "blocklist" -- open federation by default. Only instances that are explicitly
|
||||
# blocked will be denied (unless they are also explicitly allowed).
|
||||
#
|
||||
# "allowlist" -- closed federation by default. Only instances that are explicitly
|
||||
|
@ -468,7 +468,7 @@ media-remote-cache-days: 7
|
|||
|
||||
# String. 24hr time of day formatted as hh:mm.
|
||||
# Examples: ["14:30", "00:00", "04:00"]
|
||||
# Default: "00:00" (midnight).
|
||||
# Default: "00:00" (midnight).
|
||||
media-cleanup-from: "00:00"
|
||||
|
||||
# Duration. Period between media cleanup runs.
|
||||
|
@ -871,7 +871,7 @@ http-client:
|
|||
#
|
||||
# THIS SETTING SHOULD BE USED FOR TESTING ONLY! IF YOU TURN THIS
|
||||
# ON WHILE RUNNING IN PRODUCTION YOU ARE LEAVING YOUR SERVER WIDE
|
||||
# OPEN TO MAN IN THE MIDDLE ATTACKS! DO NOT CHANGE THIS SETTING
|
||||
# OPEN TO MAN IN THE MIDDLE ATTACKS! DO NOT CHANGE THIS SETTING
|
||||
# UNLESS YOU KNOW EXACTLY WHAT YOU'RE DOING AND WHY YOU'RE DOING IT.
|
||||
#
|
||||
# Default: false
|
||||
|
@ -1026,7 +1026,7 @@ advanced-sender-multiplier: 2
|
|||
# generate a correct Content-Security-Policy, you probably won't need
|
||||
# to ever touch this setting, but it's included in the 'spirit of more
|
||||
# configurable (usually) means more good'.
|
||||
#
|
||||
#
|
||||
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
|
||||
#
|
||||
# Example: ["s3.example.org", "some-bucket-name.s3.example.org"]
|
||||
|
@ -1048,4 +1048,4 @@ advanced-csp-extra-uris: []
|
|||
#
|
||||
# Options: ["block", "allow", ""]
|
||||
# Default: ""
|
||||
advanced-header-filter-mode: ""
|
||||
advanced-header-filter-mode: ""
|
||||
|
|
Loading…
Reference in New Issue