From d8956d710e114150dfb422f4d21f0a69e5e5829a Mon Sep 17 00:00:00 2001 From: tux93 Date: Sat, 24 Feb 2024 09:44:53 +0100 Subject: [PATCH] [docs/bugfix] Allow access to TMP directories in example AppArmor config (#2683) * Remove trailing whitespace from example config * Update and extend example AppArmor profile --- example/apparmor/gotosocial | 37 +++++++++++++++++++++++++------------ example/config.yaml | 10 +++++----- 2 files changed, 30 insertions(+), 17 deletions(-) diff --git a/example/apparmor/gotosocial b/example/apparmor/gotosocial index 40686194d..7f1bfc4bc 100644 --- a/example/apparmor/gotosocial +++ b/example/apparmor/gotosocial @@ -1,40 +1,53 @@ #include profile gotosocial flags=(attach_disconnected, mediate_deleted) { - #include - #include + include + include + include + include + include /gotosocial/gotosocial mrix, - /usr/bin/gotosocial mrix, /usr/local/bin/gotosocial mrix, + /usr/bin/gotosocial mrix, + /usr/sbin/gotosocial mrix, owner /gotosocial/{,**} r, owner /gotosocial/db/* wk, owner /gotosocial/storage/** wk, # Allow GoToSocial to write logs - # # NOTE: you only need to allow write permissions to /var/log/syslog if you've - # enabled logging to syslog. Otherwise, you can comment out that line. - /var/log/gotosocial/* w, - owner /var/log/syslog w, + # enabled logging to syslog. + # owner /var/log/syslog w, # These directories are not currently used by any of the recommended # GoToSocial installation methods, but they may be used in the future and/or # for custom installations. owner /etc/gotosocial/{,**} r, - owner /usr/lib/gotosocial/{,**} r, - owner /usr/share/gotosocial/{,**} r, owner /usr/local/etc/gotosocial/{,**} r, - owner /usr/local/lib/gotosocial/{,**} r, + owner /usr/share/gotosocial/{,**} r, owner /usr/local/share/gotosocial/{,**} r, + owner /usr/lib/gotosocial/{,**} r, + owner /usr/lib/gotosocial/db/* wk, + owner /usr/lib/gotosocial/storage/** wk, + owner /usr/local/lib/gotosocial/{,**} r, + owner /usr/local/lib/gotosocial/db/* wk, + owner /usr/local/lib/gotosocial/storage/** wk, owner /var/lib/gotosocial/{,**} r, + owner /var/lib/gotosocial/db/* wk, + owner /var/lib/gotosocial/storage/** wk, owner /opt/gotosocial/{,**} r, owner /run/gotosocial/{,**} r, + /etc/mime.types r, + /etc/services r, /proc/sys/net/core/somaxconn r, + /sys/fs/cgroup/system.slice/gotosocial.service/{,*} r, /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner @{PROC}/@{pid}/cpuset r, + owner /proc/*/cgroup r, + owner /proc/*/cpuset r, + owner /proc/*/mountinfo r, # TCP / UDP network access network inet stream, @@ -42,9 +55,9 @@ profile gotosocial flags=(attach_disconnected, mediate_deleted) { network inet dgram, network inet6 dgram, - # Allow GoToSocial to send signals to/receive signals from worker processes # Allow GoToSocial to receive signals from unconfined processes signal (receive) peer=unconfined, + # Allow GoToSocial to send signals to/receive signals from worker processes signal (send,receive) peer=gotosocial, } diff --git a/example/config.yaml b/example/config.yaml index 4b0b42f5b..904ae7a8f 100644 --- a/example/config.yaml +++ b/example/config.yaml @@ -296,7 +296,7 @@ instance-languages: [] # String. Federation mode to use for this instance. # -# "blocklist" -- open federation by default. Only instances that are explicitly +# "blocklist" -- open federation by default. Only instances that are explicitly # blocked will be denied (unless they are also explicitly allowed). # # "allowlist" -- closed federation by default. Only instances that are explicitly @@ -468,7 +468,7 @@ media-remote-cache-days: 7 # String. 24hr time of day formatted as hh:mm. # Examples: ["14:30", "00:00", "04:00"] -# Default: "00:00" (midnight). +# Default: "00:00" (midnight). media-cleanup-from: "00:00" # Duration. Period between media cleanup runs. @@ -871,7 +871,7 @@ http-client: # # THIS SETTING SHOULD BE USED FOR TESTING ONLY! IF YOU TURN THIS # ON WHILE RUNNING IN PRODUCTION YOU ARE LEAVING YOUR SERVER WIDE - # OPEN TO MAN IN THE MIDDLE ATTACKS! DO NOT CHANGE THIS SETTING + # OPEN TO MAN IN THE MIDDLE ATTACKS! DO NOT CHANGE THIS SETTING # UNLESS YOU KNOW EXACTLY WHAT YOU'RE DOING AND WHY YOU'RE DOING IT. # # Default: false @@ -1026,7 +1026,7 @@ advanced-sender-multiplier: 2 # generate a correct Content-Security-Policy, you probably won't need # to ever touch this setting, but it's included in the 'spirit of more # configurable (usually) means more good'. -# +# # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP # # Example: ["s3.example.org", "some-bucket-name.s3.example.org"] @@ -1048,4 +1048,4 @@ advanced-csp-extra-uris: [] # # Options: ["block", "allow", ""] # Default: "" -advanced-header-filter-mode: "" \ No newline at end of file +advanced-header-filter-mode: ""