#include <tunables/global>

# AppArmor confinement for the GoToSocial daemon.
#
# Only the three install locations listed below may be executed; nothing else
# in this profile carries execute permission. Child processes inherit the
# profile (the `i` in `mrix`), so anything the daemon spawns stays confined.
# Every other path is read-only unless a rule explicitly grants write (w) or
# file-lock (k) access.
#
# attach_disconnected: paths disconnected from the namespace root are treated
#   as if attached to it (relevant when the daemon runs in a mount namespace).
# mediate_deleted:     access to already-deleted files is still mediated.
profile gotosocial flags=(attach_disconnected, mediate_deleted) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Daemon binary in each supported install location: mmap-exec (m),
  # read (r) and inherit-exec (ix).
  /{gotosocial,usr/bin,usr/local/bin}/gotosocial mrix,

  # Application root. Read access is granted to the whole tree (for files the
  # daemon's own user owns); write (w) and lock (k) are restricted to the
  # database directory and the media storage tree. Read access to the
  # database files comes from the tree-wide rule, so `wk` is sufficient
  # there. The binary itself is never writable from inside the profile.
  owner /gotosocial/{,**} r,
  owner /gotosocial/db/* wk,
  owner /gotosocial/storage/** wk,

  # Log files.
  #
  # The /var/log/syslog rule is only relevant when syslog logging is enabled;
  # otherwise it can be commented out. NOTE(review): because it is
  # `owner`-qualified it only matches while the daemon's UID owns that file,
  # and logging via the syslog daemon's socket is normally covered by
  # abstractions/base rather than by a direct file write -- confirm the rule
  # is actually exercised before relying on it.
  /var/log/gotosocial/* w,
  owner /var/log/syslog w,

  # Conventional locations for config, libraries, data and runtime state.
  # None of the recommended installation methods use them today; they are
  # listed read-only for future use and for custom deployments.
  owner /{etc,usr/lib,usr/share,usr/local/etc,usr/local/lib,usr/local/share,var/lib,opt,run}/gotosocial/{,**} r,

  # Kernel/runtime introspection: listen backlog limit, transparent-hugepage
  # page size, and the process's own cpuset.
  /proc/sys/net/core/somaxconn r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  owner @{PROC}/@{pid}/cpuset r,

  # Network: IPv4 and IPv6, TCP (stream) and UDP (dgram) only -- no raw or
  # packet sockets are granted.
  network inet  stream,
  network inet  dgram,
  network inet6 stream,
  network inet6 dgram,

  # Signals: accept them from unconfined processes (service manager, admin
  # shell); exchange them freely with processes under this same profile.
  signal (receive) peer=unconfined,
  signal (send,receive) peer=gotosocial,
}

# vim:syntax=apparmor