#include <tunables/global>

profile gotosocial flags=(attach_disconnected, mediate_deleted) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/gio-open>
  include <abstractions/nameservice>
  include <abstractions/user-tmp>

  # Allow common binary install paths.
  #
  # You can change or remove these depending on
  # where you've installed your GoToSocial binary.
  /gotosocial/gotosocial mrix,
  /usr/local/bin/gotosocial mrix,
  /usr/bin/gotosocial mrix,
  /usr/sbin/gotosocial mrix,

  # Allow access to GoToSocial's storage and database paths.
  # Change these depending on your db + storage locations.
  owner /gotosocial/{,**} r,
  owner /gotosocial/db/* wk,
  owner /gotosocial/storage/** wk,

  # Embedded ffmpeg needs read
  # permission on /dev/urandom.
  /dev/ r,
  /dev/urandom r,

  # Temp dir access is needed for storing
  # files briefly during media processing.
  /tmp/ r,
  owner /tmp/* rwk,

  # If running with GTS_WAZERO_COMPILATION_CACHE set,
  # change + uncomment the below lines as appropriate:
  # owner /your/wazero/cache/directory/ r,
  # owner /your/wazero/cache/directory/** rwk,

  # If you've enabled logging to syslog, allow GoToSocial
  # to write logs by uncommenting the following line:
  # /var/log/syslog w,

  # These directories are not currently used by any of
  # the recommended GoToSocial installation methods, but
  # may be used in the future and/or for custom installs.
  # Delete them if you prefer.
  owner /etc/gotosocial/{,**} r,
  owner /usr/local/etc/gotosocial/{,**} r,
  owner /usr/share/gotosocial/{,**} r,
  owner /usr/local/share/gotosocial/{,**} r,
  owner /usr/lib/gotosocial/{,**} r,
  owner /usr/lib/gotosocial/db/* wk,
  owner /usr/lib/gotosocial/storage/** wk,
  owner /usr/local/lib/gotosocial/{,**} r,
  owner /usr/local/lib/gotosocial/db/* wk,
  owner /usr/local/lib/gotosocial/storage/** wk,
  owner /var/lib/gotosocial/{,**} r,
  owner /var/lib/gotosocial/db/* wk,
  owner /var/lib/gotosocial/storage/** wk,
  owner /opt/gotosocial/{,**} r,
  owner /run/gotosocial/{,**} r,

  /etc/mime.types r,
  /etc/services r,
  /proc/sys/net/core/somaxconn r,
  /sys/fs/cgroup/system.slice/gotosocial.service/{,*} r,
  /sys/kernel/mm/hugepages/ r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  owner /proc/*/cgroup r,
  owner /proc/*/cpuset r,
  owner /proc/*/mountinfo r,

  # TCP / UDP network access
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

  # Allow GoToSocial to receive signals from unconfined processes.
  signal (receive) peer=unconfined,

  # Allow GoToSocial to send signals to/receive signals from worker processes.
  signal (send,receive) peer=gotosocial,
}

# vim:syntax=apparmor