#include <tunables/global>

# AppArmor confinement for the GoToSocial daemon (/usr/sbin/gotosocial).
# Everything not listed here is denied. Writes are limited to the owner's
# data directory, the cache, and (optionally) syslog; config and shared data
# are read-only.
#   attach_disconnected - map paths outside the current namespace to the root
#   mediate_deleted     - keep mediating files that were unlinked after open
profile gotosocial flags=(attach_disconnected, mediate_deleted) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/gio-open>
  include <abstractions/nameservice>
  include <abstractions/user-tmp>

  # Profile entry point: m = mmap, r = read, ix = execute under this same profile.
  /usr/sbin/gotosocial mrix,

  # Embedded ffmpeg needs read permission on /dev/urandom.
  # Listing /dev/ itself is read-only; no other device nodes are granted.
  /dev/ r,
  /dev/urandom r,

  # Wazero compilation cache (used when GTS_WAZERO_COMPILATION_CACHE is set).
  # These two rules are active as shipped; change the path or comment them
  # out if the cache lives elsewhere or is not used. `owner` limits access
  # to files owned by the daemon's own uid.
  owner /var/lib/gotosocial/.cache r,
  owner /var/lib/gotosocial/.cache/** rwk,

  # If you've enabled logging to syslog, allow GoToSocial
  # to write logs by uncommenting the following line:
  # /var/log/syslog w,

  # Configuration and shared assets are read-only for the daemon.
  /etc/gotosocial/{,**} r,
  /usr/share/gotosocial/{,**} r,
  # Data directory: read everywhere, write (w) + lock (k) only on the
  # database files and the media storage tree, and only as owner.
  # Note `db/*` matches one directory level; `storage/**` recurses.
  owner /var/lib/gotosocial/{,**} r,
  owner /var/lib/gotosocial/db/* wk,
  owner /var/lib/gotosocial/storage/** wk,

  # Read-only system metadata (mime/service tables, cgroup and memory
  # tunables, and the daemon's own /proc entries).
  /etc/mime.types r,
  /etc/services r,
  /proc/sys/net/core/somaxconn r,
  /sys/fs/cgroup/system.slice/gotosocial.service/{,*} r,
  /sys/kernel/mm/hugepages/ r,
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  owner /proc/*/cgroup r,
  owner /proc/*/cpuset r,
  owner /proc/*/mountinfo r,

  # TCP / UDP network access (stream = TCP, dgram = UDP) over IPv4 and IPv6.
  # No raw or unix-socket network rules are granted here.
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

  # Allow GoToSocial to receive signals from unconfined processes.
  signal (receive) peer=unconfined,

  # Allow GoToSocial to send signals to/receive signals from worker processes.
  # peer=gotosocial matches other processes confined by this same profile.
  signal (send,receive) peer=gotosocial,
}

# vim:syntax=apparmor
