[docs/bugfix] Allow access to TMP directories in example AppArmor config (#2683)

* Remove trailing whitespace from example config

* Update and extend example AppArmor profile

example/apparmor/gotosocial

@@ -1,40 +1,53 @@
 #include <tunables/global>
 
 profile gotosocial flags=(attach_disconnected, mediate_deleted) {
-  #include <abstractions/base>
+  include <abstractions/base>
-  #include <abstractions/nameservice>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/gio-open>
+  include <abstractions/nameservice>
+  include <abstractions/user-tmp>
 
   /gotosocial/gotosocial mrix,
-  /usr/bin/gotosocial mrix,
   /usr/local/bin/gotosocial mrix,
+  /usr/bin/gotosocial mrix,
+  /usr/sbin/gotosocial mrix,
 
   owner /gotosocial/{,**} r,
   owner /gotosocial/db/* wk,
   owner /gotosocial/storage/** wk,
 
   # Allow GoToSocial to write logs
-  #
   # NOTE: you only need to allow write permissions to /var/log/syslog if you've
-  # enabled logging to syslog. Otherwise, you can comment out that line.
+  # enabled logging to syslog.
-  /var/log/gotosocial/* w,
+  # owner /var/log/syslog w,
-  owner /var/log/syslog w,
 
   # These directories are not currently used by any of the recommended
   # GoToSocial installation methods, but they may be used in the future and/or
   # for custom installations.
   owner /etc/gotosocial/{,**} r,
-  owner /usr/lib/gotosocial/{,**} r,
-  owner /usr/share/gotosocial/{,**} r,
   owner /usr/local/etc/gotosocial/{,**} r,
-  owner /usr/local/lib/gotosocial/{,**} r,
+  owner /usr/share/gotosocial/{,**} r,
   owner /usr/local/share/gotosocial/{,**} r,
+  owner /usr/lib/gotosocial/{,**} r,
+  owner /usr/lib/gotosocial/db/* wk,
+  owner /usr/lib/gotosocial/storage/** wk,
+  owner /usr/local/lib/gotosocial/{,**} r,
+  owner /usr/local/lib/gotosocial/db/* wk,
+  owner /usr/local/lib/gotosocial/storage/** wk,
   owner /var/lib/gotosocial/{,**} r,
+  owner /var/lib/gotosocial/db/* wk,
+  owner /var/lib/gotosocial/storage/** wk,
   owner /opt/gotosocial/{,**} r,
   owner /run/gotosocial/{,**} r,
 
+  /etc/mime.types r,
+  /etc/services r,
   /proc/sys/net/core/somaxconn r,
+  /sys/fs/cgroup/system.slice/gotosocial.service/{,*} r,
   /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-  owner @{PROC}/@{pid}/cpuset r,
+  owner /proc/*/cgroup r,
+  owner /proc/*/cpuset r,
+  owner /proc/*/mountinfo r,
 
   # TCP / UDP network access
   network inet stream,
@@ -42,9 +55,9 @@ profile gotosocial flags=(attach_disconnected, mediate_deleted) {
   network inet dgram,
   network inet6 dgram,
 
-  # Allow GoToSocial to send signals to/receive signals from worker processes
   # Allow GoToSocial to receive signals from unconfined processes
   signal (receive) peer=unconfined,
+  # Allow GoToSocial to send signals to/receive signals from worker processes
   signal (send,receive) peer=gotosocial,
 }