AppArmor profile for Jellyfin running under Podman 5.4.0
# AppArmor profile that confines a running Jellyfin server to the resources
# it actually needs (its own volumes, a read-only media library, the ffmpeg
# helpers, timezone/font/GPU data and plain IPv4 networking).
# Tested with Jellyfin 10.10.6 under Podman 5.4.0 on a Debian Trixie host.
#
# Copyright (C) 2025 Chekhwastaken
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.

abi <abi/4.0>,
include <tunables/global>

# Enforcing from the start: anything not listed below is denied and logged.
profile jellyfin flags=(enforce) {
  # --- Shared abstractions ---------------------------------------------
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/ssl_certs>
  include <abstractions/fonts>
  include <abstractions/user-tmp>
  # GPU device discovery/use (hardware transcoding via DRI / OpenCL).
  include <abstractions/dri-enumerate>
  include <abstractions/dri-common>
  include <abstractions/opencl-pocl>

  # --- Container volumes ----------------------------------------------
  # Writable state: transcode/image cache and the configuration tree.
  # Note the absence of 'm' and 'x' here: nothing under these trees may be
  # mapped executable or executed, so a written file cannot become code.
  /cache/    rw,
  /cache/**  rwk,
  /config/   rw,
  /config/** rwk,

  # The application itself: read + mmap (the .NET runtime needs 'm'), no write.
  /jellyfin/   r,
  /jellyfin/** rmk,

  # Media library, deliberately read-only. Switch to rw only if Jellyfin
  # should be allowed to modify the library (save metadata, delete files, ...).
  /media/{,**} r,

  # --- Process and kernel information ---------------------------------
  # Self-inspection only: 'owner' restricts this to the profile's own uid.
  owner @{PROC}/@{pid}/{,**}                r,
  owner @{PROC}/@{pid}/task/@{pid}/comm     rw,
  /proc/sys/net/ipv4/conf/*/forwarding      r,
  # cgroup limits the runtime reads to size its thread pool / GC.
  /sys/fs/cgroup/memory.max r,
  /sys/fs/cgroup/cpu.max    r,
  # PCI attribute reads; broad glob, presumably for GPU detection — a tighter
  # path could be derived from the host's audit log if this is a concern.
  /sys/devices/pci*/*/*     r,

  # --- Host libraries and data ----------------------------------------
  /usr/lib{,64}/                    r,
  /usr/lib/os-release               r,
  /usr/share/zoneinfo{,-icu}/{,**}  r,

  # --- Helper executables ---------------------------------------------
  # 'ix' (inherit) keeps ffmpeg/ffprobe and curl under THIS profile rather
  # than an unconfined one, so every rule above also bounds them. A child
  # profile (Cx) would allow narrowing ffmpeg further, since it parses
  # untrusted media; that is a possible follow-up, not required here.
  /usr/lib/jellyfin-ffmpeg/ff{mpeg,probe} ix,
  /{,usr/}bin/curl                        ix,

  # --- Signals ----------------------------------------------------------
  # The container runtime may signal us (read is the apparmor.d alias of
  # receive, so this is receive-only from crun).
  signal (read, receive) peer=crun,
  # Jellyfin sends SIGRTMIN to itself; the peer is written out as the
  # stacked name because @{profile_name} does not resolve here.
  # CRITICAL: without this rule the instance crashes at random.
  signal (send, receive) peer=crun//&jellyfin,

  # --- Network ----------------------------------------------------------
  # IPv4 only: TCP for the web UI/API, UDP for streaming. No inet6 rule
  # is present, so IPv6 sockets are denied. Put a proxy in front to restrict
  # egress further — see https://gist.github.com/ChekhWasTaken/91de4f2795d44cb0d93a60acff4da725
  # A default install only needs .tmdb.org, .themoviedb.org and .omdbapi.com
  # for metadata and images.
  network inet stream,
  network inet dgram,
}