forgejo/forgejo.apparmor

abi <abi/3.0>,

include <tunables/global>

@{APP_DATADIR} = /var/lib/forgejo
@{APP_REPOSITORY_DIRS} = @{APP_DATADIR}/data/forgejo-repositories @{APP_DATADIR}/repositories

profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
  include <abstractions/forgejo>

  network inet  stream,
  network inet6 stream,

  /usr/bin/forgejo Cx -> forgejo-session-exec,

  signal (send) peer=forgejo//*,

  profile forgejo-session-exec {
    include <abstractions/forgejo>

    include if exists <forgejo.d/forgejo-session-exec.d>
    include if exists <local/forgejo-session-exec>
  }

  profile forgejo-hooks {
    include <abstractions/forgejo>

    include if exists <forgejo.d/forgejo-hooks.d>
    include if exists <local/forgejo-hooks>
  }

  profile git {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/openssl>
    include <abstractions/ssl_certs>

    signal (receive) peer=forgejo,

    /etc/gitconfig r,
    /usr/lib{,exec}/git/* rmix,
    /usr/share/git-core/** r,

    /usr/bin/bash Px -> forgejo//git-bash,

    owner @{APP_DATADIR}/data/home/.gitconfig rwlk,
    owner @{APP_DATADIR}/data/home/.gitconfig.lock rwlk,

    owner @{APP_REPOSITORY_DIRS}/ r,
    owner @{APP_REPOSITORY_DIRS}/** rwlk,

    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/pre-receive  Px -> forgejo//hooks-pre-receive,
    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/post-receive Px -> forgejo//hooks-post-receive,
    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/proc-receive Px -> forgejo//hooks-proc-receive,

    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/update Px -> forgejo//hooks-update,

    owner @{APP_DATADIR}/data/tmp/local-repo/pull.*/ r,
    owner @{APP_DATADIR}/data/tmp/local-repo/pull.*/** rwlk,

    owner @{APP_DATADIR}/data/tmp/local-repo/update-wiki*/ r,
    owner @{APP_DATADIR}/data/tmp/local-repo/update-wiki*/** rwlk,

    include if exists <forgejo.d/git.d>
    include if exists <local/forgejo-git>
  }

  profile git-bash {
    include <abstractions/base>
    include <abstractions/bash>
    include <abstractions/consoles>

    /usr/bin/bash rm,

    /usr/lib{,exec}/git/git Px -> forgejo//git,
    /usr/lib{,exec}/git/git-write-tree Px -> forgejo//git,
  }

  profile hooks-pre-receive {
    include <abstractions/forgejo-hooks>

    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive.d/ r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive.d/gitea Px -> forgejo//hooks-gitea,

    include if exists <forgejo.d/hooks-pre-receive.d>
    include if exists <local/forgejo-hooks-pre-receive>
  }

  profile hooks-post-receive {
    include <abstractions/forgejo-hooks>

    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive.d/ r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive.d/gitea Px -> forgejo//hooks-gitea,

    include if exists <forgejo.d/hooks-post-receive.d>
    include if exists <local/forgejo-hooks-post-receive>
  }

  profile hooks-proc-receive {
    include <abstractions/forgejo-hooks>

    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive.d/ r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive.d/gitea Px -> forgejo//hooks-gitea,

    include if exists <forgejo.d/hooks-proc-receive.d>
    include if exists <local/forgejo-hooks-proc-receive>
  }

  profile hooks-update {
    include <abstractions/forgejo-hooks>

    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update.d/ r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update.d/gitea Px -> forgejo//hooks-gitea,

    include if exists <forgejo.d/hooks-update.d>
    include if exists <local/forgejo-hooks-update>
  }

  profile hooks-gitea {
    include <abstractions/forgejo-hooks>

    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/*.d/gitea r,
    /usr/bin/forgejo Px -> forgejo//forgejo-hooks,
  }

  profile simple_tool {
    include <abstractions/base>

    /usr/bin/env      rm,
    /usr/bin/cat      rm,
    /usr/bin/basename rm,
  }

  owner @{APP_DATADIR}/ r,

  owner @{APP_DATADIR}/data/ r,
  owner @{APP_DATADIR}/data/** rwlk,

  owner @{APP_DATADIR}/https/ r,
  owner @{APP_DATADIR}/https/** rwlk,

  owner @{APP_DATADIR}/indexers/ r,
  owner @{APP_DATADIR}/indexers/** rwlk,

  owner @{APP_DATADIR}/queues/ r,
  owner @{APP_DATADIR}/queues/** rwlk,

  owner @{APP_REPOSITORY_DIRS}/ r,
  owner @{APP_REPOSITORY_DIRS}/** rwlk,

  owner /var/log/forgejo/ r,
  owner /var/log/forgejo/gitea.log* rwlk,
}
- move permissions of the log dir and the data dir from forgejo:forgejo u=rwX,g=rwX,o= to forgejo:forgejo u=rwX,g=rX,o= - update apparmor profile to a profile that is less broad. - create all directories before actually installing files - make the HOME dir in the service file the same as the user - migrate existing authorized keys files from %{_datadir}/%{name}/.ssh/authorized_keys to %{_sharedstatedir}/%{name}/data/home/.ssh/authorized_keys - fix file list to lock down permissions more - don't require the apparmor subpackage when apparmor is installed the current profile is rather bad and it should be possible to keep it out. - user should actually use /var/lib/forgejo/data/home OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=53 2025-03-11 12:47:50 +00:00			`abi <abi/3.0>,`

			`include <tunables/global>`

			`@{APP_DATADIR} = /var/lib/forgejo`
			`@{APP_REPOSITORY_DIRS} = @{APP_DATADIR}/data/forgejo-repositories @{APP_DATADIR}/repositories`

			`profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {`
			`include <abstractions/forgejo>`

			`network inet stream,`
			`network inet6 stream,`

			`/usr/bin/forgejo Cx -> forgejo-session-exec,`

			`signal (send) peer=forgejo//*,`

			`profile forgejo-session-exec {`
			`include <abstractions/forgejo>`

			`include if exists <forgejo.d/forgejo-session-exec.d>`
			`include if exists <local/forgejo-session-exec>`
			`}`

			`profile forgejo-hooks {`
			`include <abstractions/forgejo>`

			`include if exists <forgejo.d/forgejo-hooks.d>`
			`include if exists <local/forgejo-hooks>`
			`}`

			`profile git {`
			`include <abstractions/base>`
			`include <abstractions/nameservice>`
			`include <abstractions/openssl>`
			`include <abstractions/ssl_certs>`

			`signal (receive) peer=forgejo,`

			`/etc/gitconfig r,`
			`/usr/lib{,exec}/git/* rmix,`
			`/usr/share/git-core/** r,`

- apparmor: fix wiki editing OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=56 2025-03-14 06:40:13 +00:00			`/usr/bin/bash Px -> forgejo//git-bash,`

- add README.SUSE to explain SUSE specific things - apparmor: /var/lib/forgejo/data/home/.gitconfig needs to be writable for initial setup - apparmor: forgot to rename the profile in the %post scriptlet OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=58 2025-03-16 20:50:15 +00:00			`owner @{APP_DATADIR}/data/home/.gitconfig rwlk,`
- move permissions of the log dir and the data dir from forgejo:forgejo u=rwX,g=rwX,o= to forgejo:forgejo u=rwX,g=rX,o= - update apparmor profile to a profile that is less broad. - create all directories before actually installing files - make the HOME dir in the service file the same as the user - migrate existing authorized keys files from %{_datadir}/%{name}/.ssh/authorized_keys to %{_sharedstatedir}/%{name}/data/home/.ssh/authorized_keys - fix file list to lock down permissions more - don't require the apparmor subpackage when apparmor is installed the current profile is rather bad and it should be possible to keep it out. - user should actually use /var/lib/forgejo/data/home OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=53 2025-03-11 12:47:50 +00:00			`owner @{APP_DATADIR}/data/home/.gitconfig.lock rwlk,`

			`owner @{APP_REPOSITORY_DIRS}/ r,`
			`owner @{APP_REPOSITORY_DIRS}/** rwlk,`

			`owner @{APP_REPOSITORY_DIRS}//.git/hooks/pre-receive Px -> forgejo//hooks-pre-receive,`
			`owner @{APP_REPOSITORY_DIRS}//.git/hooks/post-receive Px -> forgejo//hooks-post-receive,`
			`owner @{APP_REPOSITORY_DIRS}//.git/hooks/proc-receive Px -> forgejo//hooks-proc-receive,`

			`owner @{APP_REPOSITORY_DIRS}//.git/hooks/update Px -> forgejo//hooks-update,`

- apparmor: fix wiki editing OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=56 2025-03-14 06:40:13 +00:00			`owner @{APP_DATADIR}/data/tmp/local-repo/pull.*/ r,`
- move permissions of the log dir and the data dir from forgejo:forgejo u=rwX,g=rwX,o= to forgejo:forgejo u=rwX,g=rX,o= - update apparmor profile to a profile that is less broad. - create all directories before actually installing files - make the HOME dir in the service file the same as the user - migrate existing authorized keys files from %{_datadir}/%{name}/.ssh/authorized_keys to %{_sharedstatedir}/%{name}/data/home/.ssh/authorized_keys - fix file list to lock down permissions more - don't require the apparmor subpackage when apparmor is installed the current profile is rather bad and it should be possible to keep it out. - user should actually use /var/lib/forgejo/data/home OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=53 2025-03-11 12:47:50 +00:00			`owner @{APP_DATADIR}/data/tmp/local-repo/pull./* rwlk,`

- apparmor: fix wiki editing OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=56 2025-03-14 06:40:13 +00:00			`owner @{APP_DATADIR}/data/tmp/local-repo/update-wiki*/ r,`
			`owner @{APP_DATADIR}/data/tmp/local-repo/update-wiki/* rwlk,`

- move permissions of the log dir and the data dir from forgejo:forgejo u=rwX,g=rwX,o= to forgejo:forgejo u=rwX,g=rX,o= - update apparmor profile to a profile that is less broad. - create all directories before actually installing files - make the HOME dir in the service file the same as the user - migrate existing authorized keys files from %{_datadir}/%{name}/.ssh/authorized_keys to %{_sharedstatedir}/%{name}/data/home/.ssh/authorized_keys - fix file list to lock down permissions more - don't require the apparmor subpackage when apparmor is installed the current profile is rather bad and it should be possible to keep it out. - user should actually use /var/lib/forgejo/data/home OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=53 2025-03-11 12:47:50 +00:00			`include if exists <forgejo.d/git.d>`
			`include if exists <local/forgejo-git>`
			`}`

- apparmor: fix wiki editing OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=56 2025-03-14 06:40:13 +00:00			`profile git-bash {`
			`include <abstractions/base>`
			`include <abstractions/bash>`
			`include <abstractions/consoles>`

			`/usr/bin/bash rm,`

			`/usr/lib{,exec}/git/git Px -> forgejo//git,`
			`/usr/lib{,exec}/git/git-write-tree Px -> forgejo//git,`
			`}`

- move permissions of the log dir and the data dir from forgejo:forgejo u=rwX,g=rwX,o= to forgejo:forgejo u=rwX,g=rX,o= - update apparmor profile to a profile that is less broad. - create all directories before actually installing files - make the HOME dir in the service file the same as the user - migrate existing authorized keys files from %{_datadir}/%{name}/.ssh/authorized_keys to %{_sharedstatedir}/%{name}/data/home/.ssh/authorized_keys - fix file list to lock down permissions more - don't require the apparmor subpackage when apparmor is installed the current profile is rather bad and it should be possible to keep it out. - user should actually use /var/lib/forgejo/data/home OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=53 2025-03-11 12:47:50 +00:00			`profile hooks-pre-receive {`
			`include <abstractions/forgejo-hooks>`

			`owner @{APP_REPOSITORY_DIRS}///hooks/pre-receive r,`
			`owner @{APP_REPOSITORY_DIRS}///hooks/pre-receive.d/ r,`
			`owner @{APP_REPOSITORY_DIRS}///hooks/pre-receive.d/gitea Px -> forgejo//hooks-gitea,`

			`include if exists <forgejo.d/hooks-pre-receive.d>`
			`include if exists <local/forgejo-hooks-pre-receive>`
			`}`

			`profile hooks-post-receive {`
			`include <abstractions/forgejo-hooks>`

			`owner @{APP_REPOSITORY_DIRS}///hooks/post-receive r,`
			`owner @{APP_REPOSITORY_DIRS}///hooks/post-receive.d/ r,`
			`owner @{APP_REPOSITORY_DIRS}///hooks/post-receive.d/gitea Px -> forgejo//hooks-gitea,`

			`include if exists <forgejo.d/hooks-post-receive.d>`
			`include if exists <local/forgejo-hooks-post-receive>`
			`}`

			`profile hooks-proc-receive {`
			`include <abstractions/forgejo-hooks>`

			`owner @{APP_REPOSITORY_DIRS}///hooks/proc-receive r,`
			`owner @{APP_REPOSITORY_DIRS}///hooks/proc-receive.d/ r,`
			`owner @{APP_REPOSITORY_DIRS}///hooks/proc-receive.d/gitea Px -> forgejo//hooks-gitea,`

			`include if exists <forgejo.d/hooks-proc-receive.d>`
			`include if exists <local/forgejo-hooks-proc-receive>`
			`}`

			`profile hooks-update {`
			`include <abstractions/forgejo-hooks>`

			`owner @{APP_REPOSITORY_DIRS}///hooks/update r,`
			`owner @{APP_REPOSITORY_DIRS}///hooks/update.d/ r,`
			`owner @{APP_REPOSITORY_DIRS}///hooks/update.d/gitea Px -> forgejo//hooks-gitea,`

			`include if exists <forgejo.d/hooks-update.d>`
			`include if exists <local/forgejo-hooks-update>`
			`}`

			`profile hooks-gitea {`
			`include <abstractions/forgejo-hooks>`

			`owner @{APP_REPOSITORY_DIRS}///hooks/*.d/gitea r,`
			`/usr/bin/forgejo Px -> forgejo//forgejo-hooks,`
			`}`

			`profile simple_tool {`
			`include <abstractions/base>`

			`/usr/bin/env rm,`
			`/usr/bin/cat rm,`
			`/usr/bin/basename rm,`
			`}`

			`owner @{APP_DATADIR}/ r,`

			`owner @{APP_DATADIR}/data/ r,`
			`owner @{APP_DATADIR}/data/** rwlk,`

			`owner @{APP_DATADIR}/https/ r,`
			`owner @{APP_DATADIR}/https/** rwlk,`

			`owner @{APP_DATADIR}/indexers/ r,`
			`owner @{APP_DATADIR}/indexers/** rwlk,`

			`owner @{APP_DATADIR}/queues/ r,`
			`owner @{APP_DATADIR}/queues/** rwlk,`

			`owner @{APP_REPOSITORY_DIRS}/ r,`
			`owner @{APP_REPOSITORY_DIRS}/** rwlk,`

			`owner /var/log/forgejo/ r,`
- apparmor: fix wiki editing OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=56 2025-03-14 06:40:13 +00:00			`owner /var/log/forgejo/gitea.log* rwlk,`
- move permissions of the log dir and the data dir from forgejo:forgejo u=rwX,g=rwX,o= to forgejo:forgejo u=rwX,g=rX,o= - update apparmor profile to a profile that is less broad. - create all directories before actually installing files - make the HOME dir in the service file the same as the user - migrate existing authorized keys files from %{_datadir}/%{name}/.ssh/authorized_keys to %{_sharedstatedir}/%{name}/data/home/.ssh/authorized_keys - fix file list to lock down permissions more - don't require the apparmor subpackage when apparmor is installed the current profile is rather bad and it should be possible to keep it out. - user should actually use /var/lib/forgejo/data/home OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=53 2025-03-11 12:47:50 +00:00			`}`