forgejo/forgejo.apparmor

65 lines
2.0 KiB
Plaintext
Raw Normal View History

abi <abi/3.0>,
- update to 8.0.1: * A change introduced in Forgejo v1.21 allows a Forgejo user with write permission on a repository description to inject a client-side script into the web page viewed by the visitor. This XSS allows for href in anchor elements to be set to a javascript: URI in the repository description, which will execute the specified script upon clicking (and not upon loading). AllowStandardURLs is now called for the repository description policy, which ensures that URIs in anchor elements are mailto:, http:// or https:// and thereby disallowing the javascript: URI. * Do not include trailing EOL character when counting lines * Add background to reactions on hover * Prevent uppercase in header of dashboard context selector * Fix page layout in admin settings * Ensure all filters are persistent in issue filters * Allow 4 charachter SHA in /src/commit - update to 8.0.0: full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0 Highlights: * remove Microsoft SQL Server support * introduce a branch/tag dropdown in the code search page * added support for fuzzy searching in /user/repo/issues and /user/repo/pulls * API endpoints for managing tag protection. * add Reviewed-on and Reviewed-by variables to the merge template * display an error when an issue comment is edited simultaneously by two users instead of silently overriding one of them * when installing Forgejo through the built-in installer, open (self-) registration is now disabled by default * add support for the reddit and Hubspot OAuth providers. * CERT management was improved when ENABLE_ACME=true * language detection in the repository got additional languages OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=31
2024-08-12 00:22:28 +02:00
include <tunables/global>
profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
- update to 8.0.1: * A change introduced in Forgejo v1.21 allows a Forgejo user with write permission on a repository description to inject a client-side script into the web page viewed by the visitor. This XSS allows for href in anchor elements to be set to a javascript: URI in the repository description, which will execute the specified script upon clicking (and not upon loading). AllowStandardURLs is now called for the repository description policy, which ensures that URIs in anchor elements are mailto:, http:// or https:// and thereby disallowing the javascript: URI. * Do not include trailing EOL character when counting lines * Add background to reactions on hover * Prevent uppercase in header of dashboard context selector * Fix page layout in admin settings * Ensure all filters are persistent in issue filters * Allow 4 charachter SHA in /src/commit - update to 8.0.0: full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0 Highlights: * remove Microsoft SQL Server support * introduce a branch/tag dropdown in the code search page * added support for fuzzy searching in /user/repo/issues and /user/repo/pulls * API endpoints for managing tag protection. * add Reviewed-on and Reviewed-by variables to the merge template * display an error when an issue comment is edited simultaneously by two users instead of silently overriding one of them * when installing Forgejo through the built-in installer, open (self-) registration is now disabled by default * add support for the reddit and Hubspot OAuth providers. * CERT management was improved when ENABLE_ACME=true * language detection in the repository got additional languages OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=31
2024-08-12 00:22:28 +02:00
include <abstractions/base>
include <abstractions/mysql>
include <abstractions/nameservice>
include <abstractions/opencl-pocl>
include <abstractions/openssl>
include <abstractions/user-tmp>
include if exists <local/usr.bin.forgejo>
- update to 8.0.1: * A change introduced in Forgejo v1.21 allows a Forgejo user with write permission on a repository description to inject a client-side script into the web page viewed by the visitor. This XSS allows for href in anchor elements to be set to a javascript: URI in the repository description, which will execute the specified script upon clicking (and not upon loading). AllowStandardURLs is now called for the repository description policy, which ensures that URIs in anchor elements are mailto:, http:// or https:// and thereby disallowing the javascript: URI. * Do not include trailing EOL character when counting lines * Add background to reactions on hover * Prevent uppercase in header of dashboard context selector * Fix page layout in admin settings * Ensure all filters are persistent in issue filters * Allow 4 charachter SHA in /src/commit - update to 8.0.0: full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0 Highlights: * remove Microsoft SQL Server support * introduce a branch/tag dropdown in the code search page * added support for fuzzy searching in /user/repo/issues and /user/repo/pulls * API endpoints for managing tag protection. * add Reviewed-on and Reviewed-by variables to the merge template * display an error when an issue comment is edited simultaneously by two users instead of silently overriding one of them * when installing Forgejo through the built-in installer, open (self-) registration is now disabled by default * add support for the reddit and Hubspot OAuth providers. * CERT management was improved when ENABLE_ACME=true * language detection in the repository got additional languages OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=31
2024-08-12 00:22:28 +02:00
network inet stream,
network inet6 stream,
/etc/forgejo/ r,
/etc/forgejo/conf/app.ini r,
/etc/forgejo/public/ r,
/etc/forgejo/public/** r,
- update to 8.0.1: * A change introduced in Forgejo v1.21 allows a Forgejo user with write permission on a repository description to inject a client-side script into the web page viewed by the visitor. This XSS allows for href in anchor elements to be set to a javascript: URI in the repository description, which will execute the specified script upon clicking (and not upon loading). AllowStandardURLs is now called for the repository description policy, which ensures that URIs in anchor elements are mailto:, http:// or https:// and thereby disallowing the javascript: URI. * Do not include trailing EOL character when counting lines * Add background to reactions on hover * Prevent uppercase in header of dashboard context selector * Fix page layout in admin settings * Ensure all filters are persistent in issue filters * Allow 4 charachter SHA in /src/commit - update to 8.0.0: full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0 Highlights: * remove Microsoft SQL Server support * introduce a branch/tag dropdown in the code search page * added support for fuzzy searching in /user/repo/issues and /user/repo/pulls * API endpoints for managing tag protection. * add Reviewed-on and Reviewed-by variables to the merge template * display an error when an issue comment is edited simultaneously by two users instead of silently overriding one of them * when installing Forgejo through the built-in installer, open (self-) registration is now disabled by default * add support for the reddit and Hubspot OAuth providers. * CERT management was improved when ENABLE_ACME=true * language detection in the repository got additional languages OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=31
2024-08-12 00:22:28 +02:00
/etc/forgejo/{conf,https,mailer}/ r,
/etc/gitconfig r,
- update to 8.0.1: * A change introduced in Forgejo v1.21 allows a Forgejo user with write permission on a repository description to inject a client-side script into the web page viewed by the visitor. This XSS allows for href in anchor elements to be set to a javascript: URI in the repository description, which will execute the specified script upon clicking (and not upon loading). AllowStandardURLs is now called for the repository description policy, which ensures that URIs in anchor elements are mailto:, http:// or https:// and thereby disallowing the javascript: URI. * Do not include trailing EOL character when counting lines * Add background to reactions on hover * Prevent uppercase in header of dashboard context selector * Fix page layout in admin settings * Ensure all filters are persistent in issue filters * Allow 4 charachter SHA in /src/commit - update to 8.0.0: full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0 Highlights: * remove Microsoft SQL Server support * introduce a branch/tag dropdown in the code search page * added support for fuzzy searching in /user/repo/issues and /user/repo/pulls * API endpoints for managing tag protection. * add Reviewed-on and Reviewed-by variables to the merge template * display an error when an issue comment is edited simultaneously by two users instead of silently overriding one of them * when installing Forgejo through the built-in installer, open (self-) registration is now disabled by default * add support for the reddit and Hubspot OAuth providers. * CERT management was improved when ENABLE_ACME=true * language detection in the repository got additional languages OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=31
2024-08-12 00:22:28 +02:00
/etc/mime.types r,
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
- update to 8.0.1: * A change introduced in Forgejo v1.21 allows a Forgejo user with write permission on a repository description to inject a client-side script into the web page viewed by the visitor. This XSS allows for href in anchor elements to be set to a javascript: URI in the repository description, which will execute the specified script upon clicking (and not upon loading). AllowStandardURLs is now called for the repository description policy, which ensures that URIs in anchor elements are mailto:, http:// or https:// and thereby disallowing the javascript: URI. * Do not include trailing EOL character when counting lines * Add background to reactions on hover * Prevent uppercase in header of dashboard context selector * Fix page layout in admin settings * Ensure all filters are persistent in issue filters * Allow 4 charachter SHA in /src/commit - update to 8.0.0: full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0 Highlights: * remove Microsoft SQL Server support * introduce a branch/tag dropdown in the code search page * added support for fuzzy searching in /user/repo/issues and /user/repo/pulls * API endpoints for managing tag protection. * add Reviewed-on and Reviewed-by variables to the merge template * display an error when an issue comment is edited simultaneously by two users instead of silently overriding one of them * when installing Forgejo through the built-in installer, open (self-) registration is now disabled by default * add support for the reddit and Hubspot OAuth providers. * CERT management was improved when ENABLE_ACME=true * language detection in the repository got additional languages OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=31
2024-08-12 00:22:28 +02:00
/usr/bin/forgejo mr,
/usr/bin/git mr,
/usr/bin/gzip mr,
/usr/bin/{basename,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
/usr/libexec/git/git-write-tree mrix,
/usr/share/forgejo/** r,
/usr/share/forgejo/.gitconfig rw,
/usr/share/forgejo/.gitconfig.lock rw,
- update to 8.0.1: * A change introduced in Forgejo v1.21 allows a Forgejo user with write permission on a repository description to inject a client-side script into the web page viewed by the visitor. This XSS allows for href in anchor elements to be set to a javascript: URI in the repository description, which will execute the specified script upon clicking (and not upon loading). AllowStandardURLs is now called for the repository description policy, which ensures that URIs in anchor elements are mailto:, http:// or https:// and thereby disallowing the javascript: URI. * Do not include trailing EOL character when counting lines * Add background to reactions on hover * Prevent uppercase in header of dashboard context selector * Fix page layout in admin settings * Ensure all filters are persistent in issue filters * Allow 4 charachter SHA in /src/commit - update to 8.0.0: full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0 Highlights: * remove Microsoft SQL Server support * introduce a branch/tag dropdown in the code search page * added support for fuzzy searching in /user/repo/issues and /user/repo/pulls * API endpoints for managing tag protection. * add Reviewed-on and Reviewed-by variables to the merge template * display an error when an issue comment is edited simultaneously by two users instead of silently overriding one of them * when installing Forgejo through the built-in installer, open (self-) registration is now disabled by default * add support for the reddit and Hubspot OAuth providers. * CERT management was improved when ENABLE_ACME=true * language detection in the repository got additional languages OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=31
2024-08-12 00:22:28 +02:00
/usr/share/git-core/templates/ r,
/usr/share/git-core/templates/** r,
/usr/share/mime/globs2 r,
/usr/{lib,libexec}/git/git ix,
/usr/{lib,libexec}/git/git-remote-http ix,
/var/ r,
/var/lib/ r,
/var/lib/forgejo/ r,
/var/lib/forgejo/.local/** rw,
/var/lib/forgejo/.ssh/ rw,
/var/lib/forgejo/.ssh/* rw,
/var/log/forgejo/ rw,
/var/log/forgejo/access.log rw,
/var/log/forgejo/access.log.* w,
/var/log/forgejo/doctors-* rw,
- update to 8.0.1: * A change introduced in Forgejo v1.21 allows a Forgejo user with write permission on a repository description to inject a client-side script into the web page viewed by the visitor. This XSS allows for href in anchor elements to be set to a javascript: URI in the repository description, which will execute the specified script upon clicking (and not upon loading). AllowStandardURLs is now called for the repository description policy, which ensures that URIs in anchor elements are mailto:, http:// or https:// and thereby disallowing the javascript: URI. * Do not include trailing EOL character when counting lines * Add background to reactions on hover * Prevent uppercase in header of dashboard context selector * Fix page layout in admin settings * Ensure all filters are persistent in issue filters * Allow 4 charachter SHA in /src/commit - update to 8.0.0: full changelog at https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#8-0-0 Highlights: * remove Microsoft SQL Server support * introduce a branch/tag dropdown in the code search page * added support for fuzzy searching in /user/repo/issues and /user/repo/pulls * API endpoints for managing tag protection. * add Reviewed-on and Reviewed-by variables to the merge template * display an error when an issue comment is edited simultaneously by two users instead of silently overriding one of them * when installing Forgejo through the built-in installer, open (self-) registration is now disabled by default * add support for the reddit and Hubspot OAuth providers. * CERT management was improved when ENABLE_ACME=true * language detection in the repository got additional languages OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=31
2024-08-12 00:22:28 +02:00
@{PROC}/sys/net/core/somaxconn r,
owner /etc/forgejo/conf/app.ini w,
owner /tmp/forgejo** rwl,
owner /tmp/index* rw,
owner /tmp/patch* rw,
owner /usr/share/forgejo/** rw,
owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
owner /var/lib/forgejo/data/forgejo-repositories/** rwlk,
owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
owner /var/lib/forgejo/https/** rwlk,
owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
owner /var/log/forgejo/gitea.log w,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,
}