forgejo/apparmor-usr.bin.forgejo

89 lines
2.6 KiB
Plaintext
Raw Normal View History

abi <abi/3.0>,
#include <tunables/global>
profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/openssl>
#include <abstractions/user-tmp>
#include <abstractions/mysql>
network inet stream,
network inet6 stream,
/usr/bin/forgejo mr,
/usr/bin/gzip mr,
# Grant read access to config files
/etc/mime.types r,
/usr/share/mime/globs2 r,
/etc/machine-id r,
/etc/forgejo/ r,
/etc/forgejo/{conf,https,mailer}/ r,
/etc/forgejo/https/*.{crt,key,pem} r,
# Access to config file app.ini
/etc/forgejo/conf/app.ini r,
# Config must be writeable for initial setup
# to restrict to read-only access admin can do after setup:
# chown root:gitea /etc/gitea/conf/app.ini
# chmod 0640 /etc/gitea/conf/app.ini
owner /etc/forgejo/conf/app.ini w,
# Grant read access to public custom static content
/etc/forgejo/public/ r,
/etc/forgejo/public/** r,
# allow invoking executables
/usr/bin/{basename,bash,cat,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
/usr/{lib,libexec}/git/git ix,
/usr/{lib,libexec}/git/git-remote-http ix,
/usr/share/git-core/templates/ r,
/usr/share/git-core/templates/** r,
/etc/gitconfig r,
# Grant read access to static content
/usr/share/forgejo/** r,
# Grant read access to some process parameters
/sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@{PROC}/sys/net/core/somaxconn r,
owner @{PROC}/@{pid}/fd/ r,
owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,
# Grant read access to working directory
/var/lib/forgejo/ r,
# Allow TTY access
/dev/tty rw,
# Grant access to various data/repo directories
owner /tmp/patch* rw,
owner /tmp/index* rw,
owner /tmp/forgejo** rwl,
owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
owner /var/lib/forgejo/data/forgejo-repositories/** rwkl,
owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
owner /var/lib/forgejo/https/** rwkl,
# Ugly!
/usr/share/forgejo/.gitconfig rw,
/usr/share/forgejo/.gitconfig.lock rw,
/usr/share/forgejo/.ssh/ rw,
/usr/share/forgejo/.ssh/* rw,
/usr/share/forgejo/.local/** rw,
# for writing access log file
/var/log/forgejo/ rw,
/var/log/forgejo/access.log rw,
/var/log/forgejo/access.log.* w,
/var/log/forgejo/doctors-* rw,
# Site-specific additions and overrides. See local/README for details.
include if exists <local/usr.bin.forgejo>
}