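# AppArmor profile for the Forgejo git forge (/usr/bin/forgejo), covering
# both the long-running daemon and the interactive CLI. Everything the
# confined process may touch is enumerated below; anything not listed is
# denied by the kernel. Site-specific extras belong in local/usr.bin.forgejo,
# not in this file.
abi <abi/3.0>,

include <tunables/global>

# attach_disconnected: let the kernel resolve paths whose mount point has been
# disconnected from the process's namespace (e.g. a unit running with a
# private /tmp); without it such accesses fail with "disconnected path".
profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {

  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  include <abstractions/user-tmp>
  # Presumably only needed when the database backend is a local
  # MySQL/MariaDB socket -- harmless otherwise.
  include <abstractions/mysql>

  # TCP only: the HTTP(S)/SSH listeners plus outbound connections (webhooks,
  # mirrors, mail). DNS datagram sockets are expected to come from the
  # nameservice abstraction, so no bare dgram rule is added here.
  network inet stream,
  network inet6 stream,

  /usr/bin/forgejo mr,
  /usr/bin/gzip mr,

  # Grant read access to config files
  /etc/mime.types r,
  /usr/share/mime/globs2 r,
  /etc/machine-id r,
  /etc/forgejo/ r,
  /etc/forgejo/{conf,https,mailer}/ r,
  # TLS material for the built-in HTTPS listener, private keys included.
  # The profile only grants read; keep the files root-owned with a
  # restrictive mode so the service group is the only reader.
  /etc/forgejo/https/*.{crt,key,pem} r,

  # Access to config file app.ini
  /etc/forgejo/conf/app.ini r,
  # app.ini must be writable for the initial (web-based) setup. The rule is
  # `owner`-qualified, so it only matches while the file is owned by the uid
  # the service runs as. To make the config read-only once setup is done,
  # hand the file to root -- the write rule then stops matching and no
  # profile edit is required:
  #   chown root:<service-group> /etc/forgejo/conf/app.ini
  #   chmod 0640 /etc/forgejo/conf/app.ini
  # (app.ini typically carries instance secrets and database credentials;
  # it should never be world-readable.)
  owner /etc/forgejo/conf/app.ini w,

  # Grant read access to public custom static content
  /etc/forgejo/public/ r,
  /etc/forgejo/public/** r,

  # allow invoking executables -- all with `ix`, so the children keep running
  # under this same profile instead of escaping to unconfined (`ux`/`Ux`).
  /usr/bin/{basename,bash,cat,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
  /usr/{lib,libexec}/git/git ix,
  /usr/{lib,libexec}/git/git-remote-http ix,
  /usr/share/git-core/templates/ r,
  /usr/share/git-core/templates/** r,
  /etc/gitconfig r,

  # Grant read access to static content
  /usr/share/forgejo/** r,

  # Grant read access to some process parameters
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{PROC}/sys/net/core/somaxconn r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,

  # Grant read access to working directory
  /var/lib/forgejo/ r,

  # Allow TTY access -- for interactive `forgejo` CLI use. A site that only
  # ever runs the binary as a service may take this away with a
  # `deny /dev/tty rw,` rule in local/usr.bin.forgejo.
  /dev/tty rw,

  # Grant access to various data/repo directories
  # (the /tmp rules are likely already covered by abstractions/user-tmp;
  # they are kept explicit for documentation)
  owner /tmp/patch* rw,
  owner /tmp/index* rw,
  owner /tmp/forgejo** rwl,
  owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
  owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
  owner /var/lib/forgejo/data/forgejo-repositories/** rwkl,
  # Git hooks are repository content and may be installable by repository
  # admins, i.e. they are untrusted code. `ix` keeps them confined under
  # this profile; never relax this to `ux`/`Ux`.
  owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
  owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
  owner /var/lib/forgejo/https/** rwkl,

  # Ugly! These paths suggest /usr/share/forgejo is being used as the service
  # user's HOME (~/.gitconfig, ~/.ssh, ~/.local) -- TODO confirm. A writable
  # HOME under /usr/share is unusual; the rules are kept so git-config and
  # authorized_keys updates keep working. Note they are not `owner`-qualified.
  /usr/share/forgejo/.gitconfig rw,
  /usr/share/forgejo/.gitconfig.lock rw,
  /usr/share/forgejo/.ssh/ rw,
  /usr/share/forgejo/.ssh/* rw,
  /usr/share/forgejo/.local/** rw,

  # for writing access log file
  /var/log/forgejo/ rw,
  /var/log/forgejo/access.log rw,
  /var/log/forgejo/access.log.* w,
  /var/log/forgejo/doctors-* rw,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.bin.forgejo>
}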