Accepting request 1156263 from home:rrahl0:upgrades

add apparmor profile OBS-URL: https://build.opensuse.org/request/show/1156263 OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=4
2024-03-08 07:39:42 +00:00 · 2024-03-08 07:39:42 +00:00 · e5096b53ec
commit e5096b53ec
parent affc28b574
3 changed files with 111 additions and 0 deletions
--- a/apparmor-usr.bin.forgejo
+++ b/apparmor-usr.bin.forgejo
@ -0,0 +1,88 @@
+abi <abi/3.0>,
+
+#include <tunables/global>
+
+profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
+
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/openssl>
+  #include <abstractions/user-tmp>
+  #include <abstractions/mysql>
+
+  network inet  stream,
+  network inet6 stream,
+
+  /usr/bin/forgejo mr,
+  /usr/bin/gzip mr,
+
+  # Grant read access to config files
+  /etc/mime.types r,
+  /usr/share/mime/globs2 r,
+  /etc/machine-id r,
+  /etc/forgejo/ r,
+  /etc/forgejo/{conf,https,mailer}/ r,
+  /etc/forgejo/https/*.{crt,key,pem} r,
+
+  # Access to config file app.ini
+  /etc/forgejo/conf/app.ini r,
+  # Config must be writeable for initial setup
+  # to restrict to read-only access admin can do after setup:
+  # chown root:gitea /etc/gitea/conf/app.ini
+  # chmod 0640 /etc/gitea/conf/app.ini
+  owner /etc/forgejo/conf/app.ini w,
+
+  # Grant read access to public custom static content
+  /etc/forgejo/public/ r,
+  /etc/forgejo/public/** r,
+
+  # allow invoking executables
+  /usr/bin/{basename,bash,cat,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
+  /usr/{lib,libexec}/git/git ix,
+  /usr/{lib,libexec}/git/git-remote-http ix,
+  /usr/share/git-core/templates/ r,
+  /usr/share/git-core/templates/** r,
+  /etc/gitconfig r,
+
+  # Grant read access to static content
+  /usr/share/forgejo/** r,
+
+  # Grant read access to some process parameters
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  @{PROC}/sys/net/core/somaxconn r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,
+
+  # Grant read access to working directory
+  /var/lib/forgejo/ r,
+
+  # Allow TTY access
+  /dev/tty rw,
+
+  # Grant access to various data/repo directories
+  owner /tmp/patch* rw,
+  owner /tmp/index* rw,
+  owner /tmp/forgejo** rwl,
+  owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
+  owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
+  owner /var/lib/forgejo/data/forgejo-repositories/** rwkl,
+  owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
+  owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
+  owner /var/lib/forgejo/https/** rwkl,
+
+  # Ugly!
+  /usr/share/forgejo/.gitconfig rw,
+  /usr/share/forgejo/.gitconfig.lock rw,
+  /usr/share/forgejo/.ssh/ rw,
+  /usr/share/forgejo/.ssh/* rw,
+  /usr/share/forgejo/.local/** rw,
+
+  # for writing access log file
+  /var/log/forgejo/ rw,
+  /var/log/forgejo/access.log rw,
+  /var/log/forgejo/access.log.* w,
+  /var/log/forgejo/doctors-* rw,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/usr.bin.forgejo>
+}
--- a/forgejo.changes
+++ b/forgejo.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Mar  8 07:35:29 UTC 2024 - Richard Rahl <rrahl0@proton.me>
+
+- add apparmor profile leeched off of the gitea packaging
+
+- update to 1.21.7-0:
+  * Fix tarball/zipball download bug.
+  * Ensure HasIssueContentHistory takes into account comment_id.
+  * The google.golang.org/protobuf module was bumped to version v1.33.0 to fix
+    a bug in the google.golang.org/protobuf/encoding/protojson package which
+    could cause the Unmarshal function to enter an infinite loop when handling
+    some invalid inputs
+
 -------------------------------------------------------------------
 Fri Feb  9 10:07:58 UTC 2024 - Richard Rahl <rrahl0@proton.me>

--- a/forgejo.spec
+++ b/forgejo.spec
@ -33,6 +33,7 @@ Source4:        node_modules.spec.inc
 %include        %{_sourcedir}/node_modules.spec.inc
 Source5:        forgejo.service
 Source6:        forgejo.sysusers
+Source7:        apparmor-usr.bin.forgejo
 Source99:       get-sources.sh
 Patch0:         custom-app.ini.patch
 BuildRequires:  golang-packaging
@ -48,6 +49,9 @@ BuildRequires:  local-npm-registry
 BuildRequires:  make
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  sysuser-tools
+BuildRequires:  apparmor-abstractions
+BuildRequires:  apparmor-rpm-macros
+Recommends:     apparmor-abstractions
 Requires:       git-core
 Requires:       git-lfs
 Requires(pre):  shadow
@ -70,7 +74,9 @@ export TAGS="bindata timetzdata sqlite sqlite_unlock_notify"

 %install
 install -d %{buildroot}%{_bindir}
+install -d %{buildroot}%{_sysconfdir}/apparmor.d
 install -d %{buildroot}%{_datadir}/forgejo
+install -d %{buildroot}%{_datadir}/forgejo/{conf,https,mailer}
 ln -s %{name} %{buildroot}%{_bindir}/gitea
 install -d %{buildroot}%{_sharedstatedir}/%{name}/{data,https,indexers,queues,repositories}
 install -d %{buildroot}%{_sysconfdir}/%{name}
@ -79,12 +85,14 @@ install -D -m 0644 %{_builddir}/%{name}-src-%{gitea_version}-%{forgejo_version}/
 install -D -m 0755 %{_builddir}/%{name}-src-%{gitea_version}-%{forgejo_version}/gitea %{buildroot}%{_bindir}/forgejo
 install -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/forgejo.service
 install -D -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
+install -m 0644 %{SOURCE7} %{buildroot}%{_sysconfdir}/apparmor.d/usr.bin.forgejo

 %pre -f %{name}.pre
 %service_add_pre forgejo.service

 %post
 %service_add_post forgejo.service
+%apparmor_reload %{_sysconfdir}/apparmor.d/usr.bin.forgejo

 %preun
 %service_del_preun forgejo.service
@ -102,6 +110,8 @@ install -D -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}.conf
 %{_unitdir}/%{name}.service
 %{_bindir}/%{name}
 %{_bindir}/gitea
+%{_sysconfdir}/apparmor.d
+%config %{_sysconfdir}/apparmor.d/usr.bin.forgejo
 %defattr(0660,root,forgejo,770)
 %config(noreplace) %{_sysconfdir}/%{name}/conf/app.ini
 %{_sysconfdir}/%{name}