# AppArmor policy for the Forgejo server (/usr/bin/forgejo) and the helpers it
# spawns: git, the bash that git uses for scripted hooks, the per-hook wrappers
# installed in each repository, and the forgejo binary re-executed by those hooks.
# Each helper runs in its own child profile (forgejo//<name>), so a compromise of
# one stage does not inherit the server's full file access.
#
# NOTE(review): the targets of every `abi` and `include` directive below were
# lost when this page was extracted (angle-bracket content stripped). The bare
# keywords are kept as found; restore the `<abi/...>`, `<tunables/...>`,
# `<abstractions/...>` and `<local/...>` targets from the original file before
# loading this policy. Until then, what each profile inherits (nameservice,
# base, bash, ...) cannot be determined from this text.
abi ,
include

# Installation root. All `owner` rules below are relative to this tree.
@{APP_DATADIR} = /var/lib/forgejo
# Two alternative repository roots; AppArmor expands a multi-valued variable
# into one rule per value, so every @{APP_REPOSITORY_DIRS} rule covers both.
# The first value lives under data/, so it is also reached by the main
# profile's `@{APP_DATADIR}/data/** rwlk` rule.
@{APP_REPOSITORY_DIRS} = @{APP_DATADIR}/data/forgejo-repositories @{APP_DATADIR}/repositories

# attach_disconnected lets the profile keep matching path rules for files whose
# path is no longer connected to the namespace root (after mount/namespace
# changes). NOTE(review): confirm the flag is actually needed in this
# deployment; it widens what path rules can match and should not be kept by
# default.
profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
  include

  # Listening/outgoing TCP only; no dgram rule is visible here, so DNS
  # resolution presumably comes from a stripped abstraction — confirm.
  network inet stream,
  network inet6 stream,

  # The server re-executing itself runs in a separate child profile
  # (Cx scrubs the environment). Presumably used for session/shell
  # invocations such as the SSH path — TODO confirm against the unit/sshd setup.
  /usr/bin/forgejo Cx -> forgejo-session-exec,

  # The server may signal any of its child profiles. Only `git` declares the
  # matching `signal (receive)` in the visible text.
  signal (send) peer=forgejo//*,

  # Child profile for the self-re-exec above. Only (stripped) includes remain,
  # so its effective permissions cannot be read from this page.
  profile forgejo-session-exec {
    include
    include if exists
    include if exists
  }

  # Child profile for /usr/bin/forgejo when launched from a repository hook
  # (see hooks-gitea). Kept distinct from the main profile so hook-spawned
  # forgejo does not get the server's permissions. Includes stripped — confirm.
  profile forgejo-hooks {
    include
    include if exists
    include if exists
  }

  # git as invoked by the server. Helpers under /usr/lib{,exec}/git run with
  # `ix` (inherit this profile); bash and the repository hooks leave it via
  # `Px` (discrete profile, environment scrubbed).
  profile git {
    include
    include
    include
    include

    signal (receive) peer=forgejo,

    /etc/gitconfig r,
    /usr/lib{,exec}/git/* rmix,
    /usr/share/git-core/** r,

    # Shell invocations by git (e.g. scripted hooks) are confined separately.
    /usr/bin/bash Px -> forgejo//git-bash,

    # Per-user git config lives in the data dir, not in a real home.
    owner @{APP_DATADIR}/data/home/.gitconfig rwlk,
    owner @{APP_DATADIR}/data/home/.gitconfig.lock rwlk,

    owner @{APP_REPOSITORY_DIRS}/ r,
    owner @{APP_REPOSITORY_DIRS}/** rwlk,

    # Server-side hooks are dispatched to dedicated child profiles. `*` does
    # not cross `/`, so the pattern pins the owner/<repo>.git layout.
    # NOTE(review): the hooks-* profiles below match `*/*/hooks/...` (any
    # second-level directory), which is broader than the `*/*.git/hooks/...`
    # used here — consider aligning the two patterns.
    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/pre-receive Px -> forgejo//hooks-pre-receive,
    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/post-receive Px -> forgejo//hooks-post-receive,
    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/proc-receive Px -> forgejo//hooks-proc-receive,
    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/update Px -> forgejo//hooks-update,

    # Scratch clones the server creates for pull-request and wiki updates —
    # TODO confirm the `pull.*` / `update-wiki*` naming against the current
    # Forgejo release.
    owner @{APP_DATADIR}/data/tmp/local-repo/pull.*/ r,
    owner @{APP_DATADIR}/data/tmp/local-repo/pull.*/** rwlk,
    owner @{APP_DATADIR}/data/tmp/local-repo/update-wiki*/ r,
    owner @{APP_DATADIR}/data/tmp/local-repo/update-wiki*/** rwlk,

    include if exists
    include if exists
  }

  # bash started by git. Apart from what the (stripped) includes grant, it may
  # only re-enter git under the git profile via these two binaries.
  profile git-bash {
    include
    include
    include

    /usr/bin/bash rm,
    /usr/lib{,exec}/git/git Px -> forgejo//git,
    /usr/lib{,exec}/git/git-write-tree Px -> forgejo//git,
  }

  # One profile per hook type. Each reads only its own hook script and the
  # matching `.d/` directory, then hands `.d/gitea` to hooks-gitea. The
  # interpreter needed to run the hook script must come from the stripped
  # include — confirm.
  profile hooks-pre-receive {
    include

    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive.d/ r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive.d/gitea Px -> forgejo//hooks-gitea,

    include if exists
    include if exists
  }

  profile hooks-post-receive {
    include

    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive.d/ r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive.d/gitea Px -> forgejo//hooks-gitea,

    include if exists
    include if exists
  }

  profile hooks-proc-receive {
    include

    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive.d/ r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive.d/gitea Px -> forgejo//hooks-gitea,

    include if exists
    include if exists
  }

  profile hooks-update {
    include

    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update.d/ r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update.d/gitea Px -> forgejo//hooks-gitea,

    include if exists
    include if exists
  }

  # The `.d/gitea` wrapper shared by all hook types. Its only exec target is
  # /usr/bin/forgejo, and that runs under forgejo-hooks rather than the main
  # server profile, so hook-triggered forgejo stays confined.
  profile hooks-gitea {
    include

    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/*.d/gitea r,
    /usr/bin/forgejo Px -> forgejo//forgejo-hooks,
  }

  # NOTE(review): no rule in this file transitions into simple_tool. Either it
  # is referenced from one of the stripped `include if exists` targets, or it is
  # dead and can be removed — confirm before loading.
  profile simple_tool {
    include

    /usr/bin/env rm,
    /usr/bin/cat rm,
    /usr/bin/basename rm,
  }

  # Server file access. `owner` restricts every rule to files owned by the
  # process's UID; `l` grants hard-link creation and `k` file locking.
  # `data/**` rwlk also covers hook scripts under the first repository root,
  # which is what lets the server (re)install hooks; any write into data/ by
  # the server process therefore also reaches those hooks.
  owner @{APP_DATADIR}/ r,
  owner @{APP_DATADIR}/data/ r,
  owner @{APP_DATADIR}/data/** rwlk,
  owner @{APP_DATADIR}/https/ r,
  owner @{APP_DATADIR}/https/** rwlk,
  owner @{APP_DATADIR}/indexers/ r,
  owner @{APP_DATADIR}/indexers/** rwlk,
  owner @{APP_DATADIR}/queues/ r,
  owner @{APP_DATADIR}/queues/** rwlk,
  owner @{APP_REPOSITORY_DIRS}/ r,
  owner @{APP_REPOSITORY_DIRS}/** rwlk,

  # Log directory; the `gitea.log*` glob presumably also covers rotated files.
  owner /var/log/forgejo/ r,
  owner /var/log/forgejo/gitea.log* rwlk,
}