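# AppArmor profile for the Forgejo service binary (/usr/bin/forgejo).
#
# Layout restored from a collapsed extraction: the angle-bracketed targets of
# the abi line and of the include directives were stripped on the way here, so
# they are marked with labelled placeholders below and must be restored from
# the packaged profile before this file is loaded.  Every permission rule is
# kept exactly as it was.

# ABI_TARGET_PLACEHOLDER: usually abi/3.0 on AppArmor 3 -- confirm against the
# packaged profile.
abi <ABI_TARGET_PLACEHOLDER>,

# tunables/global defines @{PROC} and @{pid}, which the rules below rely on.
include <tunables/global>

# attach_disconnected: allow access to files whose path is disconnected from
# the namespace root (e.g. inside a mount namespace or after unlinking).
profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
  # The original profile pulled in five abstractions here; their names were
  # lost in extraction.  Restore them from the packaged profile.
  include <INCLUDE_TARGET_1_PLACEHOLDER>
  include <INCLUDE_TARGET_2_PLACEHOLDER>
  include <INCLUDE_TARGET_3_PLACEHOLDER>
  include <INCLUDE_TARGET_4_PLACEHOLDER>
  include <INCLUDE_TARGET_5_PLACEHOLDER>

  # Only TCP is granted; no dgram/raw sockets.
  network inet stream,
  network inet6 stream,

  # Own binary and gzip may be mapped executable (mr = read + mmap exec).
  /usr/bin/forgejo mr,
  /usr/bin/gzip mr,

  # Grant read access to config files
  /etc/mime.types r,
  /usr/share/mime/globs2 r,
  /etc/machine-id r,
  /etc/forgejo/ r,
  /etc/forgejo/{conf,https,mailer}/ r,
  # TLS material, including private keys: keep these files owned by root and
  # group-readable by the service account only.
  /etc/forgejo/https/*.{crt,key,pem} r,

  # Access to config file app.ini
  /etc/forgejo/conf/app.ini r,
  # Config must be writeable for initial setup.
  # To restrict to read-only access the admin can do after setup
  # (replace <service group> with the group Forgejo runs as):
  #   chown root:<service group> /etc/forgejo/conf/app.ini
  #   chmod 0640 /etc/forgejo/conf/app.ini
  # "owner" means the write is only allowed while the file is owned by the
  # service uid, so the chown above also revokes this rule in practice.
  owner /etc/forgejo/conf/app.ini w,

  # Grant read access to public custom static content
  /etc/forgejo/public/ r,
  /etc/forgejo/public/** r,

  # allow invoking executables
  # ix = execute and inherit this profile, so child processes (including any
  # shell started via bash) stay confined by the same rules.
  /usr/bin/{basename,bash,cat,env,git,git-lfs,forgejo,ssh-keygen,gzip} ix,
  /usr/{lib,libexec}/git/git ix,
  /usr/{lib,libexec}/git/git-remote-http ix,
  /usr/share/git-core/templates/ r,
  /usr/share/git-core/templates/** r,
  /etc/gitconfig r,

  # Grant read access to static content
  /usr/share/forgejo/** r,

  # Grant read access to some process parameters
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{PROC}/sys/net/core/somaxconn r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,

  # Grant read access to working directory
  /var/lib/forgejo/ r,

  # Allow TTY access
  # NOTE(review): a daemon should not need a TTY; presumably this serves the
  # interactive CLI use of /usr/bin/forgejo -- confirm and drop if unused.
  /dev/tty rw,

  # Grant access to various data/repo directories
  # All rules are "owner"-qualified: they apply only to files owned by the
  # service uid, so data planted by another user is not covered.
  owner /tmp/patch* rw,
  owner /tmp/index* rw,
  owner /tmp/forgejo** rwl,
  owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
  owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
  owner /var/lib/forgejo/data/forgejo-repositories/** rwkl,
  # Repository hooks are written by the service itself (rwkl above) and are
  # executed with ix, so they remain confined by this profile rather than
  # running unconfined.
  owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
  owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
  owner /var/lib/forgejo/https/** rwkl,

  # Ugly!
  # The service's HOME-style state (git config, ssh dir, .local) lives under
  # /usr/share and is writable here, so /usr cannot be mounted read-only for
  # this service.  Consider relocating HOME to /var/lib/forgejo and dropping
  # these write rules; the rules are kept unchanged here.
  /usr/share/forgejo/.gitconfig rw,
  /usr/share/forgejo/.gitconfig.lock rw,
  /usr/share/forgejo/.ssh/ rw,
  /usr/share/forgejo/.ssh/* rw,
  /usr/share/forgejo/.local/** rw,

  # for writing access log file
  /var/log/forgejo/ rw,
  /var/log/forgejo/access.log rw,
  # Rotated logs are write-only (w): the service can append but not read them back.
  /var/log/forgejo/access.log.* w,
  /var/log/forgejo/doctors-* rw,

  # Site-specific additions and overrides. See local/README for details.
  # The include target was lost in extraction; local/<profile name> is the
  # AppArmor convention for this line -- confirm against the packaged profile.
  include if exists <local/forgejo>
}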