b2b5be77cc
* it was possible to use a token sent via email for secondary email validation
to reset the password instead. In other words, a token sent for a given
action (registration, password reset or secondary email validation) could
be used to perform a different action.
* a fork of a public repository would show in the list of forks, even if its
owner was not a public user or organization.
* the members of an organization team with read access to a repository (e.g.
to read issues) but no read access to the code could read the RSS or atom
feeds which include the commit activity. Reading the RSS or atom feeds is
now denied unless the team has read permissions on the code.
* the tokens used when replying by email to issues or pull requests were
weaker than the rfc2104 recommendations.
* a registered user could modify the update frequency of any push mirror.
* it was possible to use basic authorization (i.e. user:password) for requests
to the API even when security keys were enrolled for a user.
* some markup sanitation rules were not as strong as they could be.
* when Forgejo is configured to enable instance wide search (e.g. with bleve),
results found in the repositories of private or limited users were displayed
to anonymous visitors.
* fix: handle renamed dependency for cargo registry.
* support www.github.com for migrations.
* move forgot_password-link to fix login tab order.
* code owners will not be mentioned when a pull request comes from a forked
repository.
* labels are missing in the pull request payload removing a label.
* in a Forgejo Actions workflow, the unlabeled event type for pull requests
was incorrectly mapped to the labeled event type.
* when a Forgejo Actions issue or pull request workflow is triggered by an
labeled or unlabeled event type, it misses information about the label added
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=45
219 lines
4.1 KiB
Plaintext
219 lines
4.1 KiB
Plaintext
|
|
## <summary>policy for forgejo</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute forgejo_exec_t in the forgejo domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`forgejo_domtrans',`
|
|
gen_require(`
|
|
type forgejo_t, forgejo_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, forgejo_exec_t, forgejo_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
## Execute forgejo in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`forgejo_exec',`
|
|
gen_require(`
|
|
type forgejo_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
can_exec($1, forgejo_exec_t)
|
|
')
|
|
########################################
|
|
## <summary>
|
|
## Read forgejo's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`forgejo_read_log',`
|
|
gen_require(`
|
|
type forgejo_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
read_files_pattern($1, forgejo_log_t, forgejo_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Append to forgejo log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`forgejo_append_log',`
|
|
gen_require(`
|
|
type forgejo_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
append_files_pattern($1, forgejo_log_t, forgejo_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage forgejo log files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`forgejo_manage_log',`
|
|
gen_require(`
|
|
type forgejo_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
manage_dirs_pattern($1, forgejo_log_t, forgejo_log_t)
|
|
manage_files_pattern($1, forgejo_log_t, forgejo_log_t)
|
|
manage_lnk_files_pattern($1, forgejo_log_t, forgejo_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Search forgejo lib directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`forgejo_search_lib',`
|
|
gen_require(`
|
|
type forgejo_var_lib_t;
|
|
')
|
|
|
|
allow $1 forgejo_var_lib_t:dir search_dir_perms;
|
|
files_search_var_lib($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read forgejo lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`forgejo_read_lib_files',`
|
|
gen_require(`
|
|
type forgejo_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
read_files_pattern($1, forgejo_var_lib_t, forgejo_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage forgejo lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`forgejo_manage_lib_files',`
|
|
gen_require(`
|
|
type forgejo_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
manage_files_pattern($1, forgejo_var_lib_t, forgejo_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Manage forgejo lib directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`forgejo_manage_lib_dirs',`
|
|
gen_require(`
|
|
type forgejo_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
manage_dirs_pattern($1, forgejo_var_lib_t, forgejo_var_lib_t)
|
|
')
|
|
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to administrate
|
|
## an forgejo environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`forgejo_admin',`
|
|
gen_require(`
|
|
type forgejo_t;
|
|
type forgejo_log_t;
|
|
type forgejo_var_lib_t;
|
|
')
|
|
|
|
allow $1 forgejo_t:process { signal_perms };
|
|
ps_process_pattern($1, forgejo_t)
|
|
|
|
tunable_policy(`deny_ptrace',`',`
|
|
allow $1 forgejo_t:process ptrace;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
admin_pattern($1, forgejo_log_t)
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, forgejo_var_lib_t)
|
|
optional_policy(`
|
|
systemd_passwd_agent_exec($1)
|
|
systemd_read_fifo_file_passwd_run($1)
|
|
')
|
|
')
|