* Forgejo generates a token which is used to authenticate web endpoints that are only meant to be used internally, for instance when the SSH daemon is used to push a commit with Git. The verification of this token was not done in constant time and was susceptible to timing attacks. * Because of a missing permission check, the branch used to propose a pull request to a repository could always be deleted by the user performing the merge. * Fix boolean inputs in workflow_dispatch * package arch database not updating when uploading "any" architecture * correct SQL query for active issues * specify default value for EXPLORE_DEFAULT_SORT. * fix: Add recentupdated as recognized sort option * Update dependency mermaid to v11.3.0 (v9.0/forgejo) * Always update expiration time when creating an artifact * Update scheduled tasks even if changes are pushed by "ActionsUser" * Fix disable 2fa bug * i18n: update of translations from Codeberg Translate * fix: make branch protection work for new branches * link to security policy in security.txt * fix: don't show truncated comments in RSS/Atom feeds * fix: typo on releases for source code downloads * Revert "add gap between branch dropdown and PR button" * fix: Don't double escape delete branch text * fix: Add server logging for OAuth server errors * forgejo-cli is now a symlink and cannot be used for sanity checks * fix: correct documentation for non 200 responses in swagger - Forgejo is GPL-3.0-or-later since 9.0.0 OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/forgejo?expand=0&rev=43
abi <abi/3.0>,

include <tunables/global>

# AppArmor confinement for the Forgejo server binary.
#
# Forgejo spawns git (plus a few git helpers) for repository operations and
# executes the server-side hooks it installs into each repository. Every
# executable below is allowed with `ix` (inherit), so all children run under
# this same profile -- and therefore with this profile's full permission set.
# No `capability` rules are granted: the service is expected to run as its own
# unprivileged user and bind an unprivileged port.
profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  # Database client access (MySQL/MariaDB socket and client config).
  include <abstractions/mysql>
  # NOTE(review): an OpenCL abstraction is unusual for a Go web service and
  # grants more than the sysfs/CPU reads it is presumably here for. Worth
  # confirming which denial prompted it and replacing it with a narrow rule.
  include <abstractions/opencl-pocl>
  # Broad owner-only access to /tmp and /var/tmp.
  include <abstractions/user-tmp>

  # TCP sockets (IPv4/IPv6) for listening and outbound connections.
  network inet stream,
  network inet6 stream,

  ## Configuration: read-only, except app.ini (see below).
  /etc/forgejo/ r,
  /etc/forgejo/{conf,https,mailer,public}/ r,
  /etc/forgejo/public/** r,
  /etc/forgejo/conf/app.ini r,
  # NOTE(review): write access lets the confined process rewrite its own
  # configuration, which presumably holds the instance secrets. It is needed
  # for the initial web install; consider dropping it once the instance is
  # set up, so a compromised worker (or hook) cannot persist changes there.
  owner /etc/forgejo/conf/app.ini w,
  /etc/gitconfig r,
  /etc/mime.types r,
  /usr/share/mime/globs2 r,

  ## Kernel/proc probes, presumably made by the Go runtime and net package.
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{PROC}/sys/net/core/somaxconn r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,

  ## Executables. All `ix`: children stay confined, but inherit everything here.
  /usr/bin/{forgejo,git,gzip} mrix,
  # NOTE(review): `env` is only a trampoline -- whatever it execs (e.g. the
  # shell named in a hook shebang) needs its own execute rule in this profile.
  /usr/bin/{basename,env,git-lfs,ssh-keygen} ix,
  /usr/{lib,libexec}/git/git{,-remote-http} ix,
  /usr/libexec/git/git-write-tree mrix,
  /usr/share/git-core/templates/{,**} r,

  ## Bundled assets. A .gitconfig is kept here, so HOME is apparently set to
  ## this directory.
  /usr/share/forgejo/** r,
  /usr/share/forgejo/.gitconfig{,.lock} rw,
  # NOTE(review): owner-gated write to the asset tree. If these files are
  # owned by the service user, a compromised process could alter templates or
  # static assets served to users; keeping them root-owned makes this rule
  # inert. Confirm the ownership of /usr/share/forgejo.
  owner /usr/share/forgejo/** rw,

  ## State. Repositories additionally get `l` (hard links) on top of rwk.
  /var/ r,
  /var/lib/ r,
  /var/lib/forgejo/ r,
  /var/lib/forgejo/.local/** rw,
  owner /var/lib/forgejo/{data,indexers,queues,repositories,backups}/ r,
  owner /var/lib/forgejo/{data,indexers,queues,repositories}/** rwk,
  owner /var/lib/forgejo/data/forgejo-repositories/** rwlk,
  # Server-side hooks run confined by this profile. If custom hooks are
  # enabled for repository admins, hook authors effectively obtain this
  # profile's full permission set (including the app.ini write above).
  owner /var/lib/forgejo/data/forgejo-repositories/**.git/hooks/** ix,
  owner /var/lib/forgejo/https/** rwlk,
  owner /var/lib/forgejo/backups/forgejo-dump-*.{zip,tar.gz,tar.xz} rw,
  # authorized_keys is rewritten by the service itself (SSH key management).
  /var/lib/forgejo/.ssh/{,*} rw,

  ## Logs. Rotated copies of access.log are write-only; there is no rotation
  ## rule for gitea.log -- add one if rotation is enabled for that logger.
  /var/log/forgejo/ rw,
  /var/log/forgejo/access.log rw,
  /var/log/forgejo/access.log.* w,
  /var/log/forgejo/doctors-* rw,
  owner /var/log/forgejo/gitea.log w,

  ## Scratch files. Owner-only; `l` permits hard links under /tmp, which is
  ## worth keeping an eye on in a world-writable directory.
  owner /tmp/forgejo** rwl,
  owner /tmp/{index,patch}* rw,

  # Site-local overrides, conventionally last.
  include if exists <local/usr.bin.forgejo>
}