# AppArmor policy for the Forgejo service (/usr/bin/forgejo) and the
# helpers it spawns. Pinning the policy ABI makes the kernel apply the
# rule types this file relies on (network, signal, ...) consistently.
abi <abi/3.0>,
include <tunables/global>
# Base data directory and the two candidate repository roots; every
# path rule below is built from these, so changing them here changes
# the reach of all child profiles at once.
@{APP_DATADIR} = /var/lib/forgejo
@{APP_REPOSITORY_DIRS} = @{APP_DATADIR}/data/forgejo-repositories @{APP_DATADIR}/repositories
# Main profile, attached to /usr/bin/forgejo. attach_disconnected makes
# the kernel mediate paths that are disconnected from the namespace root
# (e.g. under private mounts) instead of denying them outright; it is a
# convenience that slightly widens what the profile can reach, so keep
# it only if the service really runs with such mounts.
profile forgejo /usr/bin/forgejo flags=(attach_disconnected) {
  # Most of the service's rules live in this abstraction (not in this file).
  include <abstractions/forgejo>
  # TCP only, v4 and v6. No dgram/raw sockets are granted here, so any
  # UDP use (e.g. DNS) has to come from <abstractions/forgejo>.
  network inet stream,
  network inet6 stream,
  # When the service re-executes its own binary, the new process is
  # confined by the child profile below (Cx = child-profile transition).
  /usr/bin/forgejo Cx -> forgejo-session-exec,
  # The service may signal any of its own children (git, hooks, ...);
  # the git profile has the matching `signal (receive)` rule.
  signal (send) peer=forgejo//*,

  # Target of the Cx transition above. All of its rules come from the
  # abstraction plus optional packaging / local drop-ins.
  profile forgejo-session-exec {
    include <abstractions/forgejo>
    include if exists <forgejo.d/forgejo-session-exec.d>
    include if exists <local/forgejo-session-exec>
  }

  # The forgejo binary when re-invoked from a git hook (see hooks-gitea
  # below); same rule set as the session child, but a separate profile
  # so the two paths can be tightened independently via the drop-ins.
  profile forgejo-hooks {
    include <abstractions/forgejo>
    include if exists <forgejo.d/forgejo-hooks.d>
    include if exists <local/forgejo-hooks>
  }

  # git run on behalf of the service. The transition into this profile
  # is not in this file (presumably granted by <abstractions/forgejo>).
  profile git {
    include <abstractions/base>
    include <abstractions/nameservice>
    include <abstractions/openssl>
    include <abstractions/ssl_certs>
    # Counterpart of the main profile's `signal (send)` rule.
    signal (receive) peer=forgejo,
    /etc/gitconfig r,
    # git's own helper binaries run inside this profile (ix = inherit),
    # so they get exactly the access git has, no more.
    /usr/lib{,exec}/git/* rmix,
    /usr/share/git-core/** r,
    # Shell helpers are forced into a dedicated, narrower profile.
    /usr/bin/bash Px -> forgejo//git-bash,
    # Per-service gitconfig; the .lock file is git's atomic-rewrite temp.
    owner @{APP_DATADIR}/data/home/.gitconfig rwlk,
    owner @{APP_DATADIR}/data/home/.gitconfig.lock rwlk,
    # Full read/write/link/lock on repositories, but no generic exec: the
    # only executables reachable under a repository are the four hook
    # entry points, each forced (Px) into its own profile below. Note
    # that `rwlk` on ** also covers the hook files themselves, so git
    # running here can rewrite the hooks it later executes; it is the
    # hook profiles that bound what a hook may then do.
    owner @{APP_REPOSITORY_DIRS}/ r,
    owner @{APP_REPOSITORY_DIRS}/** rwlk,
    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/pre-receive Px -> forgejo//hooks-pre-receive,
    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/post-receive Px -> forgejo//hooks-post-receive,
    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/proc-receive Px -> forgejo//hooks-proc-receive,
    owner @{APP_REPOSITORY_DIRS}/*/*.git/hooks/update Px -> forgejo//hooks-update,
    # NOTE(review): the four exec rules above match */*.git/hooks/... while
    # the hook profiles below read */*/hooks/... — equivalent as long as
    # every repository directory ends in .git, but worth keeping in step.
    # Scratch clones under data/tmp (presumably pull-request merges and
    # wiki updates, judging by the names); same rwlk-no-exec shape.
    owner @{APP_DATADIR}/data/tmp/local-repo/pull.*/ r,
    owner @{APP_DATADIR}/data/tmp/local-repo/pull.*/** rwlk,
    owner @{APP_DATADIR}/data/tmp/local-repo/update-wiki*/ r,
    owner @{APP_DATADIR}/data/tmp/local-repo/update-wiki*/** rwlk,
    include if exists <forgejo.d/git.d>
    include if exists <local/forgejo-git>
  }

  # bash spawned by git. Apart from what the abstractions grant, it can
  # only re-enter the git profile through the two binaries listed; it
  # has no rules of its own on the data or repository directories.
  profile git-bash {
    include <abstractions/base>
    include <abstractions/bash>
    include <abstractions/consoles>
    /usr/bin/bash rm,
    /usr/lib{,exec}/git/git Px -> forgejo//git,
    /usr/lib{,exec}/git/git-write-tree Px -> forgejo//git,
  }

  # One profile per git hook. Each may read its own entry point and the
  # matching drop-in directory, and may execute exactly one thing: the
  # `gitea` drop-in, which is itself confined by hooks-gitea. Any other
  # file placed in hooks/*.d/ is readable but not executable from here.
  profile hooks-pre-receive {
    include <abstractions/forgejo-hooks>
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive.d/ r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/pre-receive.d/gitea Px -> forgejo//hooks-gitea,
    include if exists <forgejo.d/hooks-pre-receive.d>
    include if exists <local/forgejo-hooks-pre-receive>
  }
  profile hooks-post-receive {
    include <abstractions/forgejo-hooks>
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive.d/ r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/post-receive.d/gitea Px -> forgejo//hooks-gitea,
    include if exists <forgejo.d/hooks-post-receive.d>
    include if exists <local/forgejo-hooks-post-receive>
  }
  profile hooks-proc-receive {
    include <abstractions/forgejo-hooks>
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive.d/ r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/proc-receive.d/gitea Px -> forgejo//hooks-gitea,
    include if exists <forgejo.d/hooks-proc-receive.d>
    include if exists <local/forgejo-hooks-proc-receive>
  }
  profile hooks-update {
    include <abstractions/forgejo-hooks>
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update.d/ r,
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/update.d/gitea Px -> forgejo//hooks-gitea,
    include if exists <forgejo.d/hooks-update.d>
    include if exists <local/forgejo-hooks-update>
  }

  # The `gitea` drop-in itself. Its only exec target in this file is the
  # forgejo binary, under the forgejo-hooks child; whatever interpreter
  # the drop-in needs must be granted by <abstractions/forgejo-hooks>.
  # NOTE(review): unlike the hook profiles above, this one has no
  # `include if exists` drop-ins — confirm that is intended.
  profile hooks-gitea {
    include <abstractions/forgejo-hooks>
    owner @{APP_REPOSITORY_DIRS}/*/*/hooks/*.d/gitea r,
    /usr/bin/forgejo Px -> forgejo//forgejo-hooks,
  }

  # Minimal profile for a few coreutils. Nothing in this file transitions
  # into it, so the caller is presumably in <abstractions/forgejo>;
  # if nothing references it, it is dead policy and can be dropped.
  profile simple_tool {
    include <abstractions/base>
    /usr/bin/env rm,
    /usr/bin/cat rm,
    /usr/bin/basename rm,
  }

  # Service state, restricted to files the service owns. Read/write/
  # link/lock only — no `x` is granted anywhere under the writable tree,
  # so nothing dropped into the data directory can be executed from the
  # main profile (the only exec rule above is the Cx on its own binary).
  owner @{APP_DATADIR}/ r,
  owner @{APP_DATADIR}/data/ r,
  owner @{APP_DATADIR}/data/** rwlk,
  owner @{APP_DATADIR}/https/ r,
  owner @{APP_DATADIR}/https/** rwlk,
  owner @{APP_DATADIR}/indexers/ r,
  owner @{APP_DATADIR}/indexers/** rwlk,
  owner @{APP_DATADIR}/queues/ r,
  owner @{APP_DATADIR}/queues/** rwlk,
  owner @{APP_REPOSITORY_DIRS}/ r,
  owner @{APP_REPOSITORY_DIRS}/** rwlk,
  # Logs: only the gitea.log* name is allowed, so a differently named
  # log file in the service configuration would be denied.
  # NOTE(review): confirm this matches the packaged logging configuration.
  owner /var/log/forgejo/ r,
  owner /var/log/forgejo/gitea.log* rwlk,
}