
# AppArmor profile for the gitea service binary (/usr/bin/gitea).
# Confines the web/git server to its configuration, data, log and static
# content directories; everything not listed below is denied by AppArmor.
# Pin the policy ABI so the rules are interpreted with the 3.0 semantics.
abi <abi/3.0>,

#include <tunables/global>

# attach_disconnected: lets the process keep using files whose path became
# disconnected from the namespace (e.g. after an unlink or bind-mount change)
# instead of failing the access.
profile gitea /usr/bin/gitea flags=(attach_disconnected) {

  # base/nameservice/openssl/user-tmp: common runtime, DNS/passwd lookups,
  # TLS, and per-user /tmp. mysql: client access to the MySQL/MariaDB socket
  # (only needed when the database backend is MySQL; harmless otherwise).
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/user-tmp>
  #include <abstractions/mysql>

  # Only TCP (stream) sockets are granted explicitly here; the nameservice
  # abstraction may add what DNS resolution needs.
  network inet  stream,
  network inet6 stream,

  # m = map executable; r = read. gzip is also mapped so it can be exec'd
  # via the ix rule below.
  /usr/bin/gitea mr,
  /usr/bin/gzip mr,

  # Grant read access to config files
  /etc/mime.types r,
  /usr/share/mime/globs2 r,
  /etc/machine-id r,
  /etc/gitea/ r,
  /etc/gitea/{conf,https,mailer}/ r,
  # TLS material for the built-in HTTPS listener (read-only).
  /etc/gitea/https/*.{crt,key,pem} r,

  # Access to config file app.ini
  /etc/gitea/conf/app.ini r,
  # Config must be writeable for initial setup (the web installer rewrites
  # app.ini). The file typically holds database credentials and the
  # application secret keys, so once setup is complete the administrator
  # should make it read-only for the service; the `owner` qualifier below
  # only grants write when the file is owned by the gitea process user, so
  # the two commands are enough to revoke it:
  # chown root:gitea /etc/gitea/conf/app.ini
  # chmod 0640 /etc/gitea/conf/app.ini
  owner /etc/gitea/conf/app.ini w,

  # Grant read access to public custom static content
  /etc/gitea/public/ r,
  /etc/gitea/public/** r,

  # allow invoking executables
  # ix = inherit execute: the child (including bash and git) keeps running
  # under this same profile, so helpers spawned by gitea cannot escape the
  # confinement listed here.
  /usr/bin/{basename,bash,cat,env,git,git-lfs,gitea,ssh-keygen,gzip} ix,
  /usr/{lib,libexec}/git/git ix,
  /usr/{lib,libexec}/git/git-remote-http ix,
  /usr/share/git-core/templates/ r,
  /usr/share/git-core/templates/** r,
  /etc/gitconfig r,

  # Grant read access to static content
  /usr/share/gitea/** r,

  # Grant read access to some process parameters
  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{PROC}/sys/net/core/somaxconn r,
  # owner: only the process's own /proc/<pid> entries, not other processes'.
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/{cgroup,cpuset,status,stat,limits} r,

  # Grant read access to working directory
  /var/lib/gitea/ r,

  # Allow TTY access
  /dev/tty rw,

  # Grant access to various data/repo directories
  # All of these are `owner`-qualified: writes are limited to files owned by
  # the user gitea runs as. k = file locking, l = create hard links.
  owner /tmp/patch* rw,
  owner /tmp/index* rw,
  # `/tmp/gitea**` matches any path starting with /tmp/gitea, including
  # subdirectories (e.g. temporary checkouts); link is allowed there too.
  owner /tmp/gitea** rwl,
  owner /var/lib/gitea/{data,indexers,queues,repositories,backups}/ r,
  owner /var/lib/gitea/{data,indexers,queues,repositories}/** rwk,
  owner /var/lib/gitea/data/gitea-repositories/** rwkl,
  # Repository hooks are gitea-generated scripts; ix keeps them confined by
  # this profile rather than running them unconfined.
  owner /var/lib/gitea/data/gitea-repositories/**.git/hooks/** ix,
  owner /var/lib/gitea/backups/gitea-dump-*.{zip,tar.gz,tar.xz} rw,
  owner /var/lib/gitea/https/** rwkl,

  # Ugly!
  # These dotfiles live under the static content tree /usr/share/gitea,
  # which suggests it doubles as the service user's HOME (not verifiable
  # from this file). A writable .gitconfig and .ssh/ directory are
  # trust-relevant (git honours .gitconfig; .ssh/ presumably holds the
  # authorized_keys gitea manages), so these rw grants should be reviewed
  # if HOME can be relocated to /var/lib/gitea. Note they are NOT
  # `owner`-qualified, unlike the data rules above.
  /usr/share/gitea/.gitconfig rw,
  /usr/share/gitea/.gitconfig.lock rw,
  /usr/share/gitea/.ssh/ rw,
  /usr/share/gitea/.ssh/* rw,
  /usr/share/gitea/.local/** rw,

  # for writing access log file
  /var/log/gitea/ rw,
  /var/log/gitea/access.log rw,
  # Rotated logs are write-only: gitea never needs to read them back.
  /var/log/gitea/access.log.* w,
  /var/log/gitea/doctors-* rw,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/usr.bin.gitea>
}