Prohibit remote pushing to the master branch in git
You should take a look at the sample update hook called update-paranoid in the contrib directory of the git distribution. It allows you to set up per-branch ACLs restricting who is allowed to push to which branches. This way you can restrict updating master to just release owners.
I'm not quite sure what you mean by "only updated via branch merging". I'm assuming that your central repository is bare, in which case branches are usually only updated by a push. There's no conceptual difference in git between pushing a commit that is a merge and one that isn't so I'm not sure what your criteria for restricting the type of update for master is intended to be.
In the case that you are pushing to a non-bare central repository and master is always the checked out branch then you can simply set the config variable receive.denyCurrentBranch to true or refuse.