diff options
| author | Syndamia <kamen@syndamia.com> | 2022-09-06 10:53:34 +0300 |
|---|---|---|
| committer | Syndamia <kamen@syndamia.com> | 2022-09-06 10:53:34 +0300 |
| commit | abdbd80ac4dcc42619ee4ed12c19fb5d71fa2d83 (patch) | |
| tree | ba3e845eefb201676fcc87e964ab5035f3222585 /.b/etc/ImageMagick-7/policy.xml | |
| parent | dd6a62a3c881c0b2e71db5bb923c60a54d2b016d (diff) | |
| download | dotfiles-abdbd80ac4dcc42619ee4ed12c19fb5d71fa2d83.tar dotfiles-abdbd80ac4dcc42619ee4ed12c19fb5d71fa2d83.tar.gz dotfiles-abdbd80ac4dcc42619ee4ed12c19fb5d71fa2d83.zip | |
Added many configs to .b
Diffstat (limited to '.b/etc/ImageMagick-7/policy.xml')
| -rw-r--r-- | .b/etc/ImageMagick-7/policy.xml | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/.b/etc/ImageMagick-7/policy.xml b/.b/etc/ImageMagick-7/policy.xml new file mode 100644 index 0000000..7472ed1 --- /dev/null +++ b/.b/etc/ImageMagick-7/policy.xml @@ -0,0 +1,91 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE policymap [ + <!ELEMENT policymap (policy)*> + <!ATTLIST policymap xmlns CDATA #FIXED ''> + <!ELEMENT policy EMPTY> + <!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED + name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED + stealth NMTOKEN #IMPLIED value CDATA #IMPLIED> +]> +<!-- + Configure ImageMagick policies. + + Domains include system, delegate, coder, filter, path, or resource. + + Rights include none, read, write, execute and all. Use | to combine them, + for example: "read | write" to permit read from, or write to, a path. + + Use a glob expression as a pattern. + + Suppose we do not want users to process MPEG video images: + + <policy domain="delegate" rights="none" pattern="mpeg:decode" /> + + Here we do not want users reading images from HTTP: + + <policy domain="coder" rights="none" pattern="HTTP" /> + + The /repository file system is restricted to read only. We use a glob + expression to match all paths that start with /repository: + + <policy domain="path" rights="read" pattern="/repository/*" /> + + Lets prevent users from executing any image filters: + + <policy domain="filter" rights="none" pattern="*" /> + + Any large image is cached to disk rather than memory: + + <policy domain="resource" name="area" value="1GP"/> + + Use the default system font unless overwridden by the application: + + <policy domain="system" name="font" value="/usr/share/fonts/favorite.ttf"/> + + Define arguments for the memory, map, area, width, height and disk resources + with SI prefixes (.e.g 100MB). In addition, resource policies are maximums + for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB + exceeds policy maximum so memory limit is 1GB). + + Rules are processed in order. Here we want to restrict ImageMagick to only + read or write a small subset of proven web-safe image types: + + <policy domain="delegate" rights="none" pattern="*" /> + <policy domain="filter" rights="none" pattern="*" /> + <policy domain="coder" rights="none" pattern="*" /> + <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" /> +--> +<policymap> + <!-- https://www.kb.cert.org/vuls/id/332928 mitigation / https://bugs.gentoo.org/664236 --> + <policy domain="coder" rights="none" pattern="PS" /> + <policy domain="coder" rights="none" pattern="PS2" /> + <policy domain="coder" rights="none" pattern="PS3" /> + <policy domain="coder" rights="none" pattern="EPS" /> + <policy domain="coder" rights="none" pattern="PDF" /> + <policy domain="coder" rights="none" pattern="XPS" /> + <policy domain="coder" rights="read | write" pattern="PDF" /> + + <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> --> + <!-- <policy domain="resource" name="memory" value="2GiB"/> --> + <!-- <policy domain="resource" name="map" value="4GiB"/> --> + <!-- <policy domain="resource" name="width" value="10KP"/> --> + <!-- <policy domain="resource" name="height" value="10KP"/> --> + <!-- <policy domain="resource" name="list-length" value="128"/> --> + <!-- <policy domain="resource" name="area" value="100MP"/> --> + <!-- <policy domain="resource" name="disk" value="16EiB"/> --> + <!-- <policy domain="resource" name="file" value="768"/> --> + <!-- <policy domain="resource" name="thread" value="4"/> --> + <!-- <policy domain="resource" name="throttle" value="0"/> --> + <!-- <policy domain="resource" name="time" value="3600"/> --> + <!-- <policy domain="coder" rights="none" pattern="MVG" /> --> + <!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> --> + <!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> --> + <!-- <policy domain="path" rights="none" pattern="@*" /> --> + <!-- <policy domain="cache" name="memory-map" value="anonymous"/> --> + <!-- <policy domain="cache" name="synchronize" value="True"/> --> + <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> --> + <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> --> + <!-- <policy domain="system" name="shred" value="2"/> --> + <!-- <policy domain="system" name="precision" value="6"/> --> + <!-- <policy domain="system" name="font" value="/path/to/unicode-font.ttf"/> --> +</policymap> |