baseline security policies

ImageMagick · Aug 13, 2023 · 8f3bdb8 · 8f3bdb8
1 parent 6e1a710
commit 8f3bdb8
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 3 deletions.
diff --git a/config/limited-policy.xml b/config/limited-policy.xml
@@ -91,5 +91,19 @@
   <!-- <policy domain="cache" name="synchronize" value="true"/> -->
   <!-- <policy domain="system" name="shred" value="1"/> -->
   <!-- <policy domain="system" name="font" value="/path/to/unicode-font.ttf"/> -->
-  <policy domain="Undefined" rights="none"/>
+  <policy domain="resource" name="memory" value="1024MiB"/>
+  <policy domain="resource" name="list-length" value="128"/>
+  <policy domain="resource" name="width" value="16KP"/>
+  <policy domain="resource" name="height" value="16KP"/>
+  <policy domain="resource" name="map" value="2048MiB"/>
+  <policy domain="resource" name="area" value="64KP"/>
+  <policy domain="resource" name="disk" value="4GiB"/>
+  <policy domain="resource" name="file" value="768"/>
+  <policy domain="resource" name="thread" value="8"/>
+  <policy domain="resource" name="time" value="600"/>
+  <policy domain="path" rights="none" pattern="-"/>  <!-- don't read/write from/to stdin/stdout -->
+  <policy domain="path" rights="none" pattern="/etc/*"/>  <!-- don't read sensitive paths -->
+  <policy domain="path" rights="none" pattern="@*"/>  <!-- indirect reads not permitted -->
+  <policy domain="module" rights="none" pattern="URL" /> 
+  <policy domain="module" rights="write" pattern="{MSL,MVG,PS,SVG,XPS}" />
 </policymap>
diff --git a/config/secure-policy.xml b/config/secure-policy.xml
@@ -94,5 +94,23 @@
   <!-- <policy domain="cache" name="synchronize" value="true"/> -->
   <!-- <policy domain="system" name="shred" value="1"/> -->
   <!-- <policy domain="system" name="font" value="/path/to/unicode-font.ttf"/> -->
-  <policy domain="Undefined" rights="none"/>
+  <policy domain="resource" name="memory" value="512MiB"/>
+  <policy domain="resource" name="list-length" value="64"/>
+  <policy domain="resource" name="width" value="8KP"/>
+  <policy domain="resource" name="height" value="8KP"/>
+  <policy domain="resource" name="map" value="1024MiB"/>
+  <policy domain="resource" name="area" value="32KP"/>
+  <policy domain="resource" name="disk" value="2GiB"/>
+  <policy domain="resource" name="file" value="768"/>
+  <policy domain="resource" name="thread" value="4"/>
+  <policy domain="resource" name="time" value="300"/>
+  <policy domain="filter" rights="none" pattern="*" />
+  <policy domain="path" rights="none" pattern="-"/>  <!-- don't read/write from/to stdin/stdout -->
+  <policy domain="path" rights="none" pattern="/etc/*"/>  <!-- don't read sensitive paths -->
+  <policy domain="path" rights="none" pattern="@*"/>  <!-- indirect reads not permitted -->
+  <policy domain="cache" name="memory-map" value="anonymous"/>
+  <policy domain="cache" name="synchronize" value="true"/>
+  <policy domain="system" name="shred" value="1"/>
+  <policy domain="module" rights="none" pattern="URL" /> 
+  <policy domain="module" rights="write" pattern="{MSL,MVG,PS,SVG,XPS}" />
 </policymap>
diff --git a/config/websafe-policy.xml b/config/websafe-policy.xml
@@ -91,5 +91,24 @@
   <!-- <policy domain="cache" name="synchronize" value="true"/> -->
   <!-- <policy domain="system" name="shred" value="1"/> -->
   <!-- <policy domain="system" name="font" value="/path/to/unicode-font.ttf"/> -->
-  <policy domain="Undefined" rights="none"/>
+  <policy domain="resource" name="memory" value="256MiB"/>
+  <policy domain="resource" name="list-length" value="32"/>
+  <policy domain="resource" name="width" value="4KP"/>
+  <policy domain="resource" name="height" value="4KP"/>
+  <policy domain="resource" name="map" value="512MiB"/>
+  <policy domain="resource" name="area" value="16KP"/>
+  <policy domain="resource" name="disk" value="1GiB"/>
+  <policy domain="resource" name="file" value="768"/>
+  <policy domain="resource" name="thread" value="2"/>
+  <policy domain="resource" name="time" value="120"/>
+  <policy domain="filter" rights="none" pattern="*" />
+  <policy domain="path" rights="none" pattern="-"/>  <!-- don't read/write from/to stdin/stdout -->
+  <policy domain="path" rights="none" pattern="/etc/*"/>  <!-- don't read sensitive paths -->
+  <policy domain="path" rights="none" pattern="@*"/>  <!-- indirect reads not permitted -->
+  <policy domain="cache" name="memory-map" value="anonymous"/>
+  <policy domain="cache" name="synchronize" value="true"/>
+  <policy domain="system" name="shred" value="1"/>
+  <policy domain="delegate" rights="none" pattern="*" />
+  <policy domain="module" rights="none" pattern="*" />
+  <policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
 </policymap>