| @@ -1,39 +1,40 @@ | | | @@ -1,39 +1,40 @@ |
1 | $NetBSD: patch-config_policy.xml,v 1.9 2021/04/23 07:23:29 nia Exp $ | | 1 | $NetBSD: patch-config_policy.xml,v 1.10 2021/05/04 14:31:57 nia Exp $ |
2 | | | 2 | |
3 | Update default policies for better resistance to untrusted input. | | 3 | Update default policies for better resistance to untrusted input. |
4 | | | 4 | |
5 | Discussion: | | 5 | Discussion: |
6 | http://mail-index.netbsd.org/tech-pkg/2021/04/03/msg024740.html | | 6 | http://mail-index.netbsd.org/tech-pkg/2021/04/03/msg024740.html |
7 | | | 7 | |
8 | --- config/policy.xml.orig 2021-04-17 15:26:24.000000000 +0000 | | 8 | --- config/policy.xml.orig 2021-04-29 02:01:58.000000000 +0000 |
9 | +++ config/policy.xml | | 9 | +++ config/policy.xml |
10 | @@ -76,6 +76,29 @@ | | 10 | @@ -76,6 +76,30 @@ |
11 | <!-- <policy domain="cache" name="synchronize" value="True"/> --> | | 11 | <!-- <policy domain="cache" name="synchronize" value="True"/> --> |
12 | <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> --> | | 12 | <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> --> |
13 | <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> --> | | 13 | <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> --> |
14 | + | | 14 | + |
15 | + <!-- | | 15 | + <!-- |
16 | + -- Disable ghostscript decoders as suggested by VU#332928 | | 16 | + -- Disable ghostscript decoders as suggested by VU#332928 |
17 | + -- <https://www.kb.cert.org/vuls/id/332928> | | 17 | + -- <https://www.kb.cert.org/vuls/id/332928> |
18 | + --> | | 18 | + --> |
19 | + <policy domain="coder" rights="write" pattern="PS" /> | | 19 | + <policy domain="coder" rights="write" pattern="PS" /> |
20 | + <policy domain="coder" rights="write" pattern="PS2" /> | | 20 | + <policy domain="coder" rights="write" pattern="PS2" /> |
21 | + <policy domain="coder" rights="write" pattern="PS3" /> | | 21 | + <policy domain="coder" rights="write" pattern="PS3" /> |
22 | + <policy domain="coder" rights="write" pattern="EPS" /> | | 22 | + <policy domain="coder" rights="write" pattern="EPS" /> |
23 | + <policy domain="coder" rights="write" pattern="PDF" /> | | 23 | + <policy domain="coder" rights="write" pattern="PDF" /> |
24 | + <policy domain="coder" rights="write" pattern="XPS" /> | | 24 | + <policy domain="coder" rights="write" pattern="XPS" /> |
25 | + | | 25 | + |
26 | + <!-- Recommended policies from <https://imagetragick.com/> --> | | 26 | + <!-- Recommended policies from <https://imagetragick.com/> --> |
27 | + <policy domain="coder" rights="none" pattern="EPHEMERAL" /> | | 27 | + <policy domain="coder" rights="none" pattern="EPHEMERAL" /> |
28 | + <policy domain="coder" rights="none" pattern="URL" /> | | 28 | + <policy domain="coder" rights="none" pattern="URL" /> |
29 | + <policy domain="coder" rights="none" pattern="HTTPS" /> | | 29 | + <policy domain="coder" rights="none" pattern="HTTPS" /> |
30 | + <policy domain="coder" rights="none" pattern="MVG" /> | | 30 | + <!-- breaks deforaos-icon-theme package --> |
| | | 31 | + <!--<policy domain="coder" rights="none" pattern="MVG" />--> |
31 | + <policy domain="coder" rights="none" pattern="MSL" /> | | 32 | + <policy domain="coder" rights="none" pattern="MSL" /> |
32 | + <policy domain="coder" rights="none" pattern="TEXT" /> | | 33 | + <policy domain="coder" rights="none" pattern="TEXT" /> |
33 | + <policy domain="coder" rights="none" pattern="SHOW" /> | | 34 | + <policy domain="coder" rights="none" pattern="SHOW" /> |
34 | + <policy domain="coder" rights="none" pattern="WIN" /> | | 35 | + <policy domain="coder" rights="none" pattern="WIN" /> |
35 | + <policy domain="coder" rights="none" pattern="PLT" /> | | 36 | + <policy domain="coder" rights="none" pattern="PLT" /> |
36 | + | | 37 | + |
37 | <!-- <policy domain="system" name="shred" value="2"/> --> | | 38 | <!-- <policy domain="system" name="shred" value="2"/> --> |
38 | <!-- <policy domain="system" name="precision" value="6"/> --> | | 39 | <!-- <policy domain="system" name="precision" value="6"/> --> |
39 | <!-- <policy domain="system" name="font" value="/path/to/unicode-font.ttf"/> --> | | 40 | <!-- <policy domain="system" name="font" value="/path/to/unicode-font.ttf"/> --> |
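Review bot: Commenting out the `MVG` entry (new lines 30-31) re-enables that coder for every consumer of the packaged default policy, not only for the deforaos-icon-theme build, and the comment records the breakage but not the security trade-off. The patch header still says the defaults are hardened against untrusted input and the block is still labelled as the imagetragick.com recommendations, so a reader would assume the full list is in force. I would change the comment to state the exposure, e.g. `<!-- MVG left enabled (deviation from the imagetragick.com list): blocking it breaks deforaos-icon-theme; untrusted MVG input is still decoded -->`, and add one sentence to the header noting the exception. If the breakage is confined to that package's build, handling it there would presumably let the default stay restrictive, but that cannot be confirmed from this hunk.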