block fd: filenames in security policies

Cristy · Cristy · commit 2c2f87de5330 · 2026-01-28T19:19:36.000-05:00
diff --git a/config/policy-secure.xml b/config/policy-secure.xml
@@ -90,6 +90,7 @@
   <policy domain="filter" rights="none" pattern="*"/>
   <!-- Don't read/write from/to stdin/stdout. -->
   <policy domain="path" rights="none" pattern="-"/>
+  <policy domain="path" rights="none" pattern="fd:*"/>
   <!-- don't read sensitive paths. -->
   <policy domain="path" rights="none" pattern="/etc/*"/>
   <!-- Indirect reads are not permitted. -->
diff --git a/config/policy-websafe.xml b/config/policy-websafe.xml
@@ -86,6 +86,7 @@
   <policy domain="filter" rights="none" pattern="*"/>
   <!-- Don't read/write from/to stdin/stdout. -->
   <policy domain="path" rights="none" pattern="-"/>
+  <policy domain="path" rights="none" pattern="fd:*"/>
   <!-- don't read sensitive paths. -->
   <policy domain="path" rights="none" pattern="/etc/*"/>
   <!-- Indirect reads are not permitted. -->
diff --git a/www/security-policy.html b/www/security-policy.html
@@ -329,6 +329,7 @@ <h2><a class="anchor" id="example"></a>Example Security Policy</h2>
   &lt;policy domain="filter" rights="none" pattern="*"/>
   &lt;!-- Don't read/write from/to stdin/stdout. -->
   &lt;policy domain="path" rights="none" pattern="-"/>
+  &lt;policy domain="path" rights="none" pattern="fd:*"/>
   &lt;!-- don't read sensitive paths. -->
   &lt;policy domain="path" rights="none" pattern="/etc/*"/>
   &lt;!-- Indirect reads are not permitted. -->
