@@ -403,6 +403,19 @@ main() {
403403
404404
405405 cat << HERE > "$IMAGE_MAGICK_DIR /policy.xml"
406+ <?xml version="1.0" encoding="UTF-8"?>
407+ <!DOCTYPE policymap [
408+ <!ELEMENT policymap (policy)*>
409+ <!ATTLIST policymap xmlns CDATA #FIXED "">
410+ <!ELEMENT policy EMPTY>
411+ <!ATTLIST policy xmlns CDATA #FIXED "">
412+ <!ATTLIST policy domain NMTOKEN #REQUIRED>
413+ <!ATTLIST policy name NMTOKEN #IMPLIED>
414+ <!ATTLIST policy pattern CDATA #IMPLIED>
415+ <!ATTLIST policy rights NMTOKEN #IMPLIED>
416+ <!ATTLIST policy stealth NMTOKEN #IMPLIED>
417+ <!ATTLIST policy value CDATA #IMPLIED>
418+ ]>
406419<!--
407420 Creating a security policy that fits your specific local environment
408421 before making use of ImageMagick is highly advised. You can find guidance on
@@ -420,87 +433,83 @@ main() {
420433 the public, reducing the risk of exploiting ImageMagick's capabilities
421434 for potential attacks.
422435 -->
423- <policymap xmlns="" >
424- <!-- Set maximum parallel threads. -->
425- <policy xmlns="" domain="resource" name="thread" value="2"/>
426- <!-- Set maximum time to live in seconds or neumonics, e.g. "2 minutes". When
427- this limit is exceeded, an exception is thrown and processing stops. -->
428- <policy xmlns="" domain="resource" name="time" value="60"/>
429- <!-- Set maximum number of open pixel cache files. When this limit is
436+ <policymap>
437+ <!-- Set maximum parallel threads. -->
438+ <policy domain="resource" name="thread" value="2"/>
439+ <!-- Set maximum time to live in seconds or neumonics, e.g. "2 minutes". When
440+ this limit is exceeded, an exception is thrown and processing stops. -->
441+ <policy domain="resource" name="time" value="60"/>
442+ <!-- Set maximum number of open pixel cache files. When this limit is
430443 exceeded, any subsequent pixels cached to disk are closed and reopened
431- on demand. -->
432- <policy xmlns="" domain="resource" name="file" value="768"/>
433- <!-- Set maximum amount of memory in bytes to allocate for the pixel cache
444+ on demand. -->
445+ <policy domain="resource" name="file" value="768"/>
446+ <!-- Set maximum amount of memory in bytes to allocate for the pixel cache
434447 from the heap. When this limit is exceeded, the image pixels are cached
435- to memory-mapped disk. -->
436- <policy xmlns="" domain="resource" name="memory" value="256MiB"/>
437- <!-- Set maximum amount of memory map in bytes to allocate for the pixel
448+ to memory-mapped disk. -->
449+ <policy domain="resource" name="memory" value="256MiB"/>
450+ <!-- Set maximum amount of memory map in bytes to allocate for the pixel
438451 cache. When this limit is exceeded, the image pixels are cached to
439- disk. -->
440- <policy xmlns="" domain="resource" name="map" value="512MiB"/>
441- <!-- Set the maximum width * height of an image that can reside in the pixel
442- cache memory. Images that exceed the area limit are cached to disk. -->
443- <policy xmlns="" domain="resource" name="area" value="16KP"/>
444- <!-- Set maximum amount of disk space in bytes permitted for use by the pixel
452+ disk. -->
453+ <policy domain="resource" name="map" value="512MiB"/>
454+ <!-- Set the maximum width * height of an image that can reside in the pixel
455+ cache memory. Images that exceed the area limit are cached to disk. -->
456+ <policy domain="resource" name="area" value="16KP"/>
457+ <!-- Set maximum amount of disk space in bytes permitted for use by the pixel
445458 cache. When this limit is exceeded, the pixel cache is not be created
446- and an exception is thrown. -->
447- <policy xmlns="" domain="resource" name="disk" value="1GiB"/>
448- <!-- Set the maximum length of an image sequence. When this limit is
449- exceeded, an exception is thrown. -->
450- <policy xmlns="" domain="resource" name="list-length" value="16"/>
451- <!-- Set the maximum width of an image. When this limit is exceeded, an
452- exception is thrown. -->
453- <policy xmlns="" domain="resource" name="width" value="4KP"/>
454- <!-- Set the maximum height of an image. When this limit is exceeded, an
455- exception is thrown. -->
456- <policy xmlns="" domain="resource" name="height" value="4KP"/>
457- <!-- Periodically yield the CPU for at least the time specified in
458- milliseconds. -->
459- <policy xmlns="" domain="resource" name="throttle" value="2"/>
460- <!-- Do not create temporary files in the default shared directories, instead
461- specify a private area to store only ImageMagick temporary files. -->
462- <!-- <policy domain="resource" name="temporary-path" value="/magick/tmp/"/> -->
463- <!-- Force memory initialization by memory mapping select memory
464- allocations. -->
465- <policy xmlns="" domain="cache" name="memory-map" value="anonymous"/>
466- <!-- Ensure all image data is fully flushed and synchronized to disk. -->
467- <policy xmlns="" domain="cache" name="synchronize" value="true"/>
468- <!-- Replace passphrase for secure distributed processing -->
469- <!-- <policy domain="cache" name="shared-secret" value="secret-passphrase" stealth="true"/> -->
470- <!-- Do not permit any delegates to execute. -->
471- <policy xmlns="" domain="delegate" rights="none" pattern="*"/>
472- <!-- Do not permit any image filters to load. -->
473- <policy xmlns="" domain="filter" rights="none" pattern="*"/>
474-
475- <!-- Don't read/write from/to stdin/stdout. -->
476- <policy xmlns="" domain="path" rights="none" pattern="-"/>
477-
478- <!-- Indirect reads are not permitted. -->
479- <policy xmlns="" domain="path" rights="none" pattern="@*"/>
480-
481- <!-- don't read sensitive paths. -->
482- <policy domain="path" rights="none" pattern="/*"/>
483-
484- <!-- allow access to required paths. -->
485- <policy domain="path" rights="read|write" pattern="/var/bigbluebutton/*"/>
486- <policy domain="path" rights="read|write" pattern="/tmp/*"/>
487-
488- <!-- Deny all image modules and specifically exempt reading or writing
489- web-safe image formats. -->
490- <policy xmlns="" domain="module" rights="none" pattern="*"/>
491- <policy domain="module" rights="read | write" pattern="{BMP,GIF,JPEG,PDF,PNG,TIFF,WEBP}"/>
492- <policy xmlns="" domain="module" rights="read | write" pattern="{MPC}" stealth="true"/>
493- <policy domain="module" rights="write" pattern="{JSON,INFO,PNM,PS,SVG}"/>
494- <!-- This policy sets the number of times to replace content of certain
495- memory buffers and temporary files before they are freed or deleted. -->
496- <policy xmlns="" domain="system" name="shred" value="1"/>
497- <!-- Enable the initialization of buffers with zeros, resulting in a minor
498- performance penalty but with improved security. -->
499- <policy xmlns="" domain="system" name="memory-map" value="anonymous"/>
500- <!-- Set the maximum amount of memory in bytes that are permitted for
501- allocation requests. -->
502- <policy xmlns="" domain="system" name="max-memory-request" value="256MiB"/>
459+ and an exception is thrown. -->
460+ <policy domain="resource" name="disk" value="1GiB"/>
461+ <!-- Set the maximum length of an image sequence. When this limit is
462+ exceeded, an exception is thrown. -->
463+ <policy domain="resource" name="list-length" value="16"/>
464+ <!-- Set the maximum width of an image. When this limit is exceeded, an
465+ exception is thrown. -->
466+ <policy domain="resource" name="width" value="4KP"/>
467+ <!-- Set the maximum height of an image. When this limit is exceeded, an
468+ exception is thrown. -->
469+ <policy domain="resource" name="height" value="4KP"/>
470+ <!-- Periodically yield the CPU for at least the time specified in
471+ milliseconds. -->
472+ <policy domain="resource" name="throttle" value="2"/>
473+ <!-- Do not create temporary files in the default shared directories, instead
474+ specify a private area to store only ImageMagick temporary files. -->
475+ <!-- <policy domain="resource" name="temporary-path" value="/magick/tmp/"/> -->
476+ <!-- Force memory initialization by memory mapping select memory
477+ allocations. -->
478+ <policy domain="cache" name="memory-map" value="anonymous"/>
479+ <!-- Ensure all image data is fully flushed and synchronized to disk. -->
480+ <policy domain="cache" name="synchronize" value="true"/>
481+ <!-- Replace passphrase for secure distributed processing -->
482+ <!-- <policy domain="cache" name="shared-secret" value="secret-passphrase" stealth="true"/> -->
483+ <!-- Do not permit any delegates to execute. -->
484+ <policy domain="delegate" rights="none" pattern="*"/>
485+ <!-- Do not permit any image filters to load. -->
486+ <policy domain="filter" rights="none" pattern="*"/>
487+ <!-- Don't read/write from/to stdin/stdout. -->
488+ <policy domain="path" rights="none" pattern="-"/>
489+ <!-- don't read sensitive paths. -->
490+ <policy domain="path" rights="none" pattern="/*"/>
491+ <!-- allow access to required paths. -->
492+ <policy domain="path" rights="read|write" pattern="/var/bigbluebutton/*"/>
493+ <policy domain="path" rights="read|write" pattern="/tmp/*"/>
494+ <!-- Indirect reads are not permitted. -->
495+ <policy domain="path" rights="none" pattern="@*"/>
496+ <!-- Deny all image modules and specifically exempt reading or writing
497+ web-safe image formats. -->
498+ <policy domain="module" rights="none" pattern="*" />
499+ <policy domain="module" rights="read | write" pattern="{BMP,GIF,JPEG,PDF,PNG,TIFF,WEBP}"/>
500+ <policy domain="module" rights="read | write" pattern="{MPC}" stealth="true"/>
501+ <policy domain="module" rights="write" pattern="{JSON,INFO,PNM,PS,SVG}"/>
502+ <!-- This policy sets the number of times to replace content of certain
503+ memory buffers and temporary files before they are freed or deleted. -->
504+ <policy domain="system" name="shred" value="1"/>
505+ <!-- Enable the initialization of buffers with zeros, resulting in a minor
506+ performance penalty but with improved security. -->
507+ <policy domain="system" name="memory-map" value="anonymous"/>
508+ <!-- Set the maximum amount of memory in bytes that are permitted for
509+ allocation requests. -->
510+ <policy domain="system" name="max-memory-request" value="256MiB"/>
503511</policymap>
512+
504513HERE
505514 fi
506515
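Review bot: The path rules on new lines 489–493 deny `/*` and then grant `read|write` on `/var/bigbluebutton/*` and `/tmp/*`, which only does what the comments say if a later grant overrides an earlier matching deny; my reading of upstream ImageMagick's `IsRightsAuthorized` is that every policy whose pattern matches is evaluated and any one lacking the requested right denies, and its glob `*` matches across `/`, so the `/*` line would also match both allowed trees and the two grants would be inert. Please confirm after install by reading a file under /var/bigbluebutton through ImageMagick; if that reading holds, a path allow-list cannot be expressed this way and the deny lines should instead name the specific trees to block, with a comment such as `<!-- every matching path policy is applied; a later grant does not override a matching rights="none" line -->`. Relatedly, moving the `@*` deny to new line 495, below the grants, is harmless only under that order-independent evaluation. Separately, context line 405 reads `"$IMAGE_MAGICK_DIR /policy.xml"` with a space before the slash; if that is in the script rather than a rendering artifact, the heredoc is written under a directory that does not exist and the hardened policy never takes effect — the intended form is `"$IMAGE_MAGICK_DIR/policy.xml"`. The enclosing `main()` starts before the first hunk and continues past the last one.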