Implement ImageMagick policy

conf/policy.xml

@@ -0,0 +1,26 @@
+<policymap>
+  <!-- temporary path must be a preexisting writable directory -->
+  <policy domain="resource" name="temporary-path" value="__DATA_DIR__/magick"/>
+  <policy domain="resource" name="memory" value="256MiB"/>
+  <policy domain="resource" name="list-length" value="32"/>
+  <policy domain="resource" name="width" value="8KP"/>
+  <policy domain="resource" name="height" value="8KP"/>
+  <policy domain="resource" name="map" value="512MiB"/>
+  <policy domain="resource" name="area" value="16KP"/>
+  <policy domain="resource" name="disk" value="1GiB"/>
+  <policy domain="resource" name="file" value="768"/>
+  <policy domain="resource" name="thread" value="2"/>
+  <policy domain="resource" name="time" value="120"/>
+  <policy domain="module" rights="none" pattern="URL" />
+  <policy domain="coder" rights="write" pattern="{MSVG,MVG,PS,PDF,RSVG,SVG,XPS}" />
+  <policy domain="filter" rights="none" pattern="*" />
+<!--Seems needed to send the pictures to Pict-RS server
+  <policy domain="path" rights="none" pattern="-"/>  <!-- don't read/write from/to stdin/stdout -->
+  <policy domain="path" rights="none" pattern="/etc/*"/>  <!-- don't read sensitive paths -->
+  <policy domain="path" rights="none" pattern="@*"/>  <!-- indirect reads not permitted -->
+  <policy domain="cache" name="memory-map" value="anonymous"/>
+  <policy domain="cache" name="synchronize" value="true"/>
+<!-- Only needed in case of distributed pixel cache
+  <policy domain="cache" name="shared-secret" value="__IMAGEMAGICK_CACHE_SECRET__" stealth="True"/> -->
+  <policy domain="system" name="shred" value="1"/>
+</policymap>

scripts/install

@@ -100,17 +100,23 @@ chown $app:$app "$install_dir/pict-rs/magick"
 #=================================================
 ynh_script_progression --message="Adding a configuration file..." --weight=1
 
+# Lemmy configuration
 mkdir -p "$install_dir/config/"
 ynh_add_config --template="../conf/lemmy.hjson" --destination="$install_dir/config/config.hjson"
-
 chmod 400 "$install_dir/config/config.hjson"
 chown $app:$app "$install_dir/config/config.hjson"
 
+# Pict-RS configuration
 ynh_add_config --template="../conf/pict-rs.toml" --destination="$install_dir/pict-rs/pict-rs.toml"
-
 chmod 400 "$install_dir/pict-rs/pict-rs.toml"
 chown $app:$app "$install_dir/pict-rs/pict-rs.toml"
 
+# ImageMagick configuration
+mkdir -p "$install_dir/.config/ImageMagick"
+ynh_add_config --template="../conf/policy.xml" --destination="$install_dir/.config/ImageMagick/policy.xml"
+chmod 400 "$install_dir/.config/ImageMagick/policy.xml"
+chown -R $app:$app "$install_dir/.config"
+
 #=================================================
 # SETUP SYSTEMD
 #=================================================

scripts/upgrade

@@ -145,17 +145,23 @@ chown -R $app:$app "$install_dir"
 #=================================================
 ynh_script_progression --message="Updating a configuration file..." --weight=1
 
+# Lemmy configuration
 mkdir -p "$install_dir/lemmy/"
 ynh_add_config --template="../conf/lemmy.hjson" --destination="$install_dir/config/config.hjson"
-
 chmod 400 "$install_dir/config/config.hjson"
 chown $app:$app "$install_dir/config/config.hjson"
 
+# Pict-RS configuration
 ynh_add_config --template="../conf/pict-rs.toml" --destination="$install_dir/pict-rs/pict-rs.toml"
-
 chmod 400 "$install_dir/pict-rs/pict-rs.toml"
 chown $app:$app "$install_dir/pict-rs/pict-rs.toml"
 
+# ImageMagick configuration
+mkdir -p "$install_dir/.config/ImageMagick"
+ynh_add_config --template="../conf/policy.xml" --destination="$install_dir/.config/ImageMagick/policy.xml"
+chmod 400 "$install_dir/.config/ImageMagick/policy.xml"
+chown -R $app:$app "$install_dir/.config"
+
 #=================================================
 # CREATE EXTENSION IF NOT EXISTS pgcrypto
 #=================================================