YunoHost-Apps/paperless-ngx_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/paperless-ngx_ynh.git synced 2024-09-03 19:56:33 +02:00
Code Issues Activity Actions 1

Implement imagemagick policy for convert calls

Browse source
This commit is contained in:
tituspijean 2024-02-15 18:19:54 +00:00
parent 5d15ed7abc
commit 731ed07a25
4 changed files with 36 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
conf/policy.xml Normal file
View file

@ -0,0 +1,23 @@
<policymap>
<!-- temporary path must be a preexisting writable directory -->
<policy domain="resource" name="temporary-path" value="__DATA_DIR__/imagemagick"/>
<policy domain="resource" name="memory" value="256MiB"/>
<policy domain="resource" name="list-length" value="32"/>
<policy domain="resource" name="width" value="8KP"/>
<policy domain="resource" name="height" value="8KP"/>
<policy domain="resource" name="map" value="512MiB"/>
<policy domain="resource" name="area" value="16KP"/>
<policy domain="resource" name="disk" value="1GiB"/>
<policy domain="resource" name="file" value="768"/>
<policy domain="resource" name="thread" value="2"/>
<policy domain="resource" name="time" value="120"/>
<policy domain="module" rights="none" pattern="URL" />
<policy domain="coder" rights="read | write" pattern="{MSVG,MVG,PS,PDF,RSVG,SVG,XPS}" />
<policy domain="filter" rights="none" pattern="*" />
<policy domain="path" rights="none" pattern="-"/> <!-- don't read/write from/to stdin/stdout -->
<policy domain="path" rights="none" pattern="/etc/*"/> <!-- don't read sensitive paths -->
<policy domain="path" rights="none" pattern="@*"/> <!-- indirect reads not permitted -->
<policy domain="cache" name="memory-map" value="anonymous"/>
<policy domain="cache" name="synchronize" value="true"/>
<policy domain="system" name="shred" value="1"/>
</policymap>

2
manifest.toml
View file

@ -70,7 +70,7 @@ ram.runtime = "350M"
[resources.install_dir] [resources.install_dir]
[resources.data_dir] [resources.data_dir]
subdirs = ["consume", "data", "media"] subdirs = ["consume", "data", "media", "imagemagick"]
[resources.permissions] [resources.permissions]
main.url = "/" main.url = "/"

6
scripts/install
View file

@ -103,6 +103,12 @@ ynh_add_config --template="paperless.conf.example" --destination="$install_dir/p
chmod 400 "$install_dir/paperless.conf" chmod 400 "$install_dir/paperless.conf"
chown $app:$app "$install_dir/paperless.conf" chown $app:$app "$install_dir/paperless.conf"
# ImageMagick configuration
mkdir -p "$install_dir/.config/ImageMagick"
ynh_add_config --template="policy.xml" --destination="$install_dir/.config/ImageMagick/policy.xml"
chmod 400 "$install_dir/.config/ImageMagick/policy.xml"
chown -R $app:$app "$install_dir/.config"
#================================================= #=================================================
# SETUP THE DATABASE # SETUP THE DATABASE
#================================================= #=================================================

6
scripts/upgrade
View file

@ -128,6 +128,12 @@ ynh_add_config --template="paperless.conf.example" --destination="$install_dir/p
chmod 400 "$install_dir/paperless.conf" chmod 400 "$install_dir/paperless.conf"
chown $app:$app "$install_dir/paperless.conf" chown $app:$app "$install_dir/paperless.conf"
# ImageMagick configuration
mkdir -p "$install_dir/.config/ImageMagick"
ynh_add_config --template="policy.xml" --destination="$install_dir/.config/ImageMagick/policy.xml"
chmod 400 "$install_dir/.config/ImageMagick/policy.xml"
chown -R $app:$app "$install_dir/.config"
#================================================= #=================================================
# SETUP THE DATABASE # SETUP THE DATABASE
#================================================= #=================================================