Add imagemagick policy file for docker

Add note about imagemagick policy to readme
This commit is contained in:
asonix 2021-03-10 15:43:47 -06:00
parent 468103a7cc
commit b73dce91b2
6 changed files with 56 additions and 2 deletions

View file

@ -9,7 +9,7 @@ _a simple image hosting service_
## Usage
### Running
```
pict-rs 0.3.0-alpha.5
pict-rs 0.3.0-alpha.8
USAGE:
pict-rs [FLAGS] [OPTIONS] --path <path>
@ -59,7 +59,9 @@ $ wget https://git.asonix.dog/asonix/pict-rs/raw/branch/master/docker/prod/docke
$ sudo docker-compose up -d
```
###### Note
pict-rs makes use of the system's temporary folder. This is generally `/tmp` on linux
- pict-rs makes use of the system's temporary folder. This is generally `/tmp` on linux
- pict-rs makes use of a default imagemagick security policy at
`/usr/local/lib/ImageMagick-$VERSION/config-Q16HDRI/policy.xml`
#### Docker Development
The development system loads a rust environment inside a docker container with the neccessary

View file

@ -0,0 +1,23 @@
<policymap>
<policy domain="resource" name="memory" value="256MiB" />
<policy domain="resource" name="list-length" value="32" />
<policy domain="resource" name="width" value="10KP" />
<policy domain="resource" name="height" value="10KP" />
<policy domain="resource" name="map" value="512MiB" />
<policy domain="resource" name="area" value="16KP" />
<policy domain="resource" name="disk" value="1GiB" />
<policy domain="resource" name="file" value="768" />
<policy domain="resource" name="thread" value="2" />
<policy domain="coder" rights="none" pattern="*" />
<policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
<policy domain="filter" rights="none" pattern="*" />
<policy domain="path" rights="none" pattern="@*" />
<policy domain="delegate" rights="none" pattern="*" />
<policy domain="module" rights="none" pattern="*" />
<policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
<!-- indirect reads not permitted -->
<policy domain="cache" name="memory-map" value="anonymous" />
<policy domain="cache" name="synchronize" value="true" />
<policy domain="system" name="precision" value="6" />
<policy domain="system" name="shred" value="1" />
</policymap>

View file

@ -219,6 +219,8 @@ ENV \
RUN \
chown pictrs:pictrs /mnt
COPY root/ /
VOLUME /mnt
WORKDIR /opt/pict-rs
USER pictrs

View file

@ -220,6 +220,8 @@ ENV \
RUN \
chown pictrs:pictrs /mnt
COPY root/ /
VOLUME /mnt
WORKDIR /opt/pict-rs
USER pictrs

View file

@ -220,6 +220,8 @@ ENV \
RUN \
chown pictrs:pictrs /mnt
COPY root/ /
VOLUME /mnt
WORKDIR /opt/pict-rs
USER pictrs

View file

@ -0,0 +1,23 @@
<policymap>
<policy domain="resource" name="memory" value="256MiB" />
<policy domain="resource" name="list-length" value="32" />
<policy domain="resource" name="width" value="10KP" />
<policy domain="resource" name="height" value="10KP" />
<policy domain="resource" name="map" value="512MiB" />
<policy domain="resource" name="area" value="16KP" />
<policy domain="resource" name="disk" value="1GiB" />
<policy domain="resource" name="file" value="768" />
<policy domain="resource" name="thread" value="2" />
<policy domain="coder" rights="none" pattern="*" />
<policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
<policy domain="filter" rights="none" pattern="*" />
<policy domain="path" rights="none" pattern="@*" />
<policy domain="delegate" rights="none" pattern="*" />
<policy domain="module" rights="none" pattern="*" />
<policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
<!-- indirect reads not permitted -->
<policy domain="cache" name="memory-map" value="anonymous" />
<policy domain="cache" name="synchronize" value="true" />
<policy domain="system" name="precision" value="6" />
<policy domain="system" name="shred" value="1" />
</policymap>