Add imagemagick policy file for docker

Add note about imagemagick policy to readme

README.md

@@ -4,7 +4,7 @@ _a simple image hosting service_
 ## Usage
 ### Running
 ```
-pict-rs 0.2.0-alpha.3
+pict-rs 0.2.6
 
 USAGE:
     pict-rs [FLAGS] [OPTIONS] --path <path>
@@ -54,6 +54,11 @@ $ wget https://git.asonix.dog/asonix/pict-rs/raw/branch/master/docker/prod/docke
 $ sudo docker-compose up -d
 ```
 
+###### Note
+- pict-rs makes use of the system's temporary folder. This is generally `/tmp` on linux
+- pict-rs makes use of a default imagemagick security policy at
+    `/usr/local/lib/ImageMagick-$VERSION/config-Q16HDRI/policy.xml`
+
 #### Docker Development
 The development system loads a rust environment inside a docker container with the neccessary
 dependencies already present

docker/dev/root/usr/local/lib/ImageMagick-7.0.11/config-Q16HDRI/policy.xml

@@ -0,0 +1,23 @@
+<policymap>
+    <policy domain="resource" name="memory" value="256MiB" />
+    <policy domain="resource" name="list-length" value="32" />
+    <policy domain="resource" name="width" value="10KP" />
+    <policy domain="resource" name="height" value="10KP" />
+    <policy domain="resource" name="map" value="512MiB" />
+    <policy domain="resource" name="area" value="16KP" />
+    <policy domain="resource" name="disk" value="1GiB" />
+    <policy domain="resource" name="file" value="768" />
+    <policy domain="resource" name="thread" value="2" />
+    <policy domain="coder" rights="none" pattern="*" />
+    <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
+    <policy domain="filter" rights="none" pattern="*" />
+    <policy domain="path" rights="none" pattern="@*" />
+    <policy domain="delegate" rights="none" pattern="*" />
+    <policy domain="module" rights="none" pattern="*" />
+    <policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
+        <!-- indirect reads not permitted -->
+    <policy domain="cache" name="memory-map" value="anonymous" />
+    <policy domain="cache" name="synchronize" value="true" />
+    <policy domain="system" name="precision" value="6" />
+    <policy domain="system" name="shred" value="1" />
+</policymap>

docker/prod/Dockerfile.amd64

@@ -219,6 +219,8 @@ ENV \
 RUN \
  chown pictrs:pictrs /mnt
 
+COPY root/ /
+
 VOLUME /mnt
 WORKDIR /opt/pict-rs
 USER pictrs

docker/prod/Dockerfile.arm32v7

@@ -220,6 +220,8 @@ ENV \
 RUN \
  chown pictrs:pictrs /mnt
 
+COPY root/ /
+
 VOLUME /mnt
 WORKDIR /opt/pict-rs
 USER pictrs

docker/prod/Dockerfile.arm64v8

@@ -220,6 +220,8 @@ ENV \
 RUN \
  chown pictrs:pictrs /mnt
 
+COPY root/ /
+
 VOLUME /mnt
 WORKDIR /opt/pict-rs
 USER pictrs

docker/prod/root/usr/local/lib/ImageMagick-7.0.11/config-Q16HDRI/policy.xml

@@ -0,0 +1,23 @@
+<policymap>
+    <policy domain="resource" name="memory" value="256MiB" />
+    <policy domain="resource" name="list-length" value="32" />
+    <policy domain="resource" name="width" value="10KP" />
+    <policy domain="resource" name="height" value="10KP" />
+    <policy domain="resource" name="map" value="512MiB" />
+    <policy domain="resource" name="area" value="16KP" />
+    <policy domain="resource" name="disk" value="1GiB" />
+    <policy domain="resource" name="file" value="768" />
+    <policy domain="resource" name="thread" value="2" />
+    <policy domain="coder" rights="none" pattern="*" />
+    <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
+    <policy domain="filter" rights="none" pattern="*" />
+    <policy domain="path" rights="none" pattern="@*" />
+    <policy domain="delegate" rights="none" pattern="*" />
+    <policy domain="module" rights="none" pattern="*" />
+    <policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
+        <!-- indirect reads not permitted -->
+    <policy domain="cache" name="memory-map" value="anonymous" />
+    <policy domain="cache" name="synchronize" value="true" />
+    <policy domain="system" name="precision" value="6" />
+    <policy domain="system" name="shred" value="1" />
+</policymap>