From 949698f8d1244f59b028aae502002aafb6b450c6 Mon Sep 17 00:00:00 2001
From: asonix <asonix@asonix.dog>
Date: Wed, 10 Mar 2021 15:43:47 -0600
Subject: [PATCH] Add imagemagick policy file for docker

Add note about imagemagick policy to readme
---
 README.md                                     |  7 +++++-
 .../config-Q16HDRI/policy.xml                 | 23 +++++++++++++++++++
 docker/prod/Dockerfile.amd64                  |  2 ++
 docker/prod/Dockerfile.arm32v7                |  2 ++
 docker/prod/Dockerfile.arm64v8                |  2 ++
 .../config-Q16HDRI/policy.xml                 | 23 +++++++++++++++++++
 6 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 docker/dev/root/usr/local/lib/ImageMagick-7.0.11/config-Q16HDRI/policy.xml
 create mode 100644 docker/prod/root/usr/local/lib/ImageMagick-7.0.11/config-Q16HDRI/policy.xml

diff --git a/README.md b/README.md
index ab9f783..23dab1b 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@ _a simple image hosting service_
 ## Usage
 ### Running
 ```
-pict-rs 0.2.0-alpha.3
+pict-rs 0.2.6
 
 USAGE:
     pict-rs [FLAGS] [OPTIONS] --path <path>
@@ -54,6 +54,11 @@ $ wget https://git.asonix.dog/asonix/pict-rs/raw/branch/master/docker/prod/docke
 $ sudo docker-compose up -d
 ```
 
+###### Note
+- pict-rs makes use of the system's temporary folder. This is generally `/tmp` on linux
+- pict-rs makes use of a default imagemagick security policy at
+    `/usr/local/lib/ImageMagick-$VERSION/config-Q16HDRI/policy.xml`
+
 #### Docker Development
 The development system loads a rust environment inside a docker container with the neccessary
 dependencies already present
diff --git a/docker/dev/root/usr/local/lib/ImageMagick-7.0.11/config-Q16HDRI/policy.xml b/docker/dev/root/usr/local/lib/ImageMagick-7.0.11/config-Q16HDRI/policy.xml
new file mode 100644
index 0000000..141b546
--- /dev/null
+++ b/docker/dev/root/usr/local/lib/ImageMagick-7.0.11/config-Q16HDRI/policy.xml
@@ -0,0 +1,23 @@
+<policymap>
+    <policy domain="resource" name="memory" value="256MiB" />
+    <policy domain="resource" name="list-length" value="32" />
+    <policy domain="resource" name="width" value="10KP" />
+    <policy domain="resource" name="height" value="10KP" />
+    <policy domain="resource" name="map" value="512MiB" />
+    <policy domain="resource" name="area" value="16KP" />
+    <policy domain="resource" name="disk" value="1GiB" />
+    <policy domain="resource" name="file" value="768" />
+    <policy domain="resource" name="thread" value="2" />
+    <policy domain="coder" rights="none" pattern="*" />
+    <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
+    <policy domain="filter" rights="none" pattern="*" />
+    <policy domain="path" rights="none" pattern="@*" />
+    <policy domain="delegate" rights="none" pattern="*" />
+    <policy domain="module" rights="none" pattern="*" />
+    <policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
+        <!-- indirect reads not permitted -->
+    <policy domain="cache" name="memory-map" value="anonymous" />
+    <policy domain="cache" name="synchronize" value="true" />
+    <policy domain="system" name="precision" value="6" />
+    <policy domain="system" name="shred" value="1" />
+</policymap>
diff --git a/docker/prod/Dockerfile.amd64 b/docker/prod/Dockerfile.amd64
index 2e89682..cb81101 100644
--- a/docker/prod/Dockerfile.amd64
+++ b/docker/prod/Dockerfile.amd64
@@ -219,6 +219,8 @@ ENV \
 RUN \
  chown pictrs:pictrs /mnt
 
+COPY root/ /
+
 VOLUME /mnt
 WORKDIR /opt/pict-rs
 USER pictrs
diff --git a/docker/prod/Dockerfile.arm32v7 b/docker/prod/Dockerfile.arm32v7
index 5c143cc..2f514c2 100644
--- a/docker/prod/Dockerfile.arm32v7
+++ b/docker/prod/Dockerfile.arm32v7
@@ -220,6 +220,8 @@ ENV \
 RUN \
  chown pictrs:pictrs /mnt
 
+COPY root/ /
+
 VOLUME /mnt
 WORKDIR /opt/pict-rs
 USER pictrs
diff --git a/docker/prod/Dockerfile.arm64v8 b/docker/prod/Dockerfile.arm64v8
index 0dcb760..8805fe0 100644
--- a/docker/prod/Dockerfile.arm64v8
+++ b/docker/prod/Dockerfile.arm64v8
@@ -220,6 +220,8 @@ ENV \
 RUN \
  chown pictrs:pictrs /mnt
 
+COPY root/ /
+
 VOLUME /mnt
 WORKDIR /opt/pict-rs
 USER pictrs
diff --git a/docker/prod/root/usr/local/lib/ImageMagick-7.0.11/config-Q16HDRI/policy.xml b/docker/prod/root/usr/local/lib/ImageMagick-7.0.11/config-Q16HDRI/policy.xml
new file mode 100644
index 0000000..141b546
--- /dev/null
+++ b/docker/prod/root/usr/local/lib/ImageMagick-7.0.11/config-Q16HDRI/policy.xml
@@ -0,0 +1,23 @@
+<policymap>
+    <policy domain="resource" name="memory" value="256MiB" />
+    <policy domain="resource" name="list-length" value="32" />
+    <policy domain="resource" name="width" value="10KP" />
+    <policy domain="resource" name="height" value="10KP" />
+    <policy domain="resource" name="map" value="512MiB" />
+    <policy domain="resource" name="area" value="16KP" />
+    <policy domain="resource" name="disk" value="1GiB" />
+    <policy domain="resource" name="file" value="768" />
+    <policy domain="resource" name="thread" value="2" />
+    <policy domain="coder" rights="none" pattern="*" />
+    <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
+    <policy domain="filter" rights="none" pattern="*" />
+    <policy domain="path" rights="none" pattern="@*" />
+    <policy domain="delegate" rights="none" pattern="*" />
+    <policy domain="module" rights="none" pattern="*" />
+    <policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
+        <!-- indirect reads not permitted -->
+    <policy domain="cache" name="memory-map" value="anonymous" />
+    <policy domain="cache" name="synchronize" value="true" />
+    <policy domain="system" name="precision" value="6" />
+    <policy domain="system" name="shred" value="1" />
+</policymap>