[pitboss/grind] deferred session-0003 (20260517T044708Z-e058)

This commit is contained in:
pitboss 2026-05-17 01:18:54 -05:00
parent 6698eb96eb
commit 2544e5d9da
7 changed files with 257 additions and 10 deletions


@ -9,6 +9,9 @@
(version 1)
(allow default)
;; The `/Users` denylist uses regex matches on specific secret-bearing
;; subpaths instead of a blanket `(subpath "/Users")` deny. See the
;; matching comment in `cmdi.sb` for the cold-start rationale.
(deny file-read*
(literal "/etc/passwd")
(literal "/etc/master.passwd")
@ -18,5 +21,16 @@
(literal "/private/etc/master.passwd")
(literal "/private/etc/shadow")
(literal "/private/etc/sudoers")
(subpath "/Users")
(regex #"^/Users/[^/]+/\.ssh(/|$)")
(regex #"^/Users/[^/]+/\.aws(/|$)")
(regex #"^/Users/[^/]+/\.gnupg(/|$)")
(regex #"^/Users/[^/]+/\.netrc$")
(regex #"^/Users/[^/]+/\.docker(/|$)")
(regex #"^/Users/[^/]+/\.kube(/|$)")
(regex #"^/Users/[^/]+/\.config/gh(/|$)")
(regex #"^/Users/[^/]+/Library/Keychains(/|$)")
(regex #"^/Users/[^/]+/Library/Cookies(/|$)")
(regex #"^/Users/[^/]+/Library/Mail(/|$)")
(regex #"^/Users/[^/]+/Library/Application Support/com\.apple\.TCC(/|$)")
(regex #"^/Users/[^/]+/Library/Application Support/Slack(/|$)")
(subpath "/Library/Keychains"))
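Review bot: Swapping `(subpath "/Users")` for a hand-picked regex denylist under `(allow default)` leaves other well-known credential stores in the home directory readable: none of the new patterns cover `~/.gitconfig` / `~/.git-credentials`, `~/.npmrc`, `~/.pypirc`, `~/.config/gcloud`, `~/.azure`, shell history (`~/.zsh_history`, `~/.bash_history`), or browser profile data under `Library/Application Support/Google/Chrome`, `Library/Application Support/Firefox` and `Library/Safari`. If the cold-start cost referenced in the new comment rules out the blanket deny, the entries below should at least join the list, and that comment should state outright that this is a best-effort denylist which must be extended whenever a new tool's credential path appears, e.g. `;; Best-effort denylist: default-allow means anything not matched here is readable; add new credential paths as tools are adopted.` Two caveats I have not verified against this sandbox but would want confirmed: the patterns only match homes under `/Users` (a process running as root has `/var/root`), and since the deny is on `file-read*` only, a default-allowed hard link or a case-variant path on a case-insensitive APFS volume may or may not still be caught by these path filters.

```scheme
(regex #"^/Users/[^/]+/Library/Application Support/Slack(/|$)")
(regex #"^/Users/[^/]+/\.gitconfig$")
(regex #"^/Users/[^/]+/\.git-credentials$")
(regex #"^/Users/[^/]+/\.npmrc$")
(regex #"^/Users/[^/]+/\.pypirc$")
(regex #"^/Users/[^/]+/\.config/gcloud(/|$)")
(regex #"^/Users/[^/]+/\.azure(/|$)")
(regex #"^/Users/[^/]+/\.(bash|zsh)_history$")
(regex #"^/Users/[^/]+/Library/Application Support/Google/Chrome(/|$)")
(regex #"^/Users/[^/]+/Library/Application Support/Firefox(/|$)")
(regex #"^/Users/[^/]+/Library/Safari(/|$)")
(subpath "/Library/Keychains"))
```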