;; Phase 18 (Track E.2) — DESERIALIZE profile.
;;
;; Unsafe-deserialise gadgets (pickle / Marshal / unserialize /
;; ObjectInputStream) commonly chain to `exec()` or filesystem reads
;; once a gadget object lands. `allow default` keeps the gadget paths
;; runnable; the filesystem denylist prevents the gadget from
;; exfiltrating host secrets.
;;
;; Shape of this profile (macOS sandbox profile language, SBPL):
;;   - `(allow default)` makes it a denylist: every operation not listed
;;     below — including network access and all file writes — is
;;     permitted. The profile narrows only what a gadget can *read*; it
;;     does not protect the integrity of the listed files (there is no
;;     `file-write*` rule). Add a parallel `(deny file-write* ...)` over
;;     the same paths if the threat model also covers tampering.
;;   - Rule order matters in SBPL: the last matching rule for an
;;     operation wins, so the deny block must stay after
;;     `(allow default)`.

(version 1)
(allow default)

;; The `/Users` denylist uses regex matches on specific secret-bearing
;; subpaths instead of a blanket `(subpath "/Users")` deny. See the
;; matching comment in `cmdi.sb` for the cold-start rationale.
;;
;; Pattern notes:
;;   - `[^/]+` matches exactly one account name directly under /Users,
;;     so every local user's dotfiles are covered, but home directories
;;     that live elsewhere (e.g. root's `/var/root`) are not.
;;     NOTE(review): confirm that is acceptable for how this profile is
;;     launched.
;;   - `(/|$)` matches the directory itself and everything below it;
;;     `\.netrc$` is a single file and uses a plain end anchor.
;;   - `/etc/...` and `/private/etc/...` are both listed so the rule
;;     holds whichever spelling reaches the sandbox (`/etc` is a symlink
;;     to `/private/etc` on macOS).
;;   - `file-read*` is the wildcard over the `file-read-*` operations
;;     (data as well as metadata), so stat-style probes of these paths
;;     are denied too, not just opens.
(deny file-read*
  ;; Account database and privilege configuration, both path spellings.
  (literal "/etc/passwd")
  (literal "/etc/master.passwd")
  (literal "/etc/shadow")
  (literal "/etc/sudoers")
  (literal "/private/etc/passwd")
  (literal "/private/etc/master.passwd")
  (literal "/private/etc/shadow")
  (literal "/private/etc/sudoers")
  ;; Per-user credential stores and credential-bearing tool configs.
  (regex #"^/Users/[^/]+/\.ssh(/|$)")
  (regex #"^/Users/[^/]+/\.aws(/|$)")
  (regex #"^/Users/[^/]+/\.gnupg(/|$)")
  (regex #"^/Users/[^/]+/\.netrc$")
  (regex #"^/Users/[^/]+/\.docker(/|$)")
  (regex #"^/Users/[^/]+/\.kube(/|$)")
  (regex #"^/Users/[^/]+/\.config/gh(/|$)")
  ;; Per-user Apple data: login keychains, browser cookies, mail, the
  ;; user TCC permissions database, and the Slack client's local data.
  (regex #"^/Users/[^/]+/Library/Keychains(/|$)")
  (regex #"^/Users/[^/]+/Library/Cookies(/|$)")
  (regex #"^/Users/[^/]+/Library/Mail(/|$)")
  (regex #"^/Users/[^/]+/Library/Application Support/com\.apple\.TCC(/|$)")
  (regex #"^/Users/[^/]+/Library/Application Support/Slack(/|$)")
  ;; System-wide keychains; the per-user ones are handled by the
  ;; `Library/Keychains` regex above.
  (subpath "/Library/Keychains"))