34 lines
704 B
Plaintext
34 lines
704 B
Plaintext
|
abi <abi/3.0>,
|
||
|
|
||
|
include <tunables/global>
|
||
|
include <dnsmanager>
|
||
|
include <boilerplate>
|
||
|
|
||
|
/usr/local/bin/authd flags=(enforce) {
|
||
|
# See the file `boilerplate`.
|
||
|
@{BASE_LIBS} mr,
|
||
|
@{BASE_RO} r,
|
||
|
@{BASE_RW} rw,
|
||
|
|
||
|
# Allow IPC-related unix sockets.
|
||
|
owner @{LIBIPC_DIR}/* rwk,
|
||
|
|
||
|
# Enable all unix socket operations. TODO: restrict this even further?
|
||
|
unix,
|
||
|
|
||
|
# Deny networking (udp and tcp).
|
||
|
deny network tcp,
|
||
|
deny network udp,
|
||
|
|
||
|
# Enable to read the configuration (and the database key).
|
||
|
owner @{AUTHD_CONFIG} r,
|
||
|
owner @{AUTHD_DB_KEY} r,
|
||
|
|
||
|
# Database and logs.
|
||
|
owner @{AUTHD_DB_PATH}/** rwkl,
|
||
|
owner @{AUTHD_LOGS} w,
|
||
|
|
||
|
# Enable authd to send mails.
|
||
|
@{MAILER} ux,
|
||
|
}
|