#include <tunables/global>
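profile threegate-monty flags=(attach_disconnected,mediate_deleted) {
  # Confinement profile for a Python 3 interpreter.
  #
  # In enforce mode AppArmor only permits what a profile lists, so anything
  # not allowed below is already refused. Explicit "deny" rules are kept for
  # the dangerous classes to document intent and because a deny always wins
  # over an allow that a later include or edit might add.
  #
  # NOTE: This is a conservative template; paths may need adjustment per base
  # image (for example distributions that keep libraries under /lib64 or
  # /usr/lib64 would need matching rules).

  # The rule qualifier comes first: "deny capability," rather than
  # "capability deny," (the latter is read as a capability named "deny").
  # Plain deny rules are not logged; switch to "audit deny" if refused
  # attempts should show up in the audit log for detection.
  deny capability,
  deny network,

  # Allow basic process operation
  /usr/bin/python3 mrix,
  /usr/bin/python3.* mrix,

  # Allow shared libs and python stdlib reads.
  # "m" is required for the dynamic loader to map shared objects and C
  # extension modules as executable; none of these trees is writable under
  # this profile, so the process cannot map code it wrote itself.
  /usr/lib/** mr,
  /lib/** mr,
  /usr/local/lib/** mr,
  /usr/share/** r,

  # /etc/** is broad. Credential material is carved out explicitly because
  # file ownership alone does not protect it when the confined process runs
  # as root. Narrow /etc/** further once the workload's real needs are known.
  /etc/** r,
  deny /etc/shadow* r,
  deny /etc/gshadow* r,
  deny /etc/ssh/ssh_host_*_key r,

  # Allow temporary runtime dirs (read/write only: no "x" and no "m", so
  # files dropped here can be neither executed nor mapped executable).
  /tmp/** rw,
  /var/tmp/** rw,
  /dev/null rw,
  /dev/urandom r,
  /dev/random r,

  # Writes elsewhere are refused by the default-deny behaviour described at
  # the top. The former "deny /** wklx," rule is intentionally gone: deny
  # rules take precedence over allow rules, so it also blocked the /tmp,
  # /var/tmp and /dev/null writes and the python3 exec permitted above.

  # Deny mounts/ptrace explicitly
  deny mount,
  deny ptrace,

  # Allow stdout/stderr via inherited fds
  # NOTE(review): no rule is listed for this. Inherited descriptors that are
  # backed by a path (a log file, a tty) are presumably still checked against
  # this profile, so the launcher's fd wiring should be confirmed and a
  # matching rule added if output goes missing.
}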