From 167618930bc0970a7823716260b893efce814428 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sun, 15 Sep 2024 01:14:01 -0400
Subject: [PATCH] update for pacman 7.0.0 download sandbox
---
 nftables/nftables-attestation.conf | 4 ++--
 nftables/nftables-discuss.conf | 4 ++--
 nftables/nftables-mail.conf | 4 ++--
 nftables/nftables-matrix.conf | 4 ++--
 nftables/nftables-network.conf | 4 ++--
 nftables/nftables-ns1.conf | 4 ++--
 nftables/nftables-ns2.conf | 4 ++--
 nftables/nftables-social.conf | 4 ++--
 nftables/nftables-web.conf | 4 ++--
 pacman.conf | 2 ++
 10 files changed, 20 insertions(+), 18 deletions(-)
diff --git a/nftables/nftables-attestation.conf b/nftables/nftables-attestation.conf
index a6cf4eb..816d7dc 100644
--- a/nftables/nftables-attestation.conf
+++ b/nftables/nftables-attestation.conf
@@ -103,13 +103,13 @@ table inet filter {
 type filter hook output priority raw
 oif lo goto output-raw-loopback
- skuid != { root, systemd-network, unbound, chrony, http, attestation } counter goto graceful-reject
+ skuid != { root, systemd-network, unbound, alpm, chrony, http, attestation } counter goto graceful-reject
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 chain output-raw-loopback {
 skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8080 notrack accept
- skuid { chrony, attestation } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8080 th dport 53 notrack accept
+ skuid { alpm, chrony, attestation } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8080 th dport 53 notrack accept
 skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 notrack accept
 skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 notrack accept
diff --git a/nftables/nftables-discuss.conf b/nftables/nftables-discuss.conf
index 3495321..fd112e4 100644
--- a/nftables/nftables-discuss.conf
+++ b/nftables/nftables-discuss.conf
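Review bot: `skuid alpm` in the exemption set of the raw output chain and in the output-raw-loopback DNS rule is, as far as I know, resolved through the passwd database when nft parses the file, so on a host where the alpm user does not exist yet (pacman 7.0.0 is what creates it) loading this file fails as a whole rather than skipping the rule, and a failed load at boot may leave the host without any of its filter rules depending on how the service reacts. The same two lines are changed identically in nftables-discuss, -mail, -matrix, -network, -ns1, -ns2, -social and -web, and the header of the chain holding the first rule sits above the hunk. A one-line comment above the rule would pin the deployment order, e.g. `# alpm: pacman >= 7.0.0 DownloadUser; upgrade pacman before reloading this ruleset, nft will not load an unknown user`. Exempting alpm from the raw-hook reject also means its non-loopback packets now continue to the later output chain, which is outside this hunk; presumably that chain limits alpm to the mirror ports rather than inheriting a broad allow, which is worth confirming.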
@@ -103,13 +103,13 @@ table inet filter {
 type filter hook output priority raw
 oif lo goto output-raw-loopback
- skuid != { root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject
+ skuid != { root, systemd-network, unbound, alpm, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 chain output-raw-loopback {
 skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
- skuid { chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+ skuid { alpm, chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
 skuid != root counter goto graceful-reject
 notrack accept
diff --git a/nftables/nftables-mail.conf b/nftables/nftables-mail.conf
index 2d3287b..d7d4805 100644
--- a/nftables/nftables-mail.conf
+++ b/nftables/nftables-mail.conf
@@ -115,13 +115,13 @@ table inet filter {
 type filter hook output priority raw
 oif lo goto output-raw-loopback
- skuid != { root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http } counter goto graceful-reject
+ skuid != { root, systemd-network, unbound, alpm, chrony, postfix, dovecot, dovenull, http } counter goto graceful-reject
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 chain output-raw-loopback {
 skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
- skuid { chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+ skuid { alpm, chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
 skuid != root counter goto graceful-reject
 notrack accept
diff --git a/nftables/nftables-matrix.conf b/nftables/nftables-matrix.conf
index 135b66a..dd3692f 100644
--- a/nftables/nftables-matrix.conf
+++ b/nftables/nftables-matrix.conf
@@ -103,13 +103,13 @@ table inet filter {
 type filter hook output priority raw
 oif lo goto output-raw-loopback
- skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto graceful-reject
+ skuid != { root, systemd-network, unbound, alpm, chrony, http, synapse, matterbridge } counter goto graceful-reject
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 chain output-raw-loopback {
 skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8008 notrack accept
- skuid { chrony, synapse, matterbridge } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 notrack accept
+ skuid { alpm, chrony, synapse, matterbridge } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 notrack accept
 skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 notrack accept
diff --git a/nftables/nftables-network.conf b/nftables/nftables-network.conf
index c501a65..dfc0d3d 100644
--- a/nftables/nftables-network.conf
+++ b/nftables/nftables-network.conf
@@ -113,14 +113,14 @@ table inet filter {
 type filter hook output priority raw
 oif lo goto output-raw-loopback
- skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
+ skuid != { root, systemd-network, unbound, alpm, chrony, http } counter goto graceful-reject
 udp sport 123 notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 chain output-raw-loopback {
 skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
- skuid { chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+ skuid { alpm, chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
 skuid != root counter goto graceful-reject
 notrack accept
diff --git a/nftables/nftables-ns1.conf b/nftables/nftables-ns1.conf
index c076b5b..12b74c2 100644
--- a/nftables/nftables-ns1.conf
+++ b/nftables/nftables-ns1.conf
@@ -105,14 +105,14 @@ table inet filter {
 type filter hook output priority raw
 oif lo goto output-raw-loopback
- skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
+ skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
 udp sport 53 notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 chain output-raw-loopback {
 skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
- skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+ skuid { alpm, chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
 skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept
 skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept
diff --git a/nftables/nftables-ns2.conf b/nftables/nftables-ns2.conf
index e811486..18ec1f5 100644
--- a/nftables/nftables-ns2.conf
+++ b/nftables/nftables-ns2.conf
@@ -117,14 +117,14 @@ table inet filter {
 type filter hook output priority raw
 oif lo goto output-raw-loopback
- skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
+ skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
 udp sport 53 notrack accept
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 chain output-raw-loopback {
 skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
- skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+ skuid { alpm, chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
 skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept
 skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept
diff --git a/nftables/nftables-social.conf b/nftables/nftables-social.conf
index 14be9e7..5418eec 100644
--- a/nftables/nftables-social.conf
+++ b/nftables/nftables-social.conf
@@ -103,13 +103,13 @@ table inet filter {
 type filter hook output priority raw
 oif lo goto output-raw-loopback
- skuid != { root, systemd-network, unbound, chrony, http, mastodon } counter goto graceful-reject
+ skuid != { root, systemd-network, unbound, alpm, chrony, http, mastodon } counter goto graceful-reject
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 chain output-raw-loopback {
 skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
- skuid { chrony, mastodon } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+ skuid { alpm, chrony, mastodon } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
 skuid postgres udp sport >= 1024 udp dport >= 1024 notrack accept
diff --git a/nftables/nftables-web.conf b/nftables/nftables-web.conf
index acbde51..81951f7 100644
--- a/nftables/nftables-web.conf
+++ b/nftables/nftables-web.conf
@@ -113,13 +113,13 @@ table inet filter {
 type filter hook output priority raw
 oif lo goto output-raw-loopback
- skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
+ skuid != { root, systemd-network, unbound, alpm, chrony, http } counter goto graceful-reject
 meta l4proto { icmp, ipv6-icmp } notrack accept
 }
 chain output-raw-loopback {
 skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
- skuid chrony meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+ skuid { alpm, chrony } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
 skuid != root counter goto graceful-reject
 notrack accept
diff --git a/pacman.conf b/pacman.conf
index b4a5536..68c8b6c 100644
--- a/pacman.conf
+++ b/pacman.conf
@@ -35,6 +35,8 @@ Color
 CheckSpace
 VerbosePkgLists
 #ParallelDownloads = 5
+DownloadUser = alpm
+#DisableSandbox
 ILoveCandy
 # By default, pacman accepts packages signed by keys that its local keyring
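Review bot: The new `DownloadUser = alpm` line in pacman.conf carries no comment, and the `#DisableSandbox` line added beside it is the one switch that would turn the privilege drop back off, so a reader cannot tell whether the commented line is a deliberate reminder or a leftover. A comment above the pair such as `# pacman >= 7.0.0: downloads run as the unprivileged alpm user; DisableSandbox is intentionally left commented out` would make the intent explicit and match the commented ParallelDownloads line above it. Since the downloader now runs as alpm, the package cache and sync database download locations presumably need to be writable by that user; any CacheDir or DBPath settings in this file are outside the hunk, so that is worth confirming on hosts with non-default paths.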