update for pacman 7.0.0 download sandbox

2025-01-02 10:36:11 -05:00 · 2024-09-15 01:14:01 -04:00 · 2024-09-15 01:14:01 -04:00 · 167618930b
commit 167618930b
parent ea3d577ac6
10 changed files with 20 additions and 18 deletions
--- a/nftables/nftables-attestation.conf
+++ b/nftables/nftables-attestation.conf
@ -103,13 +103,13 @@ table inet filter {
        type filter hook output priority raw
        oif lo goto output-raw-loopback
-        skuid != { root, systemd-network, unbound, chrony, http, attestation } counter goto graceful-reject
+        skuid != { root, systemd-network, unbound, alpm, chrony, http, attestation } counter goto graceful-reject
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
    chain output-raw-loopback {
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8080 notrack accept
-        skuid { chrony, attestation } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8080 th dport 53 notrack accept
+        skuid { alpm, chrony, attestation } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8080 th dport 53 notrack accept
        skuid attestation tcp sport 8080 tcp dport >= 1024 tcp dport != 8080 notrack accept
        skuid http tcp sport >= 1024 tcp sport != 8080 tcp dport 8080 notrack accept
--- a/nftables/nftables-discuss.conf
+++ b/nftables/nftables-discuss.conf
@ -103,13 +103,13 @@ table inet filter {
        type filter hook output priority raw
        oif lo goto output-raw-loopback
-        skuid != { root, systemd-network, unbound, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject
+        skuid != { root, systemd-network, unbound, alpm, chrony, http, flarum, flarum-admin, geoipupdate } counter goto graceful-reject
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
    chain output-raw-loopback {
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
-        skuid { chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+        skuid { alpm, chrony, http, flarum, flarum-admin, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
        skuid != root counter goto graceful-reject
        notrack accept
--- a/nftables/nftables-mail.conf
+++ b/nftables/nftables-mail.conf
@ -115,13 +115,13 @@ table inet filter {
        type filter hook output priority raw
        oif lo goto output-raw-loopback
-        skuid != { root, systemd-network, unbound, chrony, postfix, dovecot, dovenull, http } counter goto graceful-reject
+        skuid != { root, systemd-network, unbound, alpm, chrony, postfix, dovecot, dovenull, http } counter goto graceful-reject
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
    chain output-raw-loopback {
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
-        skuid { chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+        skuid { alpm, chrony, postfix, opendkim, opendmarc, policyd-spf } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
        skuid != root counter goto graceful-reject
        notrack accept
--- a/nftables/nftables-matrix.conf
+++ b/nftables/nftables-matrix.conf
@ -103,13 +103,13 @@ table inet filter {
        type filter hook output priority raw
        oif lo goto output-raw-loopback
-        skuid != { root, systemd-network, unbound, chrony, http, synapse, matterbridge } counter goto graceful-reject
+        skuid != { root, systemd-network, unbound, alpm, chrony, http, synapse, matterbridge } counter goto graceful-reject
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
    chain output-raw-loopback {
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 th dport != 8008 notrack accept
-        skuid { chrony, synapse, matterbridge } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 notrack accept
+        skuid { alpm, chrony, synapse, matterbridge } meta l4proto { tcp, udp } th sport >= 1024 th sport != 8008 th dport 53 notrack accept
        skuid postgres udp sport >= 1024 udp sport != 8008 udp dport >= 1024 udp dport != 8008 notrack accept
--- a/nftables/nftables-network.conf
+++ b/nftables/nftables-network.conf
@ -113,14 +113,14 @@ table inet filter {
        type filter hook output priority raw
        oif lo goto output-raw-loopback
-        skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
+        skuid != { root, systemd-network, unbound, alpm, chrony, http } counter goto graceful-reject
        udp sport 123 notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
    chain output-raw-loopback {
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
-        skuid { chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+        skuid { alpm, chrony, http } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
        skuid != root counter goto graceful-reject
        notrack accept
--- a/nftables/nftables-ns1.conf
+++ b/nftables/nftables-ns1.conf
@ -105,14 +105,14 @@ table inet filter {
        type filter hook output priority raw
        oif lo goto output-raw-loopback
-        skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
+        skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
        udp sport 53 notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
    chain output-raw-loopback {
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
-        skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+        skuid { alpm, chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
        skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept
        skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept
--- a/nftables/nftables-ns2.conf
+++ b/nftables/nftables-ns2.conf
@ -117,14 +117,14 @@ table inet filter {
        type filter hook output priority raw
        oif lo goto output-raw-loopback
-        skuid != { root, systemd-network, unbound, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
+        skuid != { root, systemd-network, unbound, alpm, chrony, http, powerdns, geoipupdate } counter goto graceful-reject
        udp sport 53 notrack accept
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
    chain output-raw-loopback {
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
-        skuid { chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+        skuid { alpm, chrony, geoipupdate } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
        skuid powerdns meta l4proto tcp th sport 54 th dport >= 1024 notrack accept
        skuid http meta l4proto tcp th sport >= 1024 th dport 54 notrack accept
--- a/nftables/nftables-social.conf
+++ b/nftables/nftables-social.conf
@ -103,13 +103,13 @@ table inet filter {
        type filter hook output priority raw
        oif lo goto output-raw-loopback
-        skuid != { root, systemd-network, unbound, chrony, http, mastodon } counter goto graceful-reject
+        skuid != { root, systemd-network, unbound, alpm, chrony, http, mastodon } counter goto graceful-reject
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
    chain output-raw-loopback {
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
-        skuid { chrony, mastodon } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+        skuid { alpm, chrony, mastodon } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
        skuid postgres udp sport >= 1024 udp dport >= 1024 notrack accept
--- a/nftables/nftables-web.conf
+++ b/nftables/nftables-web.conf
@ -113,13 +113,13 @@ table inet filter {
        type filter hook output priority raw
        oif lo goto output-raw-loopback
-        skuid != { root, systemd-network, unbound, chrony, http } counter goto graceful-reject
+        skuid != { root, systemd-network, unbound, alpm, chrony, http } counter goto graceful-reject
        meta l4proto { icmp, ipv6-icmp } notrack accept
    }
    chain output-raw-loopback {
        skuid unbound meta l4proto { tcp, udp } th sport 53 th dport >= 1024 notrack accept
-        skuid chrony meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
+        skuid { alpm, chrony } meta l4proto { tcp, udp } th sport >= 1024 th dport 53 notrack accept
        skuid != root counter goto graceful-reject
        notrack accept
--- a/pacman.conf
+++ b/pacman.conf
@ -35,6 +35,8 @@ Color
 CheckSpace
 VerbosePkgLists
 #ParallelDownloads = 5
 DownloadUser = alpm
 #DisableSandbox
 ILoveCandy
 # By default, pacman accepts packages signed by keys that its local keyring