authorThomas Deutschmann <whissi@gentoo.org>2018-08-24 16:33:55 +0200
committerThomas Deutschmann <whissi@gentoo.org>2018-08-24 16:34:15 +0200
commitdf7afbda6b12a68578833225e694cee011b20342 (patch)
treeebc9eed1157703768570d984e9f0a1621551ad9f /media-gfx/imagemagick/files
parentsys-kernel/gentoo-sources: Linux patch 4.4.152 (diff)
media-gfx/imagemagick: extend hardening
- PS2 and PS3 coders are now disabled by default, too. - Instead of patching, we now use sed which should make it easier to extend policy.xml in future. Bug: https://bugs.gentoo.org/664236 Package-Manager: Portage-2.3.48, Repoman-2.3.10 RepoMan-Options: --force
Diffstat (limited to 'media-gfx/imagemagick/files')
-rw-r--r--media-gfx/imagemagick/files/policy-hardening.patch15
-rw-r--r--media-gfx/imagemagick/files/policy-hardening.snippet9
2 files changed, 9 insertions, 15 deletions
diff --git a/media-gfx/imagemagick/files/policy-hardening.patch b/media-gfx/imagemagick/files/policy-hardening.patch
deleted file mode 100644
index 9bb8529d191a..000000000000
--- a/media-gfx/imagemagick/files/policy-hardening.patch
+++ /dev/null
@@ -1,15 +0,0 @@
---- a/config/policy.xml
-+++ b/config/policy.xml
-@@ -52,6 +52,12 @@
- <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
- -->
- <policymap>
-+ <!-- https://www.kb.cert.org/vuls/id/332928 mitigation -->
-+ <policy domain="coder" rights="none" pattern="PS" />
-+ <policy domain="coder" rights="none" pattern="EPS" />
-+ <policy domain="coder" rights="none" pattern="PDF" />
-+ <policy domain="coder" rights="none" pattern="XPS" />
-+
- <!-- <policy domain="system" name="shred" value="2"/> -->
- <!-- <policy domain="system" name="precision" value="6"/> -->
- <!-- <policy domain="system" name="memory-map" value="anonymous"/> -->
diff --git a/media-gfx/imagemagick/files/policy-hardening.snippet b/media-gfx/imagemagick/files/policy-hardening.snippet
new file mode 100644
index 000000000000..c1a91b0b8744
--- /dev/null
+++ b/media-gfx/imagemagick/files/policy-hardening.snippet
@@ -0,0 +1,9 @@
+<policymap>
+ <!-- https://www.kb.cert.org/vuls/id/332928 mitigation / https://bugs.gentoo.org/664236 -->
+ <policy domain="coder" rights="none" pattern="PS" />
+ <policy domain="coder" rights="none" pattern="PS2" />
+ <policy domain="coder" rights="none" pattern="PS3" />
+ <policy domain="coder" rights="none" pattern="EPS" />
+ <policy domain="coder" rights="none" pattern="PDF" />
+ <policy domain="coder" rights="none" pattern="XPS" />
+
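Review bot: The six `rights="none"` entries name exact coders, so how complete the mitigation is depends on how ImageMagick compares the pattern. If it is compared against the format name rather than the coder module, any other Ghostscript-backed format names the installed build registers would not be covered by this list. It is worth comparing the installed format list with these entries and confirming the effective policy with `identify -list policy` after install. The snippet also opens `<policymap>` without closing it, presumably because the ebuild's sed (outside this diff) puts it in place of the opening tag in upstream policy.xml. A comment such as `<!-- inserted in place of the opening policymap tag by the ebuild; intentionally not closed here -->` would document that, and a build-time check that the entries actually landed in the installed policy.xml would make the hardening fail loudly if upstream ever changes that line.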