container: Add workarounds for Podman Desktop support on Windows

In case we run on Windows and use Podman Desktop (for which we currently offer experimental support), we must not pass some Podman flags in order to avoid conversion errors. Refs #1127
2025-04-28 01:42:38 +02:00 · 2025-04-07 16:53:34 +03:00 · 2025-04-07 16:53:34 +03:00 · 10be85b9f2
commit 10be85b9f2
parent 47d732e603
1 changed files with 17 additions and 2 deletions
--- a/dangerzone/isolation_provider/container.py
+++ b/dangerzone/isolation_provider/container.py
@ -56,7 +56,14 @@ class Container(IsolationProvider):
            security_args = ["--log-driver", "none"]
            security_args += ["--security-opt", "no-new-privileges"]
            if container_utils.get_runtime_version() >= (4, 1):
-                security_args += ["--userns", "nomap"]
+                # We perform a platform check to avoid the following Podman Desktop
+                # error on Windows:
+                #
+                #   Error: nomap is only supported in rootless mode
+                #
+                # See also: https://github.com/freedomofpress/dangerzone/issues/1127
+                if platform.system() != "Windows":
+                    security_args += ["--userns", "nomap"]
        else:
            security_args = ["--security-opt=no-new-privileges:true"]

@ -67,7 +74,15 @@ class Container(IsolationProvider):
        # [1] https://github.com/freedomofpress/dangerzone/issues/846
        # [2] https://github.com/containers/common/blob/d3283f8401eeeb21f3c59a425b5461f069e199a7/pkg/seccomp/seccomp.json
        seccomp_json_path = str(get_resource_path("seccomp.gvisor.json"))
-        security_args += ["--security-opt", f"seccomp={seccomp_json_path}"]
+        # We perform a platform check to avoid the following Podman Desktop
+        # error on Windows:
+        #
+        #   Error: opening seccomp profile failed: open
+        #   C:\[...]\dangerzone\share\seccomp.gvisor.json: no such file or directory
+        #
+        # See also: https://github.com/freedomofpress/dangerzone/issues/1127
+        if runtime.name == "podman" and platform.system() != "Windows":
+            security_args += ["--security-opt", f"seccomp={seccomp_json_path}"]

        security_args += ["--cap-drop", "all"]
        security_args += ["--cap-add", "SYS_CHROOT"]