From 10be85b9f249780a408123f36a37664f027a1977 Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis <alex.p@freedom.press>
Date: Mon, 7 Apr 2025 16:53:34 +0300
Subject: [PATCH] container: Add workarounds for Podman Desktop support on
 Windows

In case we run on Windows and use Podman Desktop (for which we currently
offer experimental support), we must not pass some Podman flags in order
to avoid conversion errors.

Refs #1127
---
 dangerzone/isolation_provider/container.py | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/dangerzone/isolation_provider/container.py b/dangerzone/isolation_provider/container.py
index 4976732..520375f 100644
--- a/dangerzone/isolation_provider/container.py
+++ b/dangerzone/isolation_provider/container.py
@@ -56,7 +56,14 @@ class Container(IsolationProvider):
             security_args = ["--log-driver", "none"]
             security_args += ["--security-opt", "no-new-privileges"]
             if container_utils.get_runtime_version() >= (4, 1):
-                security_args += ["--userns", "nomap"]
+                # We perform a platform check to avoid the following Podman Desktop
+                # error on Windows:
+                #
+                #   Error: nomap is only supported in rootless mode
+                #
+                # See also: https://github.com/freedomofpress/dangerzone/issues/1127
+                if platform.system() != "Windows":
+                    security_args += ["--userns", "nomap"]
         else:
             security_args = ["--security-opt=no-new-privileges:true"]
 
@@ -67,7 +74,15 @@ class Container(IsolationProvider):
         # [1] https://github.com/freedomofpress/dangerzone/issues/846
         # [2] https://github.com/containers/common/blob/d3283f8401eeeb21f3c59a425b5461f069e199a7/pkg/seccomp/seccomp.json
         seccomp_json_path = str(get_resource_path("seccomp.gvisor.json"))
-        security_args += ["--security-opt", f"seccomp={seccomp_json_path}"]
+        # We perform a platform check to avoid the following Podman Desktop
+        # error on Windows:
+        #
+        #   Error: opening seccomp profile failed: open
+        #   C:\[...]\dangerzone\share\seccomp.gvisor.json: no such file or directory
+        #
+        # See also: https://github.com/freedomofpress/dangerzone/issues/1127
+        if runtime.name == "podman" and platform.system() != "Windows":
+            security_args += ["--security-opt", f"seccomp={seccomp_json_path}"]
 
         security_args += ["--cap-drop", "all"]
         security_args += ["--cap-add", "SYS_CHROOT"]