almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-28 18:02:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

WIP: HWPX conversion works

Browse source
This commit is contained in:
Alex Pyrgiotis 2025-01-07 19:16:56 +02:00
parent 40242ba51b
commit 29d3552cce
No known key found for this signature in database
GPG key ID: B6C15EBA0357C9AA
3 changed files with 38 additions and 57 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
Dockerfile
View file

@ -3,20 +3,32 @@ ARG DEBIAN_DATE=20241202
########################################### ###########################################
# Build Dangerzone container image (inner) # Build Dangerzone container image (inner)
FROM debian:bookworm-${DEBIAN_DATE}-slim as dangerzone-image FROM debian:bookworm-${DEBIAN_DATE}-slim
ENV DEBIAN_FRONTEND=noninteractive ENV DEBIAN_FRONTEND=noninteractive
ARG GVISOR_DATE=20241202
RUN \ RUN \
--mount=type=cache,target=/var/cache/apt,sharing=locked \ --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \ --mount=type=cache,target=/var/lib/apt,sharing=locked \
--mount=type=bind,source=./oci/repro-sources-list.sh,target=/usr/local/bin/repro-sources-list.sh \ --mount=type=bind,source=./oci/repro-sources-list.sh,target=/usr/local/bin/repro-sources-list.sh \
--mount=type=bind,source=./oci/gvisor.key,target=/tmp/gvisor.key \
repro-sources-list.sh && \ repro-sources-list.sh && \
: "Setup APT to install gVisor from its separate APT repo" && \
apt-get update && \
apt-get install -y --no-install-recommends apt-transport-https ca-certificates gnupg && \
gpg -o /usr/share/keyrings/gvisor-archive-keyring.gpg --dearmor /tmp/gvisor.key && \
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] https://storage.googleapis.com/gvisor/releases ${GVISOR_DATE} main" > /etc/apt/sources.list.d/gvisor.list && \
: "Install gVisor and Dangerzone dependencies" && \
apt-get update && \ apt-get update && \
apt-get install -y --no-install-recommends \ apt-get install -y --no-install-recommends \
python3-fitz libreoffice-nogui libreoffice-java-common python3 \ python3 python3-fitz libreoffice-nogui libreoffice-java-common \
python3-magic default-jdk-headless fonts-noto-cjk fonts-dejavu \ python3 python3-magic default-jre-headless fonts-noto-cjk fonts-dejavu \
unzip wget && \ runsc unzip wget && \
: "Clean up programs that are no longer necessary" && \
#apt-get remove -y apt-transport-https ca-certificates gnupg && \
: "Clean up for improving reproducibility (optional)" && \ : "Clean up for improving reproducibility (optional)" && \
apt-get autoremove -y && \
rm -rf /var/cache/fontconfig/ && \ rm -rf /var/cache/fontconfig/ && \
rm -rf /etc/ssl/certs/java/cacerts && \ rm -rf /etc/ssl/certs/java/cacerts && \
rm -rf /var/log/* /var/cache/ldconfig/aux-cache rm -rf /var/log/* /var/cache/ldconfig/aux-cache
@ -38,46 +50,18 @@ RUN mkdir -p /opt/dangerzone/dangerzone && \
addgroup --gid 1000 dangerzone && \ addgroup --gid 1000 dangerzone && \
adduser --uid 1000 --ingroup dangerzone --shell /bin/true --home /home/dangerzone dangerzone adduser --uid 1000 --ingroup dangerzone --shell /bin/true --home /home/dangerzone dangerzone
COPY conversion/doc_to_pixels.py conversion/common.py conversion/errors.py conversion/__init__.py /opt/dangerzone/dangerzone/conversion COPY conversion/doc_to_pixels.py \
conversion/common.py \
conversion/errors.py \
conversion/__init__.py \
/opt/dangerzone/dangerzone/conversion
#################################### RUN touch /config.json
# Build gVisor wrapper image (outer) RUN chown dangerzone:dangerzone /config.json
FROM debian:bookworm-${DEBIAN_DATE}-slim
ARG GVISOR_DATE=20241202
ENV DEBIAN_FRONTEND=noninteractive
RUN \
--mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
--mount=type=bind,source=./oci/repro-sources-list.sh,target=/usr/local/bin/repro-sources-list.sh \
--mount=type=bind,source=./oci/gvisor.key,target=/tmp/gvisor.key \
repro-sources-list.sh && \
: "Setup APT to install gVisor from its separate APT repo" && \
apt-get update && \
apt-get install -y --no-install-recommends apt-transport-https ca-certificates gnupg && \
gpg -o /usr/share/keyrings/gvisor-archive-keyring.gpg --dearmor /tmp/gvisor.key && \
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] https://storage.googleapis.com/gvisor/releases ${GVISOR_DATE} main" > /etc/apt/sources.list.d/gvisor.list && \
: "Install Pthon3 and gVisor" && \
apt-get update && \
apt-get install -y --no-install-recommends python3 runsc && \
: "Clean up for improving reproducibility (optional)" && \
apt-get remove -y apt-transport-https ca-certificates gnupg && \
apt-get autoremove -y && \
rm -rf /var/log/* /var/cache/ldconfig/aux-cache
RUN addgroup --gid 1000 dangerzone && \
adduser --uid 1000 --ingroup dangerzone --shell /bin/true --home /home/dangerzone dangerzone
# Switch to the dangerzone user for the rest of the script. # Switch to the dangerzone user for the rest of the script.
USER dangerzone USER dangerzone
# Copy the Dangerzone image, as created by the previous steps, into the home
# directory of the `dangerzone` user.
RUN mkdir /home/dangerzone/dangerzone-image
COPY --from=dangerzone-image / /home/dangerzone/dangerzone-image/rootfs
# Create a directory that will be used by gVisor as the place where it will # Create a directory that will be used by gVisor as the place where it will
# store the state of its containers. # store the state of its containers.
RUN mkdir /home/dangerzone/.containers RUN mkdir /home/dangerzone/.containers

15
dangerzone/oci/entrypoint.py
View file

@ -56,7 +56,7 @@ oci_config: dict[str, typing.Any] = {
{"type": "RLIMIT_NOFILE", "hard": 4096, "soft": 4096}, {"type": "RLIMIT_NOFILE", "hard": 4096, "soft": 4096},
], ],
}, },
"root": {"path": "rootfs", "readonly": True}, "root": {"path": "/", "readonly": True},
"hostname": "dangerzone", "hostname": "dangerzone",
"mounts": [ "mounts": [
{ {
@ -98,6 +98,15 @@ oci_config: dict[str, typing.Any] = {
"source": "tmpfs", "source": "tmpfs",
"options": ["nosuid", "noexec", "nodev"], "options": ["nosuid", "noexec", "nodev"],
}, },
# Mask the OCI config, just in case.
# TODO: Is this necessary? Can the attacker somehow trick gVisor to write to it,
# and therefore change the config of the running container?
{
"destination": "/config.json",
"type": "tmpfs",
"source": "tmpfs",
"options": ["nosuid", "noexec", "nodev"],
},
], ],
"linux": { "linux": {
"namespaces": [ "namespaces": [
@ -133,7 +142,7 @@ if os.environ.get("RUNSC_DEBUG"):
json.dump(oci_config, sys.stderr, indent=2, sort_keys=True) json.dump(oci_config, sys.stderr, indent=2, sort_keys=True)
# json.dump doesn't print a trailing newline, so print one here: # json.dump doesn't print a trailing newline, so print one here:
log("") log("")
with open("/home/dangerzone/dangerzone-image/config.json", "w") as oci_config_out: with open("/config.json", "w") as oci_config_out:
json.dump(oci_config, oci_config_out, indent=2, sort_keys=True) json.dump(oci_config, oci_config_out, indent=2, sort_keys=True)
# Run gVisor. # Run gVisor.
@ -150,7 +159,7 @@ if os.environ.get("RUNSC_DEBUG"):
runsc_argv += ["--debug=true", "--alsologtostderr=true"] runsc_argv += ["--debug=true", "--alsologtostderr=true"]
if os.environ.get("RUNSC_FLAGS"): if os.environ.get("RUNSC_FLAGS"):
runsc_argv += [x for x in shlex.split(os.environ.get("RUNSC_FLAGS", "")) if x] runsc_argv += [x for x in shlex.split(os.environ.get("RUNSC_FLAGS", "")) if x]
runsc_argv += ["run", "--bundle=/home/dangerzone/dangerzone-image", "dangerzone"] runsc_argv += ["run", "--bundle=/", "dangerzone"]
log( log(
"Running gVisor with command line: {}", " ".join(shlex.quote(s) for s in runsc_argv) "Running gVisor with command line: {}", " ".join(shlex.quote(s) for s in runsc_argv)
) )

16
install/common/build-image.py
View file

@ -51,9 +51,9 @@ def main():
"--use-cache", "--use-cache",
type=str2bool, type=str2bool,
nargs="?", nargs="?",
default=False, default=True,
const=True, const=True,
help="Use the builder's cache to speed up the builds (not suitable for release builds)", help="Use the builder's cache to speed up the builds",
) )
args = parser.parse_args() args = parser.parse_args()
@ -82,18 +82,6 @@ def main():
with open(image_id_path, "w") as f: with open(image_id_path, "w") as f:
f.write(tag) f.write(tag)
print("Exporting container pip dependencies")
if not args.use_cache:
print("Pulling base image")
subprocess.run(
[
args.runtime,
"pull",
"alpine:latest",
],
check=True,
)
# Build the container image, and tag it with the calculated tag # Build the container image, and tag it with the calculated tag
print("Building container image") print("Building container image")
cache_args = [] if args.use_cache else ["--no-cache"] cache_args = [] if args.use_cache else ["--no-cache"]