WIP: HWPX conversion works

2025-04-28 18:02:38 +02:00 · 2025-01-07 19:16:56 +02:00 · 2025-01-07 19:16:56 +02:00 · 29d3552cce
commit 29d3552cce
parent 40242ba51b
3 changed files with 38 additions and 57 deletions
--- a/64
+++ b/64
@ -3,20 +3,32 @@ ARG DEBIAN_DATE=20241202
 ###########################################
 # Build Dangerzone container image (inner)

-FROM debian:bookworm-${DEBIAN_DATE}-slim as dangerzone-image
+FROM debian:bookworm-${DEBIAN_DATE}-slim
+
 ENV DEBIAN_FRONTEND=noninteractive
+
+ARG GVISOR_DATE=20241202
+
 RUN \
  --mount=type=cache,target=/var/cache/apt,sharing=locked \
  --mount=type=cache,target=/var/lib/apt,sharing=locked \
  --mount=type=bind,source=./oci/repro-sources-list.sh,target=/usr/local/bin/repro-sources-list.sh \
+  --mount=type=bind,source=./oci/gvisor.key,target=/tmp/gvisor.key \
  repro-sources-list.sh && \
+  : "Setup APT to install gVisor from its separate APT repo" && \
+  apt-get update && \
+  apt-get install -y --no-install-recommends apt-transport-https ca-certificates gnupg && \
+  gpg -o /usr/share/keyrings/gvisor-archive-keyring.gpg --dearmor /tmp/gvisor.key && \
+  echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] https://storage.googleapis.com/gvisor/releases ${GVISOR_DATE} main" > /etc/apt/sources.list.d/gvisor.list && \
+  : "Install gVisor and Dangerzone dependencies" && \
  apt-get update && \
  apt-get install -y --no-install-recommends \
-      python3-fitz libreoffice-nogui libreoffice-java-common python3 \
-      python3-magic default-jdk-headless fonts-noto-cjk fonts-dejavu \
-      unzip wget && \
+      python3 python3-fitz libreoffice-nogui libreoffice-java-common \
+      python3 python3-magic default-jre-headless fonts-noto-cjk fonts-dejavu \
+      runsc unzip wget && \
+  : "Clean up programs that are no longer necessary" && \
+  #apt-get remove -y apt-transport-https ca-certificates gnupg && \
  : "Clean up for improving reproducibility (optional)" && \
-  apt-get autoremove -y && \
  rm -rf /var/cache/fontconfig/ && \
  rm -rf /etc/ssl/certs/java/cacerts && \
  rm -rf /var/log/* /var/cache/ldconfig/aux-cache
@ -38,46 +50,18 @@ RUN mkdir -p /opt/dangerzone/dangerzone && \
  addgroup --gid 1000 dangerzone && \
  adduser --uid 1000 --ingroup dangerzone --shell /bin/true --home /home/dangerzone dangerzone

-COPY conversion/doc_to_pixels.py conversion/common.py conversion/errors.py conversion/__init__.py /opt/dangerzone/dangerzone/conversion
+COPY conversion/doc_to_pixels.py \
+    conversion/common.py \
+    conversion/errors.py \
+    conversion/__init__.py \
+    /opt/dangerzone/dangerzone/conversion

-####################################
-# Build gVisor wrapper image (outer)
-
-FROM debian:bookworm-${DEBIAN_DATE}-slim
-
-ARG GVISOR_DATE=20241202
-
-ENV DEBIAN_FRONTEND=noninteractive
-RUN \
-  --mount=type=cache,target=/var/cache/apt,sharing=locked \
-  --mount=type=cache,target=/var/lib/apt,sharing=locked \
-  --mount=type=bind,source=./oci/repro-sources-list.sh,target=/usr/local/bin/repro-sources-list.sh \
-  --mount=type=bind,source=./oci/gvisor.key,target=/tmp/gvisor.key \
-  repro-sources-list.sh && \
-  : "Setup APT to install gVisor from its separate APT repo" && \
-  apt-get update && \
-  apt-get install -y --no-install-recommends apt-transport-https ca-certificates gnupg && \
-  gpg -o /usr/share/keyrings/gvisor-archive-keyring.gpg --dearmor /tmp/gvisor.key && \
-  echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/gvisor-archive-keyring.gpg] https://storage.googleapis.com/gvisor/releases ${GVISOR_DATE} main" > /etc/apt/sources.list.d/gvisor.list && \
-  : "Install Pthon3 and gVisor" && \
-  apt-get update && \
-  apt-get install -y --no-install-recommends python3 runsc && \
-  : "Clean up for improving reproducibility (optional)" && \
-  apt-get remove -y apt-transport-https ca-certificates gnupg && \
-  apt-get autoremove -y && \
-  rm -rf /var/log/* /var/cache/ldconfig/aux-cache
-
-RUN addgroup --gid 1000 dangerzone && \
-  adduser --uid 1000 --ingroup dangerzone --shell /bin/true --home /home/dangerzone dangerzone
+RUN touch /config.json
+RUN chown dangerzone:dangerzone /config.json

 # Switch to the dangerzone user for the rest of the script.
 USER dangerzone

-# Copy the Dangerzone image, as created by the previous steps, into the home
-# directory of the `dangerzone` user.
-RUN mkdir /home/dangerzone/dangerzone-image
-COPY --from=dangerzone-image / /home/dangerzone/dangerzone-image/rootfs
-
 # Create a directory that will be used by gVisor as the place where it will
 # store the state of its containers.
 RUN mkdir /home/dangerzone/.containers
--- a/dangerzone/oci/entrypoint.py
+++ b/dangerzone/oci/entrypoint.py
@ -56,7 +56,7 @@ oci_config: dict[str, typing.Any] = {
            {"type": "RLIMIT_NOFILE", "hard": 4096, "soft": 4096},
        ],
    },
-    "root": {"path": "rootfs", "readonly": True},
+    "root": {"path": "/", "readonly": True},
    "hostname": "dangerzone",
    "mounts": [
        {
@ -98,6 +98,15 @@ oci_config: dict[str, typing.Any] = {
            "source": "tmpfs",
            "options": ["nosuid", "noexec", "nodev"],
        },
+        # Mask the OCI config, just in case.
+        # TODO: Is this necessary? Can the attacker somehow trick gVisor to write to it,
+        # and therefore change the config of the running container?
+        {
+            "destination": "/config.json",
+            "type": "tmpfs",
+            "source": "tmpfs",
+            "options": ["nosuid", "noexec", "nodev"],
+        },
    ],
    "linux": {
        "namespaces": [
@ -133,7 +142,7 @@ if os.environ.get("RUNSC_DEBUG"):
    json.dump(oci_config, sys.stderr, indent=2, sort_keys=True)
    # json.dump doesn't print a trailing newline, so print one here:
    log("")
-with open("/home/dangerzone/dangerzone-image/config.json", "w") as oci_config_out:
+with open("/config.json", "w") as oci_config_out:
    json.dump(oci_config, oci_config_out, indent=2, sort_keys=True)

 # Run gVisor.
@ -150,7 +159,7 @@ if os.environ.get("RUNSC_DEBUG"):
    runsc_argv += ["--debug=true", "--alsologtostderr=true"]
 if os.environ.get("RUNSC_FLAGS"):
    runsc_argv += [x for x in shlex.split(os.environ.get("RUNSC_FLAGS", "")) if x]
-runsc_argv += ["run", "--bundle=/home/dangerzone/dangerzone-image", "dangerzone"]
+runsc_argv += ["run", "--bundle=/", "dangerzone"]
 log(
    "Running gVisor with command line: {}", " ".join(shlex.quote(s) for s in runsc_argv)
 )
--- a/install/common/build-image.py
+++ b/install/common/build-image.py
@ -51,9 +51,9 @@ def main():
        "--use-cache",
        type=str2bool,
        nargs="?",
-        default=False,
+        default=True,
        const=True,
-        help="Use the builder's cache to speed up the builds (not suitable for release builds)",
+        help="Use the builder's cache to speed up the builds",
    )
    args = parser.parse_args()

@ -82,18 +82,6 @@ def main():
    with open(image_id_path, "w") as f:
        f.write(tag)

-    print("Exporting container pip dependencies")
-    if not args.use_cache:
-        print("Pulling base image")
-        subprocess.run(
-            [
-                args.runtime,
-                "pull",
-                "alpine:latest",
-            ],
-            check=True,
-        )
-
    # Build the container image, and tag it with the calculated tag
    print("Building container image")
    cache_args = [] if args.use_cache else ["--no-cache"]