podman run with --userns=keep-id to mount volumes

Moving to /dangerzone was failing with insufficient permissions:

    Invalid JSON returned from container: PermissionError: [Errno
    13] Permission denied: '/dangerzone/page-3.rgb'

A previous approach was removed in commit 805222. It started with
root at first in a wrapper script and then dropped these
privileges while running the script.

`--userns=keep-id` solves the mountpoint issues as it maps the user
starting the container into the container [1].

[1]: https://www.redhat.com/sysadmin/user-flag-rootless-containers
This commit is contained in:
deeplow 2022-08-15 13:08:37 +01:00
parent 21a9a6c98c
commit 345ac8a396
No known key found for this signature in database
GPG key ID: 577982871529A52A


@ -81,6 +81,7 @@ def convert(input_filename, output_filename, ocr_lang, stdout_callback):
else:
platform_args = []
security_args = ["--security-opt", "no-new-privileges"]
security_args += ["--userns", "keep-id"]
# drop all linux kernel capabilities
security_args += ["--cap-drop", "all"]
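Review bot: the new `security_args += ["--userns", "keep-id"]` line is added unconditionally in the `else:` branch, but `keep-id` is a Podman-only user-namespace mode (Docker's `--userns` does not accept it, and under rootful Podman there is no uid mapping for it to preserve), so if this branch can run with a runtime other than rootless Podman the flag should be guarded by the same runtime check that selects the container command; it would also help to give the line a short comment in the style of the existing `# drop all linux kernel capabilities`, e.g. `# map the invoking user into the container so the /dangerzone volume is writable`, so the reason for the flag (the PermissionError described in the commit message) survives in the code.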