From 8b22cdb81fe504fce01c60d2b97de0288285b72f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?=
Date: Sat, 9 Nov 2024 21:38:32 +0100
Subject: [PATCH 1/2] Unpin gVisor, now that upstream is able to support Linux Yama Mode 2

Fixes #298
---
 Dockerfile | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 83896eb..c89c5a4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -74,9 +74,7 @@ FROM alpine:latest
 RUN apk --no-cache -U upgrade && \
     apk --no-cache add python3
-# Temporarily pin gVisor to the latest working version (release-20240826.0).
-# See: https://github.com/freedomofpress/dangerzone/issues/928
-RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/20240826/$(uname -m)"; \
+RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/latest/$(uname -m)"; \
     wget "${GVISOR_URL}/runsc" "${GVISOR_URL}/runsc.sha512" && \
     sha512sum -c runsc.sha512 && \
     rm -f runsc.sha512 && \

From af13e316aa9993f88de2dbd9592f348f7a3d19be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?=
Date: Sat, 9 Nov 2024 21:42:05 +0100
Subject: [PATCH 2/2] Reapply "Disable gVisor's DirectFS feature.""

This reverts commit 68f8338d2032dd90b17e9b7c5d400fb532c5f20f.

Fixes #982
---
 dangerzone/gvisor_wrapper/entrypoint.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dangerzone/gvisor_wrapper/entrypoint.py b/dangerzone/gvisor_wrapper/entrypoint.py
index f9941ed..8d09eb2 100755
--- a/dangerzone/gvisor_wrapper/entrypoint.py
+++ b/dangerzone/gvisor_wrapper/entrypoint.py
@@ -142,6 +142,9 @@ runsc_argv = [
     "--rootless=true",
     "--network=none",
     "--root=/home/dangerzone/.containers",
+    # Disable DirectFS for to make the seccomp filter even stricter,
+    # at some performance cost.
+    "--directfs=false",
 ]
 if os.environ.get("RUNSC_DEBUG"):
     runsc_argv += ["--debug=true", "--alsologtostderr=true"]
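Review bot: The first added comment line in the entrypoint.py hunk has a stray word, `# Disable DirectFS for to make the seccomp filter even stricter,`; it should read `# Disable DirectFS to make the seccomp filter even stricter,`. Because `--directfs=false` is the security-relevant part of this change, the comment would be more useful if it also said what "stricter" means here — as I understand it, with DirectFS off the sentry does not need host file-system syscalls allowed in its own seccomp filter, but that is worth confirming against the runsc documentation for the release actually built. Note that the companion Dockerfile patch now fetches `release/latest` instead of a pinned release, so the only guarantee that this runsc accepts `--directfs` is whatever version that URL resolves to at build time; recording the minimum release known to support the flag next to this line would make a future build failure or silent default change easier to diagnose. The `runsc_argv` list begins before this hunk.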