Disable gVisor's DirectFS feature.

DirectFS is enabled by default in gVisor to improve I/O performance,
but comes at the cost of enabling the `openat(2)` syscall (with severe
restrictions, but still). As Dangerzone is not performance-sensitive,
and it is desirable to guarantee that the document conversion
process does not open any files (to mimic some of what SELinux provides),
we might as well disable it by default.

See #226.
Etienne Perot 2024-08-09 17:17:57 -07:00 committed by Alex Pyrgiotis
parent 2237f76219
commit 73b0f8b7d4
GPG key ID: B6C15EBA0357C9AA


@ -142,6 +142,9 @@ runsc_argv = [
"--rootless=true",
"--network=none",
"--root=/home/dangerzone/.containers",
# Disable DirectFS for to make the seccomp filter even stricter,
# at some performance cost.
"--directfs=false",
]
if os.environ.get("RUNSC_DEBUG"):
runsc_argv += ["--debug=true", "--alsologtostderr=true"]
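Review bot: the added comment on the `--directfs=false` entry has a typo ("Disable DirectFS for to make the seccomp filter even stricter") and should read "Disable DirectFS to make the seccomp filter even stricter"; while touching it, consider stating what the stricter filter buys, as the commit message does (the sandboxed conversion process no longer gets `openat(2)`), and pointing at #226, since a reader of this argv list otherwise has no way to know why a performance-costing flag was flipped.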