almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-28 18:02:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

deduplicate container_args

Browse source 
The container arguments was duplicated. This could potentially lead
to refactor errors. For example security arg could be added in one
container call but forgotten to be added in a second one.
This commit is contained in:
deeplow 2022-08-22 09:24:40 +01:00
parent 345ac8a396
commit bd51947fca
No known key found for this signature in database
GPG key ID: 577982871529A52A
1 changed files with 40 additions and 52 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

92
dangerzone/container.py
View file

@ -48,11 +48,30 @@ def exec(args, stdout_callback=None):
return p.returncode return p.returncode
def exec_container(args, stdout_callback=None): def exec_container(command, extra_args=[], stdout_callback=None):
if container_tech == "podman": if container_tech == "podman":
container_runtime = shutil.which("podman") container_runtime = shutil.which("podman")
platform_args = []
security_args = ["--security-opt", "no-new-privileges"]
security_args += ["--userns", "keep-id"]
else: else:
container_runtime = shutil.which("docker") container_runtime = shutil.which("docker")
platform_args = ["--platform", "linux/amd64"]
security_args = ["--security-opt=no-new-privileges:true"]
# drop all linux kernel capabilities
security_args += ["--cap-drop", "all"]
user_args = ["-u", "dangerzone"]
args = (
["run", "--network", "none"]
+ platform_args
+ user_args
+ security_args
+ extra_args
+ [container_name]
+ command
)
args = [container_runtime] + args args = [container_runtime] + args
return exec(args, stdout_callback) return exec(args, stdout_callback)
@ -75,64 +94,33 @@ def convert(input_filename, output_filename, ocr_lang, stdout_callback):
os.makedirs(pixel_dir, exist_ok=True) os.makedirs(pixel_dir, exist_ok=True)
os.makedirs(safe_dir, exist_ok=True) os.makedirs(safe_dir, exist_ok=True)
if container_tech == "docker":
platform_args = ["--platform", "linux/amd64"]
security_args = ["--security-opt=no-new-privileges:true"]
else:
platform_args = []
security_args = ["--security-opt", "no-new-privileges"]
security_args += ["--userns", "keep-id"]
# drop all linux kernel capabilities
security_args += ["--cap-drop", "all"]
user_args = ["-u", "dangerzone"]
# Convert document to pixels # Convert document to pixels
args = ( command = ["/usr/bin/python3", "/usr/local/bin/dangerzone.py", "document-to-pixels"]
["run", "--network", "none"] extra_args = [
+ platform_args "-v",
+ user_args f"{input_filename}:/tmp/input_file",
+ security_args "-v",
+ [ f"{pixel_dir}:/dangerzone",
"-v", ]
f"{input_filename}:/tmp/input_file", ret = exec_container(command, extra_args, stdout_callback)
"-v",
f"{pixel_dir}:/dangerzone",
container_name,
"/usr/bin/python3",
"/usr/local/bin/dangerzone.py",
"document-to-pixels",
]
)
ret = exec_container(args, stdout_callback)
if ret != 0: if ret != 0:
log.error("documents-to-pixels failed") log.error("documents-to-pixels failed")
else: else:
# TODO: validate convert to pixels output # TODO: validate convert to pixels output
# Convert pixels to safe PDF # Convert pixels to safe PDF
args = ( command = ["/usr/bin/python3", "/usr/local/bin/dangerzone.py", "pixels-to-pdf"]
["run", "--network", "none"] extra_args = [
+ platform_args "-v",
+ security_args f"{pixel_dir}:/dangerzone",
+ user_args "-v",
+ [ f"{safe_dir}:/safezone",
"-v", "-e",
f"{pixel_dir}:/dangerzone", f"OCR={ocr}",
"-v", "-e",
f"{safe_dir}:/safezone", f"OCR_LANGUAGE={ocr_lang}",
"-e", ]
f"OCR={ocr}", ret = exec_container(command, extra_args, stdout_callback)
"-e",
f"OCR_LANGUAGE={ocr_lang}",
container_name,
"/usr/bin/python3",
"/usr/local/bin/dangerzone.py",
"pixels-to-pdf",
]
)
ret = exec_container(args, stdout_callback)
if ret != 0: if ret != 0:
log.error("pixels-to-pdf failed") log.error("pixels-to-pdf failed")
else: else: