Use a custom seccomp policy for older Docker Desktop releases

We are aware that some Docker Desktop releases before 25.0.0 ship with a seccomp policy which disables the `ptrace(2)` system call. In such cases, we opt to use our own seccomp policy which allows this system call. This seccomp policy is the default one in the latest releases of Podman, and we use it in Linux distributions where Podman version is < 4.0. Fixes #846
2025-04-28 18:02:38 +02:00 · 2024-06-25 19:08:40 +02:00 · 2024-06-25 19:08:40 +02:00 · e7e3430ca1
commit e7e3430ca1
parent 19ab0cb615
1 changed files with 18 additions and 5 deletions
--- a/dangerzone/isolation_provider/container.py
+++ b/dangerzone/isolation_provider/container.py
@ -56,7 +56,12 @@ class Container(IsolationProvider):
        """
        # Get the Docker/Podman version, using a Go template.
        runtime = Container.get_runtime_name()
-        cmd = [runtime, "version", "-f", "{{.Client.Version}}"]
+        if runtime == "podman":
+            query = "{{.Client.Version}}"
+        else:
+            query = "{{.Server.Version}}"
+
+        cmd = [runtime, "version", "-f", query]
        try:
            version = subprocess.run(
                cmd, capture_output=True, check=True
@ -104,6 +109,11 @@ class Container(IsolationProvider):
          - This particular argument is specified in `start_doc_to_pixels_proc()`, but
            should move here once #748 is merged.
        """
+        # This file has been copied as is [1] from the official Podman repo. See:
+        #
+        # [1] https://github.com/containers/common/blob/d3283f8401eeeb21f3c59a425b5461f069e199a7/pkg/seccomp/seccomp.json
+        seccomp_json_path = get_resource_path("seccomp.gvisor.json")
+        custom_seccomp_policy_arg = ["--security-opt", f"seccomp={seccomp_json_path}"]
        if Container.get_runtime_name() == "podman":
            security_args = ["--log-driver", "none"]
            security_args += ["--security-opt", "no-new-privileges"]
@ -111,14 +121,17 @@ class Container(IsolationProvider):
            # NOTE: Ubuntu Focal/Jammy have Podman version 3, and their seccomp policy
            # does not include the `ptrace()` syscall. This system call is required for
            # running gVisor, so we enforce a newer seccomp policy file in that case.
-            # This file has been copied as is [1] from the official Podman repo.
            #
-            # [1] https://github.com/containers/common/blob/d3283f8401eeeb21f3c59a425b5461f069e199a7/pkg/seccomp/seccomp.json
+            # See also https://github.com/freedomofpress/dangerzone/issues/846
            if Container.get_runtime_version() < (4, 0):
-                seccomp_json_path = get_resource_path("seccomp.gvisor.json")
-                security_args += ["--security-opt", f"seccomp={seccomp_json_path}"]
+                security_args += custom_seccomp_policy_arg
        else:
            security_args = ["--security-opt=no-new-privileges:true"]
+            # Older Docker Desktop versions may have a seccomp policy that does not
+            # allow `ptrace(2)`. In these cases, we specify our own. See:
+            # https://github.com/freedomofpress/dangerzone/issues/846
+            if Container.get_runtime_version() < (25, 0):
+                security_args += custom_seccomp_policy_arg

        security_args += ["--cap-drop", "all"]
        security_args += ["--cap-add", "SYS_CHROOT"]