From e7e3430ca11ef768485b2d27e069ea76e9923fec Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis <alex.p@freedom.press>
Date: Tue, 25 Jun 2024 19:08:40 +0200
Subject: [PATCH] Use a custom seccomp policy for older Docker Desktop releases

We are aware that some Docker Desktop releases before 25.0.0 ship with a
seccomp policy which disables the `ptrace(2)` system call. In such
cases, we opt to use our own seccomp policy which allows this system
call. This seccomp policy is the default one in the latest releases of
Podman, and we use it in Linux distributions where Podman version is <
4.0.

Fixes #846
---
 dangerzone/isolation_provider/container.py | 23 +++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/dangerzone/isolation_provider/container.py b/dangerzone/isolation_provider/container.py
index 24947ca..5ae8072 100644
--- a/dangerzone/isolation_provider/container.py
+++ b/dangerzone/isolation_provider/container.py
@@ -56,7 +56,12 @@ class Container(IsolationProvider):
         """
         # Get the Docker/Podman version, using a Go template.
         runtime = Container.get_runtime_name()
-        cmd = [runtime, "version", "-f", "{{.Client.Version}}"]
+        if runtime == "podman":
+            query = "{{.Client.Version}}"
+        else:
+            query = "{{.Server.Version}}"
+
+        cmd = [runtime, "version", "-f", query]
         try:
             version = subprocess.run(
                 cmd, capture_output=True, check=True
@@ -104,6 +109,11 @@ class Container(IsolationProvider):
           - This particular argument is specified in `start_doc_to_pixels_proc()`, but
             should move here once #748 is merged.
         """
+        # This file has been copied as is [1] from the official Podman repo. See:
+        #
+        # [1] https://github.com/containers/common/blob/d3283f8401eeeb21f3c59a425b5461f069e199a7/pkg/seccomp/seccomp.json
+        seccomp_json_path = get_resource_path("seccomp.gvisor.json")
+        custom_seccomp_policy_arg = ["--security-opt", f"seccomp={seccomp_json_path}"]
         if Container.get_runtime_name() == "podman":
             security_args = ["--log-driver", "none"]
             security_args += ["--security-opt", "no-new-privileges"]
@@ -111,14 +121,17 @@ class Container(IsolationProvider):
             # NOTE: Ubuntu Focal/Jammy have Podman version 3, and their seccomp policy
             # does not include the `ptrace()` syscall. This system call is required for
             # running gVisor, so we enforce a newer seccomp policy file in that case.
-            # This file has been copied as is [1] from the official Podman repo.
             #
-            # [1] https://github.com/containers/common/blob/d3283f8401eeeb21f3c59a425b5461f069e199a7/pkg/seccomp/seccomp.json
+            # See also https://github.com/freedomofpress/dangerzone/issues/846
             if Container.get_runtime_version() < (4, 0):
-                seccomp_json_path = get_resource_path("seccomp.gvisor.json")
-                security_args += ["--security-opt", f"seccomp={seccomp_json_path}"]
+                security_args += custom_seccomp_policy_arg
         else:
             security_args = ["--security-opt=no-new-privileges:true"]
+            # Older Docker Desktop versions may have a seccomp policy that does not
+            # allow `ptrace(2)`. In these cases, we specify our own. See:
+            # https://github.com/freedomofpress/dangerzone/issues/846
+            if Container.get_runtime_version() < (25, 0):
+                security_args += custom_seccomp_policy_arg
 
         security_args += ["--cap-drop", "all"]
         security_args += ["--cap-add", "SYS_CHROOT"]