From 0a181a334275610aac088c52b173f5490e971e19 Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis
Date: Fri, 26 Jul 2024 16:27:40 +0300
Subject: [PATCH 1/9] container: Set `container_engine_t` SELinux label Set the `container_engine_t` SELinux on the **outer** Podman container, so that gVisor does not break on systems where SELinux is enforcing. This label is provided for container engines running within a container, which fits our `runsc` within `crun` situation. We have considered using the more permissive `label=disable` option, to disable SELinux labels altogether, but we want to take advantage of as many SELinux protections as we can, even for the **outer** container. Cherry-picked from e1e63d14f8d7d1b6b14b56a86232eef9555ac9d6 Fixes #880
---
 dangerzone/isolation_provider/container.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/dangerzone/isolation_provider/container.py b/dangerzone/isolation_provider/container.py
index 4085039..82fd8e1 100644
--- a/dangerzone/isolation_provider/container.py
+++ b/dangerzone/isolation_provider/container.py
@@ -103,6 +103,9 @@ class Container(IsolationProvider):
 running gVisor.
 * Do not allow access to the network stack.
 * Run the container as the unprivileged `dangerzone` user.
+ * Set the `container_engine_t` SELinux label, which allows gVisor to work on
+ SELinux-enforcing systems
+ (see https://github.com/freedomofpress/dangerzone/issues/880).
 For Podman specifically, where applicable, we also add the following:
 * Do not log the container's output.
@@ -138,6 +141,7 @@ class Container(IsolationProvider):
 security_args += ["--cap-drop", "all"]
 security_args += ["--cap-add", "SYS_CHROOT"]
+ security_args += ["--security-opt", "label=type:container_engine_t"]
 security_args += ["--network=none"]
 security_args += ["-u", "dangerzone"]
From 61e04d42ef420bf519e505a4898970d2dd645c26 Mon Sep 17 00:00:00 2001
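Review bot: The added `--security-opt label=type:container_engine_t` line in the second hunk sits among the sandbox's hardening flags with no inline comment, so a reader of the code alone cannot tell that this flag swaps the default container SELinux type for a broader one rather than tightening anything. I would put the rationale next to the flag, e.g. `# Use container_engine_t instead of the default container type so runsc works under enforcing SELinux (issue #880); still confined, unlike label=disable.` It is also worth confirming what happens on an enforcing host whose policy does not define `container_engine_t` (presumably older container-selinux packages), since the container start may then fail outright instead of falling back. The enclosing function starts and ends outside the hunk.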
From: Alex Pyrgiotis
Date: Tue, 30 Jul 2024 16:43:45 +0300
Subject: [PATCH 2/9] Bump the RPM patch level to 2 Bump the RPM patch level to 2, so that the rebuilt RPM package for 0.7.0 hotfix release can be installed over the existing 0.7.0-1 package.
---
 install/linux/dangerzone.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/linux/dangerzone.spec b/install/linux/dangerzone.spec
index adc6a05..0da0662 100644
--- a/install/linux/dangerzone.spec
+++ b/install/linux/dangerzone.spec
@@ -33,7 +33,7 @@ Name: dangerzone
 %endif
 Version: 0.7.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs
 License: AGPL-3.0
From 27d201a95bae89f87982737440d65e995ae9cb05 Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis
Date: Tue, 2 Jul 2024 20:41:58 +0300
Subject: [PATCH 3/9] container: Avoid pop-ups on Windows Avoid window pop-ups on Windows systems, by using the `startupinfo` argument of `subprocess.run`.
---
 dangerzone/isolation_provider/container.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/dangerzone/isolation_provider/container.py b/dangerzone/isolation_provider/container.py
index 82fd8e1..76c4aa0 100644
--- a/dangerzone/isolation_provider/container.py
+++ b/dangerzone/isolation_provider/container.py
@@ -67,7 +67,10 @@ class Container(IsolationProvider):
 cmd = [runtime, "version", "-f", query]
 try:
 version = subprocess.run(
- cmd, capture_output=True, check=True
+ cmd,
+ startupinfo=get_subprocess_startupinfo(),
+ capture_output=True,
+ check=True,
 ).stdout.decode()
 except Exception as e:
 msg = f"Could not get the version of the {runtime.capitalize()} tool: {e}"
From bd2dc0ea3c39dbff15653e4cfcc89fcf7bad25e3 Mon Sep 17 00:00:00 2001
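Review bot: The rewritten `subprocess.run(...)` call in the container.py hunk still has no `timeout=`, so a runtime CLI that never answers blocks this version check indefinitely, and with the console window now suppressed on Windows there is presumably nothing on screen to show what is stuck. Consider adding a bound such as `timeout=<seconds>,` (placeholder value) next to `check=True,`; `subprocess.TimeoutExpired` would be caught by the existing `except Exception` and reported through the same message. The enclosing method starts and ends outside the hunk.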
From: Alex Pyrgiotis
Date: Mon, 23 Sep 2024 18:03:57 +0300
Subject: [PATCH 4/9] Pin gVisor to the last working release Temporarily pin gVisor to the latest working version (`release-20240826.0`), since the latest one breaks our container image. Refs #928
---
 Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 9988660..3c33f4f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -88,7 +88,9 @@ FROM alpine:latest
 RUN apk --no-cache -U upgrade && \
 apk --no-cache add python3
-RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/latest/$(uname -m)"; \
+# Temporarily pin gVisor to the latest working version (release-20240826.0).
+# See: https://github.com/freedomofpress/dangerzone/issues/928
+RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/20240826/$(uname -m)"; \
 wget "${GVISOR_URL}/runsc" "${GVISOR_URL}/runsc.sha512" && \
 sha512sum -c runsc.sha512 && \
 rm -f runsc.sha512 && \
From 4423fc6232e7df607cf8e783ff90479b05a5d51d Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis
Date: Fri, 27 Sep 2024 13:22:07 +0300
Subject: [PATCH 5/9] Handle multiple image IDs in the `image-ids.txt` file. Docker Desktop 4.30.0 uses the containerd image store by default, which generates different IDs for the images, and as a result breaks the logic we are using when verifying the images IDs are present. Now, multiple IDs can be stored in the `image-id.txt` file. Fixes #933
---
 dangerzone/isolation_provider/container.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dangerzone/isolation_provider/container.py b/dangerzone/isolation_provider/container.py
index 76c4aa0..099c15b 100644
--- a/dangerzone/isolation_provider/container.py
+++ b/dangerzone/isolation_provider/container.py
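Review bot: In the Dockerfile hunk, `runsc.sha512` is still downloaded from the same bucket path as `runsc`, so `sha512sum -c runsc.sha512` only catches a corrupted transfer; whoever can replace the binary at that URL can replace the checksum with it. Now that the release is pinned to `20240826`, the expected digest can be committed to the repository and checked instead, e.g. `echo "<sha512-of-pinned-runsc>  runsc" | sha512sum -c` (one digest per `$(uname -m)` value that is built). The new comment should also say that the pin keeps gVisor at that release, so later upstream fixes are not picked up until #928 is resolved. The RUN instruction continues past the end of the hunk.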
@@ -194,7 +194,7 @@ class Container(IsolationProvider):
 """
 # Get the image id
 with open(get_resource_path("image-id.txt")) as f:
- expected_image_id = f.read().strip()
+ expected_image_ids = f.read().strip().split()
 # See if this image is already installed
 installed = False
@@ -212,7 +212,7 @@ class Container(IsolationProvider):
 )
 found_image_id = found_image_id.strip()
- if found_image_id == expected_image_id:
+ if found_image_id in expected_image_ids:
 installed = True
 elif found_image_id == "":
 pass
From fb2f4ce695cf11a05152921adb8ab8519a072c87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?=
Date: Mon, 30 Sep 2024 12:20:49 +0200
Subject: [PATCH 6/9] Add 0.7.1 to the CHANGELOG
---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 60fc9a9..32a4b1e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.7.1](https://github.com/freedomofpress/dangerzone/compare/v0.7.1...v0.7.0)
+
+- Fix an `image-id.txt` mismatch happening on Docker Desktop >= 4.30.0 ([#933](https://github.com/freedomofpress/dangerzone/issues/933))
+
 ## [0.7.0](https://github.com/freedomofpress/dangerzone/compare/v0.7.0...v0.6.1)
 ### Added
From 9117ba5d6c1b72efeb1a0b190694f72d2bf05494 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?=
Date: Mon, 30 Sep 2024 12:22:18 +0200
Subject: [PATCH 7/9] Bump version to 0.7.1
---
 install/linux/dangerzone.spec | 4 ++--
 pyproject.toml | 2 +-
 share/version.txt | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/install/linux/dangerzone.spec b/install/linux/dangerzone.spec
index 0da0662..6a47843 100644
--- a/install/linux/dangerzone.spec
+++ b/install/linux/dangerzone.spec
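Review bot: The comment `# Get the image id` in the first container.py hunk is now stale, and nothing in the code says what `image-id.txt` may contain or why more than one ID is accepted. Since this comparison decides whether an already-installed image is treated as the bundled sandbox image, I would state the contract at the read, e.g. `# image-id.txt lists one or more whitespace-separated IDs of the bundled image (presumably one per image store); a match on any of them counts as installed.` The same applies to the `in expected_image_ids` test in the second hunk: every ID added to that file widens what is accepted, so the file should only ever hold IDs of the same build. The `.strip()` before `.split()` is redundant and can be dropped. The enclosing method starts and ends outside both hunks.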
@@ -32,8 +32,8 @@ Name: dangerzone-qubes
 Name: dangerzone
 %endif
-Version: 0.7.0
-Release: 2%{?dist}
+Version: 0.7.1
+Release: 1%{?dist}
 Summary: Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs
 License: AGPL-3.0
diff --git a/pyproject.toml b/pyproject.toml
index 642c34c..d2af14c 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "dangerzone"
-version = "0.7.0"
+version = "0.7.1"
 description = "Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs"
 authors = ["Freedom of the Press Foundation ", "Micah Lee "]
 license = "AGPL-3.0"
diff --git a/share/version.txt b/share/version.txt
index faef31a..39e898a 100644
--- a/share/version.txt
+++ b/share/version.txt
@@ -1 +1 @@
-0.7.0
+0.7.1
From 2371d1c23cda5bf745cb6cd26ed7c0c38fc2794e Mon Sep 17 00:00:00 2001
From: Alex Pyrgiotis
Date: Mon, 30 Sep 2024 15:44:19 +0300
Subject: [PATCH 8/9] Add release note for containerd graph driver Fixes #933
---
 RELEASE.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/RELEASE.md b/RELEASE.md
index b724f60..cace36a 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -271,6 +271,8 @@ should point the user to the Qubes notifications in the top-right corner:
 - [ ] Verify and checkout the git tag for this release
 - [ ] Run `poetry install`
 - [ ] Run `poetry run ./install/macos/build-app.py`; this will make `dist/Dangerzone.app`
+- [ ] Make sure that the build application works with the containerd graph
+ driver (see [#933](https://github.com/freedomofpress/dangerzone/issues/933))
 - [ ] Run `poetry run ./install/macos/build-app.py --only-codesign`; this will make `dist/Dangerzone.dmg`
 * You need to run this command as the account that has access to the code signing certificate
 * You must run this command from the MacOS UI, from a terminal application.
@@ -314,7 +316,10 @@ The Windows release is performed in a Windows 11 virtual machine as opposed to a
 - [ ] Run `poetry install`
 - [ ] Copy the container image into the VM
 > [!IMPORTANT]
- > Instead of running `python .\install\windows\build-image.py` in the VM, run the build image script on the host (making sure to build for `linux/amd64`). Copy `share/container.tar.gz` and `share/image-id.txt` from the host into the `share` folder in the VM
+ > Instead of running `python .\install\windows\build-image.py` in the VM, run the build image script on the host (making sure to build for `linux/amd64`). Copy `share/container.tar.gz` and `share/image-id.txt` from the host into the `share` folder in the VM.
+ > Also, don't forget to add the supplementary image ID (see
+ > [#933](https://github.com/freedomofpress/dangerzone/issues/933)) in
+ > `share/image-id.txt`)
 - [ ] Run `poetry run .\install\windows\build-app.bat`
 - [ ] When you're done you will have `dist\Dangerzone.msi`
From eee405e29e5a6de073efa4006798e34a8611d11a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexis=20M=C3=A9taireau?=
Date: Tue, 1 Oct 2024 12:58:11 +0200
Subject: [PATCH 9/9] Update download links to use 0.7.1
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 7f613dc..9c32c7b 100644
--- a/README.md
+++ b/README.md
@@ -13,8 +13,8 @@ _Read more about Dangerzone in the [official site](https://dangerzone.rocks/abou
 ## Getting started
 ### MacOS
-- Download [Dangerzone 0.6.1 for Mac (Apple Silicon CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.6.1/Dangerzone-0.6.1-arm64.dmg)
-- Download [Dangerzone 0.6.1 for Mac (Intel CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.6.1/Dangerzone-0.6.1-i686.dmg)
+- Download [Dangerzone 0.7.1 for Mac (Apple Silicon CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.7.1/Dangerzone-0.7.1-arm64.dmg)
+- Download [Dangerzone 0.7.1 for Mac (Intel CPU)](https://github.com/freedomofpress/dangerzone/releases/download/v0.7.1/Dangerzone-0.7.1-i686.dmg)
 You can also install Dangerzone for Mac using [Homebrew](https://brew.sh/): `brew install --cask dangerzone`
@@ -24,7 +24,7 @@ You can also install Dangerzone for Mac using [Homebrew](https://brew.sh/): `bre
 ### Windows
-- Download [Dangerzone 0.6.1 for Windows](https://github.com/freedomofpress/dangerzone/releases/download/v0.6.1/Dangerzone-0.6.1.msi)
+- Download [Dangerzone 0.7.1 for Windows](https://github.com/freedomofpress/dangerzone/releases/download/v0.7.1/Dangerzone-0.7.1.msi)
 > **Note**: you will also need to install [Docker Desktop](https://www.docker.com/products/docker-desktop/).
 > This program needs to run alongside Dangerzone at all times, since it is what allows Dangerzone to