almet/dangerzone
1
0
Fork 0
mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-28 18:02:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

Move container security arg to proper place

Browse source 
Now that #748 has been merged, we can move the `--userns nomap` argument
to the list with the rest of our security arguments.
This commit is contained in:
Alex Pyrgiotis 2024-12-04 17:34:19 +02:00
parent 0383081394
commit ec9f8835e0
No known key found for this signature in database
GPG key ID: B6C15EBA0357C9AA
1 changed files with 3 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
dangerzone/isolation_provider/container.py
View file

@ -46,12 +46,12 @@ class Container(IsolationProvider):
* Do not log the container's output. * Do not log the container's output.
* Do not map the host user to the container, with `--userns nomap` (available * Do not map the host user to the container, with `--userns nomap` (available
from Podman 4.1 onwards) from Podman 4.1 onwards)
- This particular argument is specified in `start_doc_to_pixels_proc()`, but
should move here once #748 is merged.
""" """
if container_utils.get_runtime_name() == "podman": if container_utils.get_runtime_name() == "podman":
security_args = ["--log-driver", "none"] security_args = ["--log-driver", "none"]
security_args += ["--security-opt", "no-new-privileges"] security_args += ["--security-opt", "no-new-privileges"]
if container_utils.get_runtime_version() >= (4, 1):
security_args += ["--userns", "nomap"]
else: else:
security_args = ["--security-opt=no-new-privileges:true"] security_args = ["--security-opt=no-new-privileges:true"]
@ -165,7 +165,6 @@ class Container(IsolationProvider):
self, self,
command: List[str], command: List[str],
name: str, name: str,
extra_args: List[str] = [],
) -> subprocess.Popen: ) -> subprocess.Popen:
container_runtime = container_utils.get_runtime() container_runtime = container_utils.get_runtime()
security_args = self.get_runtime_security_args() security_args = self.get_runtime_security_args()
@ -230,15 +229,8 @@ class Container(IsolationProvider):
"-m", "-m",
"dangerzone.conversion.doc_to_pixels", "dangerzone.conversion.doc_to_pixels",
] ]
# NOTE: Using `--userns nomap` is available only on Podman >= 4.1.0.
# XXX: Move this under `get_runtime_security_args()` once #748 is merged.
extra_args = []
if container_utils.get_runtime_name() == "podman":
if container_utils.get_runtime_version() >= (4, 1):
extra_args += ["--userns", "nomap"]
name = self.doc_to_pixels_container_name(document) name = self.doc_to_pixels_container_name(document)
return self.exec_container(command, name=name, extra_args=extra_args) return self.exec_container(command, name=name)
def terminate_doc_to_pixels_proc( def terminate_doc_to_pixels_proc(
self, document: Document, p: subprocess.Popen self, document: Document, p: subprocess.Popen