Merge 6cb9f46cae into 5ed4a048a0

Do not close stderr as part of the Qubes termination logic, since we
need to read the debug logs. This shouldn't affect typical termination
scenarios, since we expect our disposable qube to be either busy reading
from stdin, or writing to stdout. If this is not the case, then
forcefully killing the `qrexec-client-vm` process should unblock the
qube.

.github/workflows/scan_released.yml

@@ -6,14 +6,21 @@ on:
 
 jobs:
   security-scan-container:
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - runs-on: ubuntu-latest
+            arch: i686
+          - runs-on: macos-latest
+            arch: arm64
+    runs-on: ${{ matrix.runs-on }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Download container image for the latest release
         run: |
           VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
-          wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/container.tar.gz
+          wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/container.${{ matrix.arch }}.tar.gz -O container.tar.gz
       - name: Load container image
         run: docker load -i container.tar.gz
       # NOTE: Scan first without failing, else we won't be able to read the scan
@@ -30,7 +37,7 @@ jobs:
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ steps.scan_container.outputs.sarif }}
-          category: container
+          category: container-${{ matrix.arch }}
       - name: Inspect container scan report
         run: cat ${{ steps.scan_container.outputs.sarif }}
       - name: Scan container image

dangerzone/isolation_provider/container.py

@@ -248,7 +248,7 @@ class Container(IsolationProvider):
         else:
             msg = (
                 f"{Container.CONTAINER_NAME} images found, but IDs do not match."
-                f"Found: {found_image_id}, Expected: {','.join(expected_image_ids)}"
+                f" Found: {found_image_id}, Expected: {','.join(expected_image_ids)}"
             )
             if raise_on_error:
                 raise ImageNotPresentException(msg)

dangerzone/isolation_provider/qubes.py

@@ -70,14 +70,18 @@ class Qubes(IsolationProvider):
         standard streams explicitly, so that we can afterwards use `Popen.wait()` to
         learn if the qube terminated.
 
+        Note that we don't close the stderr stream because we want to read debug logs
+        from it. In the rare case where a qube cannot terminate because it's stuck
+        writing at stderr (this is not the expected behavior), we expect that the
+        process will still be forcefully killed after the soft termination timeout
+        expires.
+
         [1]: https://github.com/freedomofpress/dangerzone/issues/563#issuecomment-2034803232
         """
         if p.stdin:
             p.stdin.close()
         if p.stdout:
             p.stdout.close()
-        if p.stderr:
-            p.stderr.close()
 
     def teleport_dz_module(self, wpipe: IO[bytes]) -> None:
         """Send the dangerzone module to another qube, as a zipfile."""