dangerzone

mirror of https://github.com/freedomofpress/dangerzone.git synced 2025-04-29 10:12:38 +02:00

History

Etienne Perot 73b0f8b7d4 Disable gVisor's DirectFS feature. DirectFS is enabled by default in gVisor to improve I/O performance, but comes at the cost of enabling the `openat(2)` syscall (with severe restrictions, but still). As Dangerzone is not performance-sensitive, and that it is desirable to guarantee for the document conversion process to not open any files (to mimic some of what SELinux provides), might as well disable it by default. See #226.	2024-09-10 17:32:31 +03:00
..
entrypoint.py	Disable gVisor's DirectFS feature.	2024-09-10 17:32:31 +03:00

DirectFS is enabled by default in gVisor to improve I/O performance,
but comes at the cost of enabling the `openat(2)` syscall (with severe
restrictions, but still). As Dangerzone is not performance-sensitive,
and that it is desirable to guarantee for the document conversion
process to not open any files (to mimic some of what SELinux provides),
might as well disable it by default.

See #226.

2024-09-10 17:32:31 +03:00

entrypoint.py

Disable gVisor's DirectFS feature.

2024-09-10 17:32:31 +03:00