From 7b1a09253c9f6e9a098616d94b3c31fc6cbf466b Mon Sep 17 00:00:00 2001 From: Alex Pyrgiotis Date: Wed, 4 Dec 2024 17:34:19 +0200 Subject: [PATCH] Move container security arg to proper place Now that #748 has been merged, we can move the `--userns nomap` argument to the list with the rest of our security arguments. --- dangerzone/isolation_provider/container.py | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) diff --git a/dangerzone/isolation_provider/container.py b/dangerzone/isolation_provider/container.py index 878c7d333..72da7ae89 100644 --- a/dangerzone/isolation_provider/container.py +++ b/dangerzone/isolation_provider/container.py @@ -46,12 +46,12 @@ def get_runtime_security_args() -> List[str]: * Do not log the container's output. * Do not map the host user to the container, with `--userns nomap` (available from Podman 4.1 onwards) - - This particular argument is specified in `start_doc_to_pixels_proc()`, but - should move here once #748 is merged. """ if container_utils.get_runtime_name() == "podman": security_args = ["--log-driver", "none"] security_args += ["--security-opt", "no-new-privileges"] + if container_utils.get_runtime_version() >= (4, 1): + security_args += ["--userns", "nomap"] else: security_args = ["--security-opt=no-new-privileges:true"] @@ -173,7 +173,6 @@ def exec_container( self, command: List[str], name: str, - extra_args: List[str] = [], ) -> subprocess.Popen: container_runtime = container_utils.get_runtime() security_args = self.get_runtime_security_args() @@ -186,7 +185,6 @@ def exec_container( + prevent_leakage_args + enable_stdin + set_name - + extra_args + [container_utils.CONTAINER_NAME] + command ) 
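Review bot: In the first hunk, the added `if container_utils.get_runtime_version() >= (4, 1):` in `get_runtime_security_args()` has no fallback, so on Podman older than 4.1 the host user stays mapped into the container and nothing records that the hardening was skipped. I would at least add a comment above the check, `# Podman < 4.1 has no "nomap" mode; the host user stays mapped into the container there.`, and preferably emit a warning through the module's logger in that case so a weaker sandbox is visible in the logs. Moving the flag here also means every caller of this function now receives `--userns nomap`, not only `start_doc_to_pixels_proc()`. Those callers are outside the hunks shown, so please confirm none of them depends on the default user-namespace mapping. The function body continues past the end of this hunk.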
@@ -236,15 +234,8 @@ def start_doc_to_pixels_proc(self, document: Document) -> subprocess.Popen: "-m", "dangerzone.conversion.doc_to_pixels", ] - # NOTE: Using `--userns nomap` is available only on Podman >= 4.1.0. - # XXX: Move this under `get_runtime_security_args()` once #748 is merged. - extra_args = [] - if container_utils.get_runtime_name() == "podman": - if container_utils.get_runtime_version() >= (4, 1): - extra_args += ["--userns", "nomap"] - name = self.doc_to_pixels_container_name(document) - return self.exec_container(command, name=name, extra_args=extra_args) + return self.exec_container(command, name=name) def terminate_doc_to_pixels_proc( self, document: Document, p: subprocess.Popen
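Review bot: Nothing in this patch pins that the container launched by `return self.exec_container(command, name=name)` still gets `--userns nomap` now that the flag is no longer built at this call site; the diffstat lists only `container.py`. A unit test that stubs `container_utils.get_runtime_name()` and `container_utils.get_runtime_version()` would catch a later regression in the sandbox arguments. It should assert that `["--userns", "nomap"]` appears in `get_runtime_security_args()` for Podman at or above (4, 1) and is absent below it. The start of `start_doc_to_pixels_proc()` lies outside this hunk.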