Skip to content

Commit

Permalink
Move container security arg to proper place
Browse files Browse the repository at this point in the history
Now that #748 has been merged, we can move the `--userns nomap` argument
to the list with the rest of our security arguments.
  • Loading branch information
apyrgio committed Dec 4, 2024
1 parent e7cd6e3 commit eefe7c1
Showing 1 changed file with 3 additions and 12 deletions.
15 changes: 3 additions & 12 deletions dangerzone/isolation_provider/container.py
Original file line number Diff line number Diff line change
@@ -46,12 +46,12 @@ def get_runtime_security_args() -> List[str]:
* Do not log the container's output.
* Do not map the host user to the container, with `--userns nomap` (available
from Podman 4.1 onwards)
- This particular argument is specified in `start_doc_to_pixels_proc()`, but
should move here once #748 is merged.
"""
if container_utils.get_runtime_name() == "podman":
security_args = ["--log-driver", "none"]
security_args += ["--security-opt", "no-new-privileges"]
if container_utils.get_runtime_version() >= (4, 1):
security_args += ["--userns", "nomap"]
else:
security_args = ["--security-opt=no-new-privileges:true"]

@@ -173,7 +173,6 @@ def exec_container(
self,
command: List[str],
name: str,
extra_args: List[str] = [],
) -> subprocess.Popen:
container_runtime = container_utils.get_runtime()
security_args = self.get_runtime_security_args()
@@ -186,7 +185,6 @@ def exec_container(
+ prevent_leakage_args
+ enable_stdin
+ set_name
+ extra_args
+ [container_utils.CONTAINER_NAME]
+ command
)
@@ -236,15 +234,8 @@ def start_doc_to_pixels_proc(self, document: Document) -> subprocess.Popen:
"-m",
"dangerzone.conversion.doc_to_pixels",
]
# NOTE: Using `--userns nomap` is available only on Podman >= 4.1.0.
# XXX: Move this under `get_runtime_security_args()` once #748 is merged.
extra_args = []
if container_utils.get_runtime_name() == "podman":
if container_utils.get_runtime_version() >= (4, 1):
extra_args += ["--userns", "nomap"]

name = self.doc_to_pixels_container_name(document)
return self.exec_container(command, name=name, extra_args=extra_args)
return self.exec_container(command, name=name)

def terminate_doc_to_pixels_proc(
self, document: Document, p: subprocess.Popen

0 comments on commit eefe7c1

Please sign in to comment.