Always use our own seccomp policy as a default.

As per Etienne Perot's comment on #908: > Then it seems to me like it would be easy to simply apply this seccomp profile under all container runtimes (since there's no reason why the same image and the same command-line would call different syscalls under different container runtimes).
freedomofpress · Sep 20, 2024 · f2b04ba · f2b04ba
1 parent c3c7fbb
commit f2b04ba
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 17 deletions.
diff --git a/dangerzone/gui/logic.py b/dangerzone/gui/logic.py
@@ -139,9 +139,9 @@ def _find_pdf_viewers(self) -> OrderedDict[str, str]:
                                     "application/pdf" in desktop_entry.getMimeTypes()
                                     and "dangerzone" not in desktop_entry_name.lower()
                                 ):
-                                    pdf_viewers[desktop_entry_name] = (
-                                        desktop_entry.getExec()
-                                    )
+                                    pdf_viewers[
+                                        desktop_entry_name
+                                    ] = desktop_entry.getExec()
 
                                     # Put the default entry first
                                     if filename == default_pdf_viewer:

diff --git a/dangerzone/isolation_provider/container.py b/dangerzone/isolation_provider/container.py
@@ -126,21 +126,13 @@ def get_runtime_security_args() -> List[str]:
         if Container.get_runtime_name() == "podman":
             security_args = ["--log-driver", "none"]
             security_args += ["--security-opt", "no-new-privileges"]
-
-            # NOTE: Ubuntu Focal/Jammy have Podman version 3, and their seccomp policy
-            # does not include the `ptrace()` syscall. This system call is required for
-            # running gVisor, so we enforce a newer seccomp policy file in that case.
-            #
-            # See also https://github.com/freedomofpress/dangerzone/issues/846
-            if Container.get_runtime_version() < (4, 0):
-                security_args += custom_seccomp_policy_arg
         else:
             security_args = ["--security-opt=no-new-privileges:true"]
-            # Older Docker Desktop versions may have a seccomp policy that does not
-            # allow `ptrace(2)`. In these cases, we specify our own. See:
-            # https://github.com/freedomofpress/dangerzone/issues/846
-            if Container.get_runtime_version() < (25, 0):
-                security_args += custom_seccomp_policy_arg
+
+        # We specify a custom seccomp policy, because on some container engines, the
+        # default policy might not allow `ptrace(2)`.
+        # See https://github.com/freedomofpress/dangerzone/issues/846
+        security_args += custom_seccomp_policy_arg
 
         security_args += ["--cap-drop", "all"]
         security_args += ["--cap-add", "SYS_CHROOT"]

diff --git a/tests/isolation_provider/test_container.py b/tests/isolation_provider/test_container.py
@@ -54,7 +54,6 @@ class TestContainer(IsolationProviderTest):
 
 
 class TestContainerTermination(IsolationProviderTermination):
-
     def test_linger_runtime_kill(
         self,
         provider_wait: base.IsolationProvider,
-Original file line number
+Diff line change
@@ Expand Up / @@ -54,7 +54,6 @@ class TestContainer(IsolationProviderTest): @@
     class TestContainerTermination(IsolationProviderTermination):
         def test_linger_runtime_kill(
             self,
             provider_wait: base.IsolationProvider,
@@ Expand Down @@