```python
import platform
import shutil
from pathlib import Path, PurePosixPath

# get_runtime_version(), get_resource_path() and SECCOMP_PATH are defined
# elsewhere in the Dangerzone code base; they are not shown in this excerpt.


def make_seccomp_json_accessible() -> Path | PurePosixPath:
    """Ensure that the bundled seccomp profile is accessible by the runtime.

    On Linux platforms, this method is basically a no-op since there's no VM
    involved.

    If the container runtime is Docker Desktop, then this method is a no-op as well,
    because it knows how to pass this file to the VM.

    If the container runtime is Podman on Windows/macOS, then we need to copy the
    file to a place where it will be mounted in the Podman machine. Typically, the
    user directory is mounted in the VM [1], so we opt to copy the seccomp profile to
    the cache dir for Dangerzone, which is within the user directory.

    For Windows, we have to be extra careful and translate the file path to the
    equivalent in the WSL2 VM [2].

    [1] https://github.com/containers/podman/issues/26558
    [2] Read about the 'volumes=' config in
        https://github.com/containers/common/blob/main/docs/containers.conf.5.md#machine-table
    """
    if get_runtime_version() < (4, 0):
        # On OSes that use:
        #
        # * crun < 0.19
        # * runc < 1.0.0-rc95
        # * golang-github-containers-common [0] < v0.40.0
        #
        # the "mseal" system call _may_ be denied with ENOPERM, rather than the
        # expected ENOSYS, making the conversions fail [1].
        #
        # Currently, we are aware that the affected OSes are Ubuntu Jammy.
        # Since it's not easy to test for every version of the above packages, we
        # choose a simpler heuristic to check if Podman is _potentially_ affected. If
        # the Podman version is >= 4.0, which was released 6 months after these
        # versions, in all likelihood it's not affected. Podman versions prior to 4.0
        # _may_ be affected, and currently include only Ubuntu Jammy.
        #
        # For affected Podman versions, we use a separate seccomp policy to allow
        # unknown syscalls, so that the kernel can fail them with ENOSYS.
        #
        # [0] https://github.com/containers/common/
        # [1] For more information, have a look at
        #     https://github.com/freedomofpress/dangerzone/issues/1201
        src = get_resource_path("seccomp.gvisor.permissive.json")
    else:
        src = get_resource_path("seccomp.gvisor.json")

    if platform.system() == "Linux":
        return src
    else:
        SECCOMP_PATH.parent.mkdir(parents=True, exist_ok=True)
        # This file will be overwritten on every conversion, which is unnecessary, but
        # the copy operation should be quick.
        shutil.copy(src, SECCOMP_PATH)
        if platform.system() == "Windows":
            # Translate the Windows path on the host to the WSL2 path on the VM. That
            # is, change backslashes to forward slashes, and replace 'C:/' with
```