github.com/freedomofpress/dangerzone

Function make_seccomp_json_accessible

dangerzone/container_utils.py:78–139

Ensure that the bundled seccomp profile is accessible by the runtime. On Linux platforms, this method is basically a no-op since there's no VM involved. If the container runtime is Docker Desktop, then this method is a no-op as well, because it knows how to pass this file to the VM.


```python
import platform
import shutil
from pathlib import Path, PurePosixPath


def make_seccomp_json_accessible() -> Path | PurePosixPath:
    """Ensure that the bundled seccomp profile is accessible by the runtime.

    On Linux platforms, this method is basically a no-op since there's no VM
    involved.

    If the container runtime is Docker Desktop, then this method is a no-op as well,
    because it knows how to pass this file to the VM.

    If the container runtime is Podman on Windows/macOS, then we need to copy the
    file to a place where it will be mounted in the Podman machine. Typically, the
    user directory is mounted in the VM [1], so we opt to copy the seccomp profile to
    the cache dir for Dangerzone, which is within the user directory.

    For Windows, we have to be extra careful and translate the file path to the
    equivalent in the WSL2 VM [2].

    [1] https://github.com/containers/podman/issues/26558
    [2] Read about the 'volumes=' config in
        https://github.com/containers/common/blob/main/docs/containers.conf.5.md#machine-table
    """
    if get_runtime_version() < (4, 0):
        # On OSes that use:
        #
        # * crun < 0.19
        # * runc < 1.0.0-rc95
        # * golang-github-containers-common [0] < v0.40.0
        #
        # the "mseal" system call _may_ be denied with ENOPERM, rather than the
        # expected ENOSYS, making the conversions fail [1].
        #
        # Currently, we are aware that the affected OSes are Ubuntu Jammy.
        # Since it's not easy to test for every version of the above packages, we
        # choose a simpler heuristic to check if Podman is _potentially_ affected. If
        # the Podman version is >= 4.0, which was released 6 months after these
        # versions, in all likelihood it's not affected. Podman versions prior to 4.0
        # _may_ be affected, and currently include only Ubuntu Jammy.
        #
        # For affected Podman versions, we use a separate seccomp policy to allow
        # unknown syscalls, so that the kernel can fail them with ENOSYS.
        #
        # [0] https://github.com/containers/common/
        # [1] For more information, have a look at
        #     https://github.com/freedomofpress/dangerzone/issues/1201
        src = get_resource_path("seccomp.gvisor.permissive.json")
    else:
        src = get_resource_path("seccomp.gvisor.json")

    if platform.system() == "Linux":
        return src
    else:
        SECCOMP_PATH.parent.mkdir(parents=True, exist_ok=True)
        # This file will be overwritten on every conversion, which is unnecessary, but
        # the copy operation should be quick.
        shutil.copy(src, SECCOMP_PATH)
        if platform.system() == "Windows":
            # Translate the Windows path on the host to the WSL2 path on the VM. That
            # is, change backslashes to forward slashes, and replace 'C:/' with
```

Callers: 1

Calls: 2
- get_runtime_version (function)
- get_resource_path (function)

Tested by: no test coverage detected