
Sandbox all document processing in gVisor #590

Merged (4 commits, Jun 12, 2024)

Commits on Jun 12, 2024

  1. Use TESSDATA_PREFIX if explicitly passed

    Our logic for detecting the appropriate Tesseract data directory should
    also take into account the canonical envvar, if explicitly passed.
    apyrgio committed Jun 12, 2024
    cf9a545
  2. Get container runtime version

    Get the (major, minor) parts of the Docker/Podman version, to check if
    some specific features can be used, or if we need a fallback. These
    features are related to the upcoming gVisor integration, and will be
    added in subsequent commits.
    apyrgio committed Jun 12, 2024
    7179d6f
  3. Add Podman's default seccomp policy

    Add Podman's default seccomp policy as of 2024-06-10 [1]. This policy
    will be used in subsequent commits in platforms with Podman version 3,
    whose seccomp policy does not allow the `ptrace()` syscall.
    
    [1] https://github.com/containers/common/blob/d3283f8401eeeb21f3c59a425b5461f069e199a7/pkg/seccomp/seccomp.json
    apyrgio committed Jun 12, 2024
    e005ea3
  4. Sandbox all Dangerzone document processing within gVisor.

    This wraps the existing container image inside a gVisor-based sandbox.
    
    gVisor is an open-source OCI-compliant container runtime.
    It is a userspace reimplementation of the Linux kernel in a
    memory-safe language.
    
    It works by creating a sandboxed environment in which regular Linux
    applications run, but their system calls are intercepted by gVisor.
    gVisor then redirects these system calls and reinterprets them in
    its own kernel. This means the host Linux kernel is isolated
    from the sandboxed application, thereby providing protection against
    Linux container escape attacks.
    
    It also uses `seccomp-bpf` to provide a secondary layer of defense
    against container escapes. Even if its userspace kernel gets
    compromised, attackers would have to additionally have a Linux
    container escape vector, and that exploit would have to fit within
    the restricted `seccomp-bpf` rules that gVisor adds on itself.
    
    Fixes freedomofpress#126
    Fixes freedomofpress#224
    Fixes freedomofpress#225
    Fixes freedomofpress#228
    EtiennePerot authored and apyrgio committed Jun 12, 2024
    f03bc71
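As an added example, not Dangerzone's own code and not part of this PR, the following Python shows the two host-side checks that commits 2 and 3 describe: parsing the Docker/Podman version into a `(major, minor)` tuple with a fallback when parsing fails, deciding whether an explicit seccomp profile has to be passed, and verifying that a seccomp profile in the containers-common JSON shape actually allows `ptrace()` for the running kernel. The rule that Podman 4+ and Docker do not need the custom profile is an assumption for this example (the PR only says Podman 3's default policy lacks `ptrace()`), the helper names are hypothetical, and `SAMPLE_PROFILE` is a constructed, cut-down stand-in for Podman's real default policy. The gVisor wrapping of the image itself (commit 4) is not reproduced here.

```python
"""Added example, not Dangerzone's own code: parse the container runtime
version into (major, minor), decide whether an explicit seccomp profile must
be passed, and verify that the profile really allows ptrace().

Assumptions (not taken from the PR): Podman 4+ and Docker are treated as not
needing the custom profile; SAMPLE_PROFILE is a constructed, cut-down
stand-in for Podman's real default policy."""
import re
from typing import Iterable, Optional

# Matches the leading "major.minor" of strings such as "4.9.3", "3.4.4-dev",
# "24.0.7" (the output of `podman version --format '{{.Client.Version}}'` or
# `docker version --format '{{.Server.Version}}'`) or a kernel release such
# as "6.1.0-13-amd64".
_MAJOR_MINOR = re.compile(r"^\s*v?(\d+)\.(\d+)")


def parse_major_minor(text: str) -> Optional[tuple[int, int]]:
    """(major, minor) from a version or release string, None if unparseable."""
    m = _MAJOR_MINOR.match(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def needs_custom_seccomp(runtime: str, version: Optional[tuple[int, int]]) -> bool:
    """Podman 3's default profile does not allow ptrace() (commit 3 above).
    Assumption: Podman >= 4 and Docker ship a profile that does. An
    unparseable version falls back to passing the profile explicitly, which
    is the conservative choice."""
    if version is None:
        return True
    return runtime == "podman" and version < (4, 0)


def run_args(runtime: str, version_output: str, profile_path: str) -> list[str]:
    """Build the `<runtime> run ...` prefix, adding --security-opt when needed.
    Hypothetical helper; Dangerzone's real command line is not shown here."""
    args = [runtime, "run", "--rm"]
    if needs_custom_seccomp(runtime, parse_major_minor(version_output)):
        args += ["--security-opt", f"seccomp={profile_path}"]
    return args


# Constructed, cut-down profile in the containers-common seccomp.json shape.
# The real Podman policy is far longer; this keeps just enough to exercise
# the default action, a minKernel condition and a caps condition.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW", "args": [],
         "includes": {"minKernel": "4.8"}},
        {"names": ["mount", "umount2"], "action": "SCMP_ACT_ALLOW", "args": [],
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
}


def syscall_allowed(profile: dict, name: str, kernel: str = "6.1",
                    caps: Iterable[str] = ()) -> bool:
    """True if `name` hits an SCMP_ACT_ALLOW rule whose `includes` conditions
    hold for this kernel and capability set. Only `minKernel` and `caps`
    (any-of, as containers-common evaluates them) are modelled; `excludes`
    and per-argument filters are ignored, so this is a sanity check on a
    profile, not a full seccomp evaluator."""
    have_caps = set(caps)
    running = parse_major_minor(kernel) or (0, 0)
    for rule in profile.get("syscalls", []):
        if name not in rule.get("names", []):
            continue
        inc = rule.get("includes", {})
        min_kernel = parse_major_minor(inc.get("minKernel", "") or "")
        if min_kernel and running < min_kernel:
            continue
        need_caps = inc.get("caps")
        if need_caps and not have_caps.intersection(need_caps):
            continue
        return rule.get("action") == "SCMP_ACT_ALLOW"
    return profile.get("defaultAction") == "SCMP_ACT_ALLOW"


if __name__ == "__main__":
    print(run_args("podman", "3.4.4", "/etc/dangerzone/seccomp.json"))
    print("ptrace allowed on 6.1:", syscall_allowed(SAMPLE_PROFILE, "ptrace"))
```

Before trusting a bundled policy such as the one added in commit 3, run `syscall_allowed(json.load(open(path)), "ptrace", kernel=platform.release())` against the actual file: the `ptrace` rule in Podman's profile carries a `minKernel` condition, so a policy that looks correct in the JSON can still deny the call on an old kernel.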