container: Take SELinux labels into account

Take SELinux labels into account when mounting a file to the Dangerzone container. Use the `:Z` flag (which is a no-op in non-SELinux systems) to clear the existing SELinux label for a file, and apply one that matches the container's. Refs #335
freedomofpress · Feb 8, 2023 · 2072458 · 2072458
1 parent ebef341
commit 2072458
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/dangerzone/isolation_provider/container.py b/dangerzone/isolation_provider/container.py
@@ -265,9 +265,9 @@ def _convert_with_tmpdirs(
  ]
  extra_args = [
  "-v",
- f"{document.input_filename}:/tmp/input_file",
+ f"{document.input_filename}:/tmp/input_file:Z",
  "-v",
- f"{pixel_dir}:/dangerzone",
+ f"{pixel_dir}:/dangerzone:Z",
  ]
  ret = self.exec_container(document, command, extra_args, stdout_callback)
  if ret != 0:
@@ -283,9 +283,9 @@ def _convert_with_tmpdirs(
  ]
  extra_args = [
  "-v",
- f"{pixel_dir}:/dangerzone",
+ f"{pixel_dir}:/dangerzone:Z",
  "-v",
- f"{safe_dir}:/safezone",
+ f"{safe_dir}:/safezone:Z",
  "-e",
  f"OCR={ocr}",
  "-e",