Sandbox all document processing in gVisor

CHANGELOG.md

@@ -12,6 +12,15 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 - Fix a deprecation warning in PySide6, thanks to [@naglis](https://github.com/naglis) ([issue #595](https://github.com/freedomofpress/dangerzone/issues/595))
 - Make update notifications work in systems with PySide2, thanks to [@naglis](https://github.com/naglis) ([issue #788](https://github.com/freedomofpress/dangerzone/issues/788))
 
+### Security
+
+- Integrate Dangerzone with gVisor, a memory-safe application kernel, thanks to [@EtiennePerot](https://github.com/EtiennePerot) ([#126](https://github.com/freedomofpress/dangerzone/issues/126))
+ As a result of this integration, we have also improved Dangerzone's security
+ in the following ways:
+ * Prevent attacker from becoming root within the container ([#224](https://github.com/freedomofpress/dangerzone/issues/224))
+ * Use a restricted seccomp profile ([#225](https://github.com/freedomofpress/dangerzone/issues/225))
+ * Make use of user namespaces ([#228](https://github.com/freedomofpress/dangerzone/issues/228))
+
 ## Dangerzone 0.6.1
 
 ### Added

Dockerfile

@@ -50,7 +50,7 @@ RUN mkdir /libreoffice_ext && cd libreoffice_ext \
 ###########################################
 # Dangerzone image
 
-FROM alpine:latest
+FROM alpine:latest AS dangerzone-image
 
 # Install dependencies
 RUN apk --no-cache -U upgrade && \
@@ -68,15 +68,49 @@ COPY --from=h2orestart-dl /libreoffice_ext/ /libreoffice_ext
 
 RUN install -dm777 "/usr/lib/libreoffice/share/extensions/"
 
-ENV PYTHONPATH=/opt/dangerzone
-
 RUN mkdir -p /opt/dangerzone/dangerzone
 RUN touch /opt/dangerzone/dangerzone/__init__.py
 COPY conversion /opt/dangerzone/dangerzone/conversion
 
-# Add the unprivileged user
-RUN adduser -s /bin/sh -D dangerzone
+# Add the unprivileged user. Set the UID/GID of the dangerzone user/group to
+# 1000, since we will point to it from the OCI config.
+#
+# NOTE: A tmpfs will be mounted over /home/dangerzone directory,
+# so nothing within it from the image will be persisted.
+RUN addgroup -g 1000 dangerzone && \
+ adduser -u 1000 -s /bin/true -G dangerzone -h /home/dangerzone -D dangerzone
+
+###########################################
+# gVisor wrapper image
+
+FROM alpine:latest
+
+RUN apk --no-cache -U upgrade && \
+ apk --no-cache add python3
+
+RUN GVISOR_URL="https://storage.googleapis.com/gvisor/releases/release/latest/$(uname -m)"; \
+ wget "${GVISOR_URL}/runsc" "${GVISOR_URL}/runsc.sha512" && \
+ sha512sum -c runsc.sha512 && \
+ rm -f runsc.sha512 && \
+ chmod 555 runsc && \
+ mv runsc /usr/bin/
+
+# Add the unprivileged `dangerzone` user.
+RUN addgroup dangerzone && \
+ adduser -s /bin/true -G dangerzone -h /home/dangerzone -D dangerzone
+
+# Switch to the dangerzone user for the rest of the script.
 USER dangerzone
 
-# /safezone is a directory through which Pixels to PDF receives files
-VOLUME /safezone
+# Copy the Dangerzone image, as created by the previous steps, into the home
+# directory of the `dangerzone` user.
+RUN mkdir /home/dangerzone/dangerzone-image
+COPY --from=dangerzone-image / /home/dangerzone/dangerzone-image/rootfs
+
+# Create a directory that will be used by gVisor as the place where it will
+# store the state of its containers.
+RUN mkdir /home/dangerzone/.containers
+
+COPY gvisor_wrapper/entrypoint.py /
+
+ENTRYPOINT ["/entrypoint.py"]

README.md

@@ -37,6 +37,7 @@ See [installing Dangerzone](INSTALL.md#linux) for adding the Linux repositories
 ## Some features
 
 - Sandboxes don't have network access, so if a malicious document can compromise one, it can't phone home
+- Sandboxes use [gVisor](https://gvisor.dev/), an application kernel written in Go, that implements a substantial portion of the Linux system call interface.
 - Dangerzone can optionally OCR the safe PDFs it creates, so it will have a text layer again
 - Dangerzone compresses the safe PDF to reduce file size
 - After converting, Dangerzone lets you open the safe PDF in the PDF viewer of your choice, which allows you to open PDFs and office docs in Dangerzone by default so you never accidentally open a dangerous document

dangerzone/conversion/common.py

@@ -14,7 +14,9 @@ def running_on_qubes() -> bool:
 
 
 def get_tessdata_dir() -> str:
- if running_on_qubes():
+ if os.environ.get("TESSDATA_PREFIX"):
+ return os.environ["TESSDATA_PREFIX"]
+ elif running_on_qubes():
  return "/usr/share/tesseract/tessdata/"
  else:
  return "/usr/share/tessdata/"

dangerzone/gvisor_wrapper/entrypoint.py

@@ -0,0 +1,161 @@
+#!/usr/bin/python3
+
+import json
+import os
+import shlex
+import subprocess
+import sys
+import typing
+
+# This script wraps the command-line arguments passed to it to run as an
+# unprivileged user in a gVisor sandbox.
+# Its behavior can be modified with the following environment variables:
+# RUNSC_DEBUG: If set, print debug messages to stderr, and log all gVisor
+# output to stderr.
+# RUNSC_FLAGS: If set, pass these flags to the `runsc` invocation.
+# These environment variables are not passed on to the sandboxed process.
+
+
+def log(message: str, *values: typing.Any) -> None:
+ """Helper function to log messages if RUNSC_DEBUG is set."""
+ if os.environ.get("RUNSC_DEBUG"):
+ print(message.format(*values), file=sys.stderr)
+
+
+command = sys.argv[1:]
+if len(command) == 0:
+ log("Invoked without a command; will execute 'sh'.")
+ command = ["sh"]
+else:
+ log("Invoked with command: {}", " ".join(shlex.quote(s) for s in command))
+
+# Build and write container OCI config.
+oci_config: dict[str, typing.Any] = {
+ "ociVersion": "1.0.0",
+ "process": {
+ "user": {
+ # Hardcode the UID/GID of the container image to 1000, since we're in
+ # control of the image creation, and we don't expect it to change.
+ "uid": 1000,
+ "gid": 1000,
+ },
+ "args": command,
+ "env": [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+ "PYTHONPATH=/opt/dangerzone",
+ "TERM=xterm",
+ ],
+ "cwd": "/",
+ "capabilities": {
+ "bounding": [],
+ "effective": [],
+ "inheritable": [],
+ "permitted": [],
+ },
+ "rlimits": [
+ {"type": "RLIMIT_NOFILE", "hard": 4096, "soft": 4096},
+ ],
+ },
+ "root": {"path": "rootfs", "readonly": True},
+ "hostname": "dangerzone",
+ "mounts": [
+ {
+ "destination": "/proc",
+ "type": "proc",
+ "source": "proc",
+ },
+ {
+ "destination": "/dev",
+ "type": "tmpfs",
+ "source": "tmpfs",
+ "options": ["nosuid", "noexec", "nodev"],
+ },
+ {
+ "destination": "/sys",
+ "type": "tmpfs",
+ "source": "tmpfs",
+ "options": ["nosuid", "noexec", "nodev", "ro"],
+ },
+ {
+ "destination": "/tmp",
+ "type": "tmpfs",
+ "source": "tmpfs",
+ "options": ["nosuid", "noexec", "nodev"],
+ },
+ # LibreOffice needs a writable home directory, so just mount a tmpfs
+ # over it.
+ {
+ "destination": "/home/dangerzone",
+ "type": "tmpfs",
+ "source": "tmpfs",
+ "options": ["nosuid", "noexec", "nodev"],
+ },
+ # Used for LibreOffice extensions, which are only conditionally
+ # installed depending on which file is being converted.
+ {
+ "destination": "/usr/lib/libreoffice/share/extensions/",
+ "type": "tmpfs",
+ "source": "tmpfs",
+ "options": ["nosuid", "noexec", "nodev"],
+ },
+ ],
+ "linux": {
+ "namespaces": [
+ {"type": "pid"},
+ {"type": "network"},
+ {"type": "ipc"},
+ {"type": "uts"},
+ {"type": "mount"},
+ ],
+ },
+}
+not_forwarded_env = set(
+ (
+ "PATH",
+ "HOME",
+ "SHLVL",
+ "HOSTNAME",
+ "TERM",
+ "PWD",
+ "RUNSC_FLAGS",
+ "RUNSC_DEBUG",
+ )
+)
+for key_val in oci_config["process"]["env"]:
+ not_forwarded_env.add(key_val[: key_val.index("=")])
+for key, val in os.environ.items():
+ if key in not_forwarded_env:
+ continue
+ oci_config["process"]["env"].append("%s=%s" % (key, val))
+if os.environ.get("RUNSC_DEBUG"):
+ log("Command inside gVisor sandbox: {}", command)
+ log("OCI config:")
+ json.dump(oci_config, sys.stderr, indent=2, sort_keys=True)
+ # json.dump doesn't print a trailing newline, so print one here:
+ log("")
+with open("/home/dangerzone/dangerzone-image/config.json", "w") as oci_config_out:
+ json.dump(oci_config, oci_config_out, indent=2, sort_keys=True)
+
+# Run gVisor.
+runsc_argv = [
+ "/usr/bin/runsc",
+ "--rootless=true",
+ "--network=none",
+ "--root=/home/dangerzone/.containers",
+]
+if os.environ.get("RUNSC_DEBUG"):
+ runsc_argv += ["--debug=true", "--alsologtostderr=true"]
+if os.environ.get("RUNSC_FLAGS"):
+ runsc_argv += [x for x in shlex.split(os.environ.get("RUNSC_FLAGS", "")) if x]
+runsc_argv += ["run", "--bundle=/home/dangerzone/dangerzone-image", "dangerzone"]
+log(
+ "Running gVisor with command line: {}", " ".join(shlex.quote(s) for s in runsc_argv)
+)
+runsc_process = subprocess.run(
+ runsc_argv,
+ check=False,
+)
+log("gVisor quit with exit code: {}", runsc_process.returncode)
+
+# We're done.
+sys.exit(runsc_process.returncode)