dangerzone icon indicating copy to clipboard operation
dangerzone copied to clipboard

Published 20 hours ago verified publisher icon freedomofpress

Defense in Depth

Open apyrgio opened this issue 1 year ago • 3 comments

Primer

Dangerzone currently uses two containers (Docker containers on MacOS/Windows, Podman containers on Linux) for the conversion process:

  • The first container accepts a suspicious document/image as input, and produces a list of RGB files (corresponding to the pages of the document).
  • The second container accepts the list of RGB files, and produces the safe PDF document.

On this issue, we'll focus on protecting the users against an attacker who tries to take control of the first container.

Requirements

From the point where a conversion process reads an attacker payload, to the point where the attacker manages to escape to the host, there are several hurdles that they must jump. In order of importance, from the innermost hurdle to the outermost, these are the requirements from Dangerzone, to keep a user safe.

  1. The attacker must not gain control of a process within the container.
  2. The attacker must not access host data from within the container.
  3. The attacker must not access the network from within the container.
  4. The attacker must not become root within the container.
  5. The attacker must not escape the container.
  6. The attacker must not access host data outside the container.
  7. The attacker must not become user/root outside the container.
  8. The attacker must not escape the VM.

Current situation

The protective measures that Dangerzone has in place are:

  • (MacOS/Windows only) Containers run in VMs.
    • This is necessary, as this the only way that Docker Desktop can run Linux containers in the rest of the OSes.
  • The conversion process in the container is not / cannot become root.
    • The Dangerzone container image has a regular user in it, and the conversion process runs with their UID.
    • No process can elevate themselves to root, since no new privileges can be acquired.
    • See the relevant discussion: https://github.com/freedomofpress/dangerzone/issues/169
  • Containers have no capabilities (see capabilities(7)).
    • We drop all capabilities when we create a new container, as we don't need them.
    • See the relevant PR: https://github.com/freedomofpress/dangerzone/pull/183
  • Containers have no access to the network.

The question here is: can we improve on this situation even more?

Subtasks

  • [ ] https://github.com/freedomofpress/dangerzone/issues/228
  • [ ] https://github.com/freedomofpress/dangerzone/issues/225
  • [ ] https://github.com/freedomofpress/dangerzone/issues/227
  • [ ] https://github.com/freedomofpress/dangerzone/issues/226
  • [x] https://github.com/freedomofpress/dangerzone/issues/222
  • [ ] https://github.com/freedomofpress/dangerzone/issues/224
  • [x] https://github.com/freedomofpress/dangerzone/issues/223
  • [ ] https://github.com/freedomofpress/dangerzone/issues/633

Previous issues

  • https://github.com/freedomofpress/dangerzone/issues/52
  • https://github.com/freedomofpress/dangerzone/issues/169
  • https://github.com/freedomofpress/dangerzone/issues/182

apyrgio avatar Oct 13 '22 22:10 apyrgio