dangerzone
dangerzone copied to clipboard
Published
20 hours ago •
freedomofpress
freedomofpress
Run Unsafe (development-only) Dangerzone version in MacOS and Windows for CI purposes
Our native CI runners don't seem to work well with nested virtualization (docker within a non-linux VM). For this reason we want to explore options of bypassing compartmentalization in theses systems.
Windows:
- [ ] save input file in another directory other than as
/tmp/input_file - [ ] output file location: remove hard-coded
/tmpand/tmp/input_filefromdoc_to_pixels.py - [ ] install libreoffice (can be done with
choco install libreoffice-still -y) - [ ] (optional) add
.hwplibreoffice extension (if not done, then skip respective tests) - [ ] change libreoffice subprocess call to
C:\Program Files\LibreOffice\program\soffice.exe
MacOS
- [ ] install LibreOffice
- [ ] consider other location than
/tmpdue to parallel tests
Common
- [ ] download tesseract languages and pass path as argument
- [ ] (optional) add
.hwplibreoffice extension (if not done, then skip respective tests)
Have an isolation-provider called unsafe.py that essentially piggy-backs on Qubes and bypasses the isolation provider.
class UnsafeConverter(Qubes):
"""Unsafe Isolation Provider (FOR TESTING ONLY)
Unsafe converter - files are sanitized without any isolation
"""
def __init__(self) -> None:
super().__init__()
# Sanity check
if not getattr(sys, "dangerzone_dev", False):
raise Exception(
'The "Unsafe" isolation provider is UNSAFE as the name implies'
+ " and should never be called in a non-testing system."
)
def install(self) -> bool:
return True
def start_doc_to_pixels_proc(self) -> subprocess.Popen:
return subprocess.Popen(
# XXX The unsafe converter bypasses the isolation provider by calling
# the Qubes server component directly
[Path(__file__).parent.parent.parent / "qubes" / "dz.Convert"],
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
)
def get_max_parallel_conversions(self) -> int:
return 1
