freedomofpress / dangerzone

Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs
https://dangerzone.rocks/
GNU Affero General Public License v3.0

Smallest possible container image for Tails #669

Open apyrgio opened 8 months ago

apyrgio commented 8 months ago

Warning: this is a thought experiment :bulb:

Suppose that Dangerzone was installed in Tails (original discussion). What would the container image look like in this case? Most probably, it would have to be small. Either small enough to be packaged with Tails, or small enough to be downloaded via Tor (see #154).

But how small can we possibly make that image? We have crunched some numbers (https://github.com/freedomofpress/dangerzone/issues/658#issuecomment-1861239821), and while it's still early days, best case scenario looks like ~200MiB. Can we make it smaller? Can we make it 0?

$ cat Dockerfile
FROM scratch
$ podman build . -t dangerzone.rocks/dangerzone:latest
$ podman run --network none -it -v /bin:/bin:ro -v /lib:/lib:ro -v /usr:/usr:ro -v /etc:/etc:ro -v /var:/var:ro -v /lib64:/lib64:ro dangerzone.rocks/dangerzone libreoffice --help
LibreOffice [...]

What happened here? Because Tails has LibreOffice installed, we can mount (read-only) Tails' system files within an empty container, and run LibreOffice inside that container, with all of our protections.

This is akin to moving a jailed process from a cell made of concrete into a cell made of hardened glass. Now the process can look outside, but cannot affect it. Can it read sensitive info? We don't mount Tails' persistent storage, symlinks don't work within the container, but still, this is not foolproof. Do we enlarge our attack surface with filesystem bugs? Sadly yes.

Untested territory

Can we make this better? We could copy into the container image the files that LibreOffice needs to run. For instance, we could recursively list all the LibreOffice dependencies:

$ apt-cache depends libreoffice-core --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances | grep "^\w" | sort -u

and then get the files of these dependencies with dpkg -L. This file list is very large though, because we need core system libraries as well.

Alternatively, we could have a Bullseye image with the main LibreOffice dependencies installed, which hopefully won't take much space, and then copy just the LibreOffice dirs into it, e.g.:

/etc/libreoffice
/usr/lib/libreoffice
/usr/share/libreoffice
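To put a number on the "very large" file list from the apt-cache / dpkg -L approach above, here is an added shell example (not code from the Dangerzone project or from the issue author). It turns the `apt-cache depends --recurse` listing into the package closure, expands that closure into the deduplicated set of files the packages ship, and totals their size, which approximates what copying those files into a scratch image would add. The `package_closure` and `files_for_packages` functions assume a Debian-based host with `apt-cache` and `dpkg` on the PATH; the parsing and size-summing functions are pure and work on any input. The function names and the `image_estimate` report format are this example's own.

```shell
#!/bin/sh
# Added example, not Dangerzone project code: estimate the on-disk footprint
# of a package's hard-dependency closure on a Debian-based host.

# Read `apt-cache depends --recurse ...` output on stdin and print one
# package name per line. With --recurse every package in the closure gets
# its own block whose header line starts in column 0 (dependency lines are
# indented), so keeping the column-0 names yields the closure itself.
closure_from_apt_cache() {
    grep '^[[:alnum:]]' | cut -d' ' -f1 | sort -u
}

# Wrapper around the command quoted in the issue: follow only hard
# dependencies (no Recommends/Suggests or other relation types).
# Assumes apt-cache is installed.
package_closure() {
    apt-cache depends "$1" --recurse --no-recommends --no-suggests \
        --no-conflicts --no-breaks --no-replaces --no-enhances \
        | closure_from_apt_cache
}

# Read package names on stdin and print the files they ship (dpkg -L),
# deduplicated because many packages list shared directories such as
# /usr/share/doc. Assumes dpkg is installed.
files_for_packages() {
    xargs dpkg -L 2>/dev/null | sort -u
}

# Read file paths on stdin and print the total size in bytes of the regular
# files among them. Directories and missing paths are skipped, so the result
# approximates what a COPY of these paths into an image would add.
total_size_of_files() {
    total=0
    while IFS= read -r path; do
        [ -f "$path" ] || continue
        size=$(wc -c < "$path" | tr -d ' ')
        total=$((total + size))
    done
    echo "$total"
}

# Report how many packages, files and bytes one package pulls in.
# Usage: image_estimate libreoffice-core
image_estimate() {
    pkgs=$(package_closure "$1")
    files=$(printf '%s\n' "$pkgs" | files_for_packages)
    printf 'packages: %s\n' "$(printf '%s\n' "$pkgs" | wc -l | tr -d ' ')"
    printf 'files:    %s\n' "$(printf '%s\n' "$files" | wc -l | tr -d ' ')"
    printf 'bytes:    %s\n' "$(printf '%s\n' "$files" | total_size_of_files)"
}

# Only run the full estimate when a package name is given on the command
# line, so the file can also be sourced for its functions.
if [ "$#" -gt 0 ]; then
    image_estimate "$1"
fi
```

Running `sh estimate.sh libreoffice-core` on a Tails or Bullseye host gives the three totals; comparing the byte count with and without the core system libraries (libc6, libgcc-s1 and friends, which show up in the closure) is what decides whether the copy-the-files approach beats the bind-mount one.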