Due to bubblewrap's pickiness, mat2 can now be run
without a sandbox, even if bubblewrap is installed.

Apparently, abstractstaticmethod is deprecated
since python3.3.

madaidan authored 5 years ago and jvoisin committed 5 years ago

This mounts a new tmpfs on /tmp so any files residing there would be hidden
from the sandbox. Many programs store some files in there that might be useful
to an attacker.  It also drops all capabilities incase it is ever run with
extra capabilities for whatever reason.

On some machines (like mine), `/proc` has to be mounted.  Also, since
sandboxing with bubblewrap is best effort and assumes that an attacker doesn't
have control outside of the file to clean, it's safe to __try__ to enable some
bubblewrap features, and to silently fail otherwise.

This is related to the previous commit

nsids are random identifiers, usually used to ease merging
between documents, and can trivially be used for fingerprinting.

- gentoo and debian with bubblewrap are not allowed to fail anymore
- don't run coverage on debian without bubblewrap

georg authored 5 years ago and jvoisin committed 5 years ago

It seems, there is a bug somewhere if the test suite is invoked as
'root', and bubblewrap is available.

Relates #106

georg authored 5 years ago and jvoisin committed 5 years ago

As such, hopefully, it's not really used widely anymore. If so, this
note isn't really relevant.

georg authored 5 years ago and jvoisin committed 5 years ago

Also, make the note generic, to omit the need to update it "constantly".

Closes #76

This shouldn't make a big difference in the CLI/extension
usage, but might improve the performances of long-running
instances, or people misusing the API.

atenart authored 5 years ago and jvoisin committed 5 years ago

Rework the dependencies definition to include a 'required' flags, which
is passed by the check_dependencies helper to the callers, so that they
can distinguish between required and optional dependencies.

This help in two ways:
- The unit test for the dependencies was now failing when an optional
  one was missing, due to a previous rework.
- Mat2's --check-dependencies was referring to "required dependencies"
  and was misleading for the user as some of them could be optional.

Signed-off-by: Antoine Tenart <antoine.tenart@ack.tf>

atenart authored 5 years ago and jvoisin committed 5 years ago

Remove the try/except logic when calling check_dependencies, as it
cannot throw the exception anymore (it's caught already in the
function).

Signed-off-by: Antoine Tenart <antoine.tenart@ack.tf>