From 4e8c1e53ee2a804622c5553bd1afcbaa5606507d Mon Sep 17 00:00:00 2001
From: szaimen <szaimen@e.mail.de>
Date: Wed, 14 Sep 2022 11:21:23 +0200
Subject: [PATCH] allow to disable seccomp for collabora

Signed-off-by: szaimen <szaimen@e.mail.de>
---
 docker-compose.yml                      |  1 +
 manual-install/update-yaml.sh           |  1 +
 php/containers.json                     |  2 +-
 php/src/Data/ConfigurationManager.php   | 15 +++++++++++++++
 php/src/Docker/DockerActionManager.php  |  2 ++
 readme.md                               |  3 +++
 tests/QA/060-environmental-variables.md |  1 +
 7 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index d96afc08..269dd992 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -27,6 +27,7 @@ services:
       # - NEXTCLOUD_UPLOAD_LIMIT=10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud
       # - NEXTCLOUD_MAX_TIME=3600 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud
       # - TRUSTED_CACERTS_DIR=/path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defiend-certification-authorities-(ca)
+      # - COLLABORA_SECCOMP_DISABLED=false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature
 
   # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
   # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588
diff --git a/manual-install/update-yaml.sh b/manual-install/update-yaml.sh
index cf419f2a..3cbc708e 100644
--- a/manual-install/update-yaml.sh
+++ b/manual-install/update-yaml.sh
@@ -74,6 +74,7 @@ sed -i 's|AIO_URL=|AIO_URL=localhost          # Has no function but needs to be
 sed -i 's|NC_DOMAIN=|NC_DOMAIN=yourdomain.com          # TODO! Needs to be changed to the domain that you want to use for Nextcloud.|' sample.conf
 sed -i 's|NEXTCLOUD_PASSWORD=|NEXTCLOUD_PASSWORD=          # TODO! This is the password of the initially created Nextcloud admin with username "admin".|' sample.conf
 sed -i 's|TIMEZONE=|TIMEZONE=Europe/Berlin          # TODO! This is the timezone that your containers will use.|' sample.conf
+sed -i 's|COLLABORA_SECCOMP_POLICY=|COLLABORA_SECCOMP_POLICY=--o:security.seccomp=true          # Changing the value to false allows to disable the seccomp feature of the Collabora container.|' sample.conf
 sed -i 's|=$|=          # TODO! This needs to be a unique and good password!|' sample.conf
 
 cat sample.conf
diff --git a/php/containers.json b/php/containers.json
index 2498a2bc..50fe1d1e 100644
--- a/php/containers.json
+++ b/php/containers.json
@@ -193,7 +193,7 @@
       ],
       "environmentVariables": [
         "aliasgroup1=https://%NC_DOMAIN%:443",
-        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.level=warning --o:home_mode.enable=true",
+        "extra_params=--o:ssl.enable=false --o:ssl.termination=true --o:logging.level=warning --o:home_mode.enable=true %COLLABORA_SECCOMP_POLICY%",
         "dictionaries=%COLLABORA_DICTIONARIES%",
         "TZ=%TIMEZONE%"
       ],
diff --git a/php/src/Data/ConfigurationManager.php b/php/src/Data/ConfigurationManager.php
index b7bb37d5..a816e4f4 100644
--- a/php/src/Data/ConfigurationManager.php
+++ b/php/src/Data/ConfigurationManager.php
@@ -550,6 +550,21 @@ class ConfigurationManager
         return $this->GetEnvironmentalVariableOrConfig($envVariableName, $configName, $defaultValue);
     }
 
+    public function GetCollaboraSeccompPolicy() : string {
+        $defaultString = '--o:security.seccomp=';
+        if ($this->GetCollaboraSeccompDisabledState() !== 'true') {
+            return $defaultString . 'true';
+        }
+        return $defaultString . 'false';
+    }
+
+    private function GetCollaboraSeccompDisabledState() : string {
+        $envVariableName = 'COLLABORA_SECCOMP_DISABLED';
+        $configName = 'collabora_seccomp_disabled';
+        $defaultValue = 'false';
+        return $this->GetEnvironmentalVariableOrConfig($envVariableName, $configName, $defaultValue);
+    }
+
     /**
      * @throws InvalidSettingConfigurationException
      */
diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php
index 4b1e0682..19fa4789 100644
--- a/php/src/Docker/DockerActionManager.php
+++ b/php/src/Docker/DockerActionManager.php
@@ -326,6 +326,8 @@ class DockerActionManager
                     $replacements[1] = $this->configurationManager->GetBorgBackupHostLocation();
                 } elseif ($out[1] === 'APACHE_MAX_SIZE') {
                     $replacements[1] = $this->configurationManager->GetApacheMaxSize();
+                } elseif ($out[1] === 'COLLABORA_SECCOMP_POLICY') {
+                    $replacements[1] = $this->configurationManager->GetCollaboraSeccompPolicy();
                 } else {
                     $replacements[1] = $this->configurationManager->GetSecret($out[1]);
                 }
diff --git a/readme.md b/readme.md
index f671edeb..5f43a80d 100644
--- a/readme.md
+++ b/readme.md
@@ -499,3 +499,6 @@ You can make the Nextcloud container trust any Certification Authority by provid
 When using `docker run`, the environmental variable can be set with `-e TRUSTED_CACERTS_DIR=/path/to/my/cacerts`.
 
 In order for the value to be valid, the path should start with `/` and not end with '/' and point to an existing **directory**. Pointing the variable directly to a certificate **file** will not work and may also break things.
+
+### How to disable Collabora's Seccomp feature?
+The Collabora container enables Seccomp by default, which is a security feature of the Linux kernel. On systems without this kernel feature enabled, you need to provide `-e COLLABORA_SECCOMP_DISABLED=true` to the initial docker run command in order to make it work.
diff --git a/tests/QA/060-environmental-variables.md b/tests/QA/060-environmental-variables.md
index faf636d2..194f61b2 100644
--- a/tests/QA/060-environmental-variables.md
+++ b/tests/QA/060-environmental-variables.md
@@ -13,5 +13,6 @@
 - [ ] When starting the mastercontainer with `-e DISABLE_BACKUP_SECTION=true` it should hide the backup section that gets shown after AIO is set up (everything of [020-backup-and-restore](./020-backup-and-restore.md)) and simply show that the backup section is disabled.
 - [ ] When starting the mastercontainer with `-e TRUSTED_CACERTS_DIR=/path/to/my/cacerts`, the resulting nextcloud container should trust all the Certification Authorities, whose certificates are included in the directory `/path/to/my/cacerts` on the host.
 See https://github.com/nextcloud/all-in-one#how-to-trust-user-defiend-certification-authorities-(ca)
+- [ ] When starting the mastercontainer with `-e COLLABORA_SECCOMP_DISABLED=true`, the resulting collabora container should have `--o:security.seccomp=false` applied to it.
 
 You can now continue with [070-timezone-change.md](./070-timezone-change.md)