Are you aware of any privacy respecting sandboxes for various types of documents: PDFs, epub, word, etc? I’m trying to find interactive sandboxes primarily, but can work with regular sandboxes as well. I was able to find https://dangerzone.rocks/, but I ran into dependency-hell on trying to get that set-up on Pop!_OS. Another option I found was GitHub - kevoreilly/CAPEv2: Malware Configuration And Payload Extraction, which I have not tried yet.
All of my personal systems are running Linux, so I’m basically looking for a privacy way to do what Defender does on Windows. For some reason, clamav doesn’t exude confidence for me. Any recommendations for how to approach this or even solutions you personally use to check potentially suspicious documents? Should I just pay for any.run or a similar service with alias information?
I appreciate this thread as securely opening PDF files is something I’ve been REALLY struggling with.
In addition of using a sandbox, did you ever consider using a software firewall App to prevent your PDF reader app(e.g MuPDF) from contacting the Internet and transmitting the PDF files you’re viewing?
That was one part of my worry, the other part was my personal files. If it is a malicious document, it would potentially have the capabilities to delete files locally. Might be an overkill thought, but would still like to be safe than sorry here.
hmm good point. Do they officially support it as a container? I see the app uses containers in the backend w/ gvisor for converting the files, but didn’t see the actual app being served from a container.
@FranklyFlawless I guess this is really overkill here. OP clearly asks for „normal“ GNU/Linux here.
Try Firejail. It isolates your PDF file from the rest of your system without having to run a full VM (Virtual Machine).
But usually, it is safe to open a PDF file as long as you have macros disabled. For an attacker to attack you using a PDF file they‘d need to find a zero-day exploit in PDF viewing software, so if you aren‘t under the threat „targeted attack“, it‘s fine (just make sure as a Windows user if you read this (I know OP is running GNU/Linux but for a Windows user who reads this) that the setting „show file name extensions“ is on).
I explicitly and fully answered the OP’s questions I am able to provide from experience, and nothing more, unless there is an urgent demand I am not aware of to answer the last question.
@SYST3M_D3STR0YER@FranklyFlawless thanks for sharing your insight! I think Qubes is out of the picture…for now. However, I know firejail has a big SUID bit set. So if I’m going with bubblewrap, I’m then at flatpaks (as I believe flatpaks use bubblewrap in the backend), so I might just use a flatpak app for PDFs for now.
You would be better of using your browser to view pdfs and read the other threads regarding this topic. Safely viewing PDFs has been discussed a few times.
Understood, was just looking for a way I can do it without a browser tbh. Sometimes browsers are limited to just expand and zooms. You are completely correct though.
Also, needed it for documents in general just not PDFs.