Subgraph OS pre-Alpha for Testers
Where to download?
- Get the latest link from our IRC channel on OFTC, #subgraph
What is Subgraph OS?
- Linux (Debian Stretch) based OS
- grsecurity hardened kernel
- Application sandboxing with Oz: brower, mail client, IM client, PDF viewer, image viewer, LibreOffice..
- Network egress over Tor
- seccomp bpf whitelisting and blacklisting as part of Oz
- Application firewall
- MAC spoofing with Macouflage
- Curated packages, such as CoyIM as alternative for GUI XMPP
Pre-Alpha! Important Caveats
- Subgraph OS is pre-alpha. It has not been security audited, not even by us. There will be bugs, including likely security bugs, and it is unfit for 'real' use.
- While the release is signed (by an informal developer key), the packages are not yet signed. We are still finalizing our workflow for building and releasing packages, including the key management around this.
- The repo we have created for our packages is temporary and will change in the near future.
- The captive portal detector and authentication tool is still not complete and is not in the current ISO.
- We are also working on something to indicate the status of Tor, this is not present in the ISO yet (or exist at all). Check /var/log/tor/log for information about the state of tor.
- Subgraph OS is still relying on the Debian vanilla installer, there is no Tor egress during installation. Any connections (e.g. to retrieve update metadata or updates) made during install time are identifiable. You can skip the network setup to avoid this.
- 64-bit only
- 2GB ram min, 4-8 recommended
- SGOS only supports legacy boot
Known important issues
- Tor bootstrap may be slow at first boot or in live mode.
- Tor Browser Launcher writes Tor Browser into the user's home directory, and it is writeable inside the sandbox. We will replace Tor Browser Launcher with Tor Browser package. Issue here.
- CoyIM is not yet stable, please report crashes or bugs to the development team here.
- Tor will not be able to egress at boot due to firewall rules when running in live mode on VMWare Fusion. Issue here.
- Seccomp whitelists are currently DISABLED for most Oz sandboxed apps (except Coy) because we haven't tested them in about a month and need to retrain them. Instead most applications are running with the generic seccomp blacklist in /etc/oz/blacklist-generic.seccomp.
- If Tor Browser does not start, it may be because Pax flags were not set. Run the following command: sudo paxrat -c /etc/paxrat/paxrat_tbl.conf to set them manually for Tor Browser.
- If Tor does not successfully bootstrap, it may be because the system time was not set to GMT. Please set it to the current time GMT to unblock Tor. You can do it by issuing this command (as root): date --set="X FEB 2016 XX:XX:XX"
- To restart Oz daemon at any time (if apps won't start..) issue this command: sudo systemctl restart oz-daemon
What is the default password for the Live mode?
- The default password for the user in live mode is «live»
How do I remove a Subgraph firewall rule?
- Firewall rules are in /var/lib/sgfw/sgfw_rules
How do I list running sandboxes?
- Use the Oz Gnome Shell Plugin (top)
- $ oz list
How do I enter a sandbox shell?
- $ oz shell n (where n is the sandbox # from oz list)
- Oz client README.
How do I see Oz sandbox profiles?
- Look in /var/lib/oz/cells.d
- Technical walkthrough on how Oz works currently is here.
Please report all bugs using Github issues.
Make sure to search to ensure that the issue you are reporting is not already known to us.
- General SGOS bugs can be reported here.
- Bugs in Oz can be reported here.
- Bugs in CoyIM can be reported here.
Gathing data for bug reports
- While testing keep a window open running the following command: sudo journalctl -f
- Tor logs to /var/log/tor/log
- Oz logs to /var/log/daemon.log
- dmesg is useful for diagnosing grsecurity/PaX problems and seccomp bpf hits
We recommend contacting us through the following, in order of preference:
- IRC: OFTC, channel #subgraph
- Twitter: @subgraph
- Email: email@example.com
For now documentation is minimal, but we are actively improving it. Start here.