Subgraph OS pre-Alpha for Testers

Where to download?

Get the latest link from our IRC channel on OFTC, #subgraph

What is Subgraph OS?

Linux (Debian Stretch) based OS

grsecurity hardened kernel

Application sandboxing with Oz: brower, mail client, IM client, PDF viewer, image viewer, LibreOffice..

Network egress over Tor

seccomp bpf whitelisting and blacklisting as part of Oz

Application firewall

MAC spoofing with Macouflage

Curated packages, such as CoyIM as alternative for GUI XMPP

...

Pre-Alpha! Important Caveats

Subgraph OS is pre-alpha. It has not been security audited, not even by us. There will be bugs, including likely security bugs, and it is unfit for 'real' use.

While the release is signed (by an informal developer key), the packages are not yet signed. We are still finalizing our workflow for building and releasing packages, including the key management around this.

The repo we have created for our packages is temporary and will change in the near future.

The captive portal detector and authentication tool is still not complete and is not in the current ISO.

We are also working on something to indicate the status of Tor, this is not present in the ISO yet (or exist at all). Check /var/log/tor/log for information about the state of tor.

Subgraph OS is still relying on the Debian vanilla installer, there is no Tor egress during installation. Any connections (e.g. to retrieve update metadata or updates) made during install time are identifiable. You can skip the network setup to avoid this.

Requirements

64-bit only

2GB ram min, 4-8 recommended

SGOS only supports legacy boot

Known important issues

Tor bootstrap may be slow at first boot or in live mode.

Tor Browser Launcher writes Tor Browser into the user's home directory, and it is writeable inside the sandbox. We will replace Tor Browser Launcher with Tor Browser package. Issue here.

CoyIM is not yet stable, please report crashes or bugs to the development team here.

Tor will not be able to egress at boot due to firewall rules when running in live mode on VMWare Fusion. Issue here.

Seccomp whitelists are currently DISABLED for most Oz sandboxed apps (except Coy) because we haven't tested them in about a month and need to retrain them. Instead most applications are running with the generic seccomp blacklist in /etc/oz/blacklist-generic.seccomp.

Troubleshooting

If Tor Browser does not start, it may be because Pax flags were not set. Run the following command: sudo paxrat -c /etc/paxrat/paxrat_tbl.conf to set them manually for Tor Browser.

to set them manually for Tor Browser. If Tor does not successfully bootstrap, it may be because the system time was not set to GMT. Please set it to the current time GMT to unblock Tor. You can do it by issuing this command (as root): date --set="X FEB 2016 XX:XX:XX"

To restart Oz daemon at any time (if apps won't start..) issue this command: sudo systemctl restart oz-daemon

What is the default password for the Live mode?

The default password for the user in live mode is «live»

How do I remove a Subgraph firewall rule?

Firewall rules are in /var/lib/sgfw/sgfw_rules

How do I list running sandboxes?

Use the Oz Gnome Shell Plugin (top)

$ oz list

How do I enter a sandbox shell?

$ oz shell n (where n is the sandbox # from oz list)

(where n is the sandbox # from oz list) Oz client README.

How do I see Oz sandbox profiles?

Look in /var/lib/oz/cells.d

Technical walkthrough on how Oz works currently is here.

Reporting bugs

Please report all bugs using Github issues.

Make sure to search to ensure that the issue you are reporting is not already known to us.

General SGOS bugs can be reported here.

Bugs in Oz can be reported here.

Bugs in CoyIM can be reported here.

Gathing data for bug reports

While testing keep a window open running the following command: sudo journalctl -f

Tor logs to /var/log/tor/log

Oz logs to /var/log/daemon.log

dmesg is useful for diagnosing grsecurity/PaX problems and seccomp bpf hits

Contacting us

We recommend contacting us through the following, in order of preference:

IRC: OFTC, channel #subgraph

Twitter: @subgraph

Email: info@subgraph.com

Documentation

For now documentation is minimal, but we are actively improving it. Start here.