A new Subgraph OS Alpha ISO is available for download.
This is a release mainly targeting some bugs that were present in the last available ISO.
We are working on some major new features that aren't done yet or aren't yet robust enough to be included in a release to users. Some of those new features are described below.
We really should have released an ISO sooner than this, as there were some annoying bugs that got in the way of new users trying Subgraph OS for the first time. We've set up a new, more aggressive release schedule and should be making non-release ISO builds available monthly as we produce them.
New features: Alpha release 4
There are some new features in this ISO. Note that existing users should already have most of these, as Subgraph OS is a rolling-release distro.
One exception is the HexChat default configuration for use with SOCKS5, implemented as a default config placed in /etc/skel/.config/hexchat, which is only copied into the home directories of newly created users.
1. Multi-bridge (including clearnet) support in Oz
Oz now has support for an arbitrary number of named bridges to be created and attached to sandboxes to support flexible layer 3 network exits. We have included chromium as the first default configuration that uses this feature to provide a clearnet browser. To get the chromium clearnet browser, just run:
sudo apt-get install chromium
...and Chromium will be set up as the clearnet browser in Subgraph OS. We will likely include Chromium in the next ISO.
There is also a proof-of-concept implementation for launching OpenVPN and wiring a sandbox bridge to the tun device. Try it, but don't rely on it: it's fragile and insecure, and we know that. We intend to make substantial improvements to this for future releases, as well as support other VPN technologies.
2. Use of GPG restricted socket in Thunderbird sandbox
We redesigned the Thunderbird sandbox so that private keys are not accessible in the sandbox, and decryption/signing operations are requested via gpg-agent through the GPG restricted socket.
3. Experimental support for launching ephemeral sandboxes
There is an experimental feature that allows users to optionally launch sandboxes without any persistence. To enable it, add the following entry to /etc/oz/oz.conf (the leading comma separates it from the preceding entry):
, "enable_ephemerals": true
Following this, launching sandboxes will produce a pop-up asking if the sandbox should be launched ephemerally. We will make this less annoying in the future as this feature becomes more robust.
4. Rework of XDG_DIRS in sandbox filesystem
In earlier versions of Subgraph OS, users had to remember to use a special shared folder in a sandbox that applications had no awareness of. We now automatically map the XDG_DIRS directories to shared folders outside of the sandbox, which improves the user experience within applications. For example, Chromium downloads are saved to a location accessible outside of the sandbox without any extra user interaction.
The only exception to this is Tor Browser, which still saves downloads to .local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/Downloads/, which we acknowledge is ridiculous and will be addressing as soon as possible.
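To make the XDG mapping above concrete, here is an added example (not Oz or Subgraph code) that parses an xdg-user-dirs file and derives the host-to-sandbox bind mounts, keeping only directories strictly inside $HOME; the sample file contents, the sandbox home path and the mount layout are assumptions.

```python
import os
import re
import shlex

# ~/.config/user-dirs.dirs (xdg-user-dirs) holds shell-style assignments whose
# values start with "$HOME/" or are absolute; a value of exactly "$HOME" means
# the directory is disabled. Constructed sample with two unsafe entries.
SAMPLE = """\
# This file is written by xdg-user-dirs-update
XDG_DESKTOP_DIR="$HOME/Desktop"
XDG_DOWNLOAD_DIR="$HOME/Downloads"
XDG_DOCUMENTS_DIR="$HOME/Documents"
XDG_TEMPLATES_DIR="$HOME"
XDG_MUSIC_DIR="/"
XDG_VIDEOS_DIR="$HOME/Videos/../../../etc"
"""
ENTRY_RE = re.compile(r"^(XDG_[A-Z]+_DIR)=(.+)$")


def parse_user_dirs(text: str, home: str) -> dict[str, str]:
    """Return {XDG name: absolute host path} for entries that are safe to share."""
    home = os.path.normpath(home)
    shared = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # comment, blank line, or not an XDG entry
        try:
            value = shlex.split(m.group(2))[0]  # strip the shell quoting
        except (ValueError, IndexError):
            continue  # unbalanced quotes or empty value: ignore the entry
        if value == "$HOME":
            continue  # disabled by the user
        if value.startswith("$HOME/"):
            value = os.path.join(home, value[len("$HOME/"):])
        path = os.path.normpath(value)
        # Only directories strictly inside $HOME may be bind-mounted into a
        # sandbox; "/" or a "../" escape would expose the host filesystem.
        if path == home or not path.startswith(home + os.sep):
            continue
        shared[m.group(1)] = path
    return shared


def bind_mounts(shared: dict[str, str], home: str, sandbox_home: str) -> list:
    """(host, sandbox) pairs keeping the same relative layout inside the sandbox."""
    home = os.path.normpath(home)
    return sorted((host, os.path.join(sandbox_home, os.path.relpath(host, home)))
                  for host in shared.values())
```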
Improvements and bug fixes
- Pure UEFI boot fixed
- HexChat default configuration now uses a SOCKS5 proxy
Known issues
Subgraph OS is a work in progress, and major changes are underway. There are some important issues users should be aware of. Some of them are included below; for more, review the open issues at our Github repository.
1. System time at startup in live mode and after first install
Requiring that the system time already be set correctly is still an issue for bootstrapping Tor. We will address this in the coming ISO.
2. Tor Browser writeable in home directory/sandbox
Tor Browser Launcher installs Tor Browser into the user's home directory, where it ends up being writeable in the sandbox. This is a long-standing issue we hope to address soon.
3. OpenVPN client runs as root
Our implementation of support for OpenVPN is very rudimentary and experimental. There are a number of options on the table for supporting it in a way that is much safer and more robust, and implementing this is a work in progress. Part of the reason we are taking our time is that we want to support multiple modes: attaching the tun device to a bridge that is used by multiple sandboxes, for example (this is not yet possible). We can also put a tun device into the namespace of a single sandbox and remove all exposure of the host routing table to the VPN server.
Coming soon
Here's a preview of some of the things we're working on and are excited about.
1. Major Subgraph Firewall improvements
We're working on some major improvements to Subgraph Firewall. These include:
- A SOCKS5 application firewall (i.e. filter Tor access)
- TLSGuard
- UDP and ICMP support
- Sandbox awareness and policy support
If we can fix all bugs and are happy with the user interface changes, we'll release this in the next ISO.
2. Support for terminal applications in Oz
Oz will support terminal applications with seccomp-bpf whitelists installed. We also sandbox gnome-terminal.
3. System-wide Tor through Subgraph Firewall
With support for a SOCKS5 filter, we'll be able to apply system-wide filtering of network exits via Tor. No unprivileged process will have direct access to the Tor SOCKS5 port: they will have to go through Subgraph Firewall, where mandatory TLS can be enforced on a per-process/application basis. We are currently testing this and working out bugs.
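The SOCKS5 application firewall and the per-application mandatory TLS described above, as an added example that is not Subgraph Firewall's code: it parses a client's SOCKS5 CONNECT request (RFC 1928), refuses BIND/UDP ASSOCIATE and malformed requests, and returns a per-application verdict. Approximating "mandatory TLS" by destination port is an assumption of this example; the real TLSGuard inspects the handshake.

```python
import ipaddress
import struct

CMD_CONNECT = 0x01                                    # RFC 1928 command code
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04  # RFC 1928 address types
# Assumption: "mandatory TLS" is approximated by a port allowlist; the real
# TLSGuard inspects the handshake itself rather than trusting the port number.
TLS_PORTS = frozenset({443, 465, 563, 636, 853, 993, 995, 6697})


def build_connect(host: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request as a client such as HexChat would send."""
    try:
        addr = ipaddress.ip_address(host)
        body = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    except ValueError:  # not an IP literal: send the name and let Tor resolve it
        name = host.encode("idna")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([0x05, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect(data: bytes) -> tuple[str, int]:
    """Decode VER CMD RSV ATYP DST.ADDR DST.PORT; anything but CONNECT is refused."""
    if len(data) < 5 or data[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    if data[1] != CMD_CONNECT:
        raise ValueError("BIND and UDP ASSOCIATE are not permitted")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(rest) != 2:  # short read, or trailing bytes after the port
        raise ValueError("request is truncated or has trailing bytes")
    return host, struct.unpack("!H", rest)[0]


def decide(app: str, mandatory_tls: bool, data: bytes) -> tuple[bool, str]:
    """Per-application verdict (allow, reason); malformed input is always denied."""
    try:
        host, port = parse_connect(data)
    except ValueError as exc:
        return False, f"{app}: denied, {exc}"
    if mandatory_tls and port not in TLS_PORTS:
        return False, f"{app}: denied, port {port} on {host} is not a TLS port"
    return True, f"{app}: allowed, CONNECT {host}:{port} via Tor"
```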
4. Support for USB devices in sandboxes
We've been working on dynamic support for popular devices such as Yubikeys and hardware cryptocurrency wallets. This has been prototyped and we have had Yubikeys working with Chromium in an Oz sandbox, as well as Ledger Nano S in an Electrum sandbox.
5. i2p Support
We have successfully implemented experimental support for i2p, with specific sandboxes (HexChat, Chromium) configured to exit via i2p tunnels (see note below on Chronion re: privacy issues with Chromium).
6. "Chronion", a sandbox profile for using Chromium with Tor
Chronion is an experimental sandbox configuration for Chromium that launches it so that it exits via Tor. The Chronion profile also enforces ephemerality so that no persistent state is left (apart from an optional shared Downloads/ folder) between instantiations. The Oz sandbox runtime also prevents known leaks of interface IP addresses via WebRTC.
The primary reasons for a Chromium-over-Tor sandbox configuration are superior security against browser exploits and performance.
There are privacy drawbacks to using Chromium with Tor, and we have been reluctant to make this widely available for those reasons. At a minimum, Chromium is likely less resistant to known browser fingerprinting attacks mitigated by Tor Browser's pro-privacy and anti-fingerprinting customizations. We will elaborate on this in a future blog post.
7. Support for WireGuard and other IPSec based VPNs in Oz
We have successfully set up Oz sandboxes that exit via wg interfaces, and there should be no reason why we cannot also support any IPSec based VPN. This is a work in progress being implemented alongside the very basic and experimental support for OpenVPN.
8. Better support for Tor configuration, bridges
We're improving support for configuration of Tor, both in live mode and for installed users. This includes managing bridges via a GUI, and providing more control over how/when Tor bootstraps.
9. Non-Tor mode
Subgraph OS without a default system-wide Tor exit is planned for the future, with use of Tor and other alternate network transits manageable on a flexible, per app/sandbox basis (or system-wide perhaps if chosen during install).
Follow us on Twitter at @subgraph as well as at this blog for progress updates.