{"id":43514274,"url":"https://github.com/subgraph/oz","last_synced_at":"2026-02-03T13:30:44.126Z","repository":{"id":33059944,"uuid":"36696441","full_name":"subgraph/oz","owner":"subgraph","description":"OZ: a sandboxing system targeting everyday workstation applications","archived":false,"fork":false,"pushed_at":"2018-04-18T00:49:34.000Z","size":14447,"stargazers_count":431,"open_issues_count":69,"forks_count":57,"subscribers_count":52,"default_branch":"master","last_synced_at":"2024-06-18T20:24:20.864Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://subgraph.com/sgos/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/subgraph.png","metadata":{"files":{"readme":"README.mdwn","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-06-02T00:04:12.000Z","updated_at":"2024-05-23T12:49:30.000Z","dependencies_parsed_at":"2022-09-12T17:11:59.196Z","dependency_job_id":null,"html_url":"https://github.com/subgraph/oz","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/subgraph/oz","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subgraph%2Foz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subgraph%2Foz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subgraph%2Foz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/subgraph%2Foz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/subgraph","download_url":"https://codeload.github.com/subgraph/oz/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/subgraph%2Foz/sbom","scorecard":{"id":856751,"data":{"date":"2025-08-11","repo":{"name":"github.com/subgraph/oz","commit":"b9675452f7123b2f6a9d379308568f144ab03720"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3,"checks":[{"name":"Code-Review","score":0,"reason":"Found 2/29 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license 
file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 3 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-24T00:02:52.599Z","repository_id":33059944,"created_at":"2025-08-24T00:02:52.599Z","updated_at":"2025-08-24T00:02:52.599Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29046555,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-03T10:09:22.136Z","status":"ssl_error","status_checked_at":"2026-02-03T10:09:16.814Z","response_time":96,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-03T13:30:43.155Z","updated_at":"2026-02-03T13:30:44.117Z","avatar_url":"https://github.com/subgraph.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Intro\n\nOz is a sandboxing system targeting everyday workstation applications.\nIt acts as a wrapper around application executables for completely transparent user operations. It achieves process containment through the use of [Linux Namespaces](http://man7.org/linux/man-pages/man7/namespaces.7.html), [Seccomp filters](http://man7.org/linux/man-pages/man2/seccomp.2.html), [Capabilities](http://man7.org/linux/man-pages/man7/capabilities.7.html), and X11 restriction using [Xpra](https://xpra.org/). 
It has built-in support with automatic configuration of bridge mode networking and also supports working in a contained network environment using the built-in connection forwarding proxy.\n\n[See the wiki for the complete technical documentation.](https://github.com/subgraph/oz/wiki/Oz-Technical-Details)\n\n# Demo\n\n\u003cp align=\"center\"\u003e\n\u003ca href=\"https://support.subgraph.com/videos/oz_evince_01.webm\"\u003e\u003cimg src=\"https://raw.githubusercontent.com/subgraph/oz/docs/videos/oz_evince_01.gif\" alt=\"OZ Sandbox Evince Demo\"/\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n# Warnings!\n\nPlease note that Oz is currently under major development and still at a very alpha stage. **As of this writing some features are not yet available in the public master branch**. It is not intended for use on multi-user systems. Use it at your own risk!\n\n# Installing\n\nYou can easily build a Debian package from the latest tagged release:\n\n\t$ sudo apt-get install golang xpra bridge-utils ebtables libacl1 libacl1-dev dh-golang dh-systemd git-buildpackage\n\t$ git clone -b debian https://github.com/subgraph/oz.git\n\t$ cd oz\n\t### To Build from stable\n\t$ gbp buildpackage -us -uc\n\t### To Build from strict-etc\n\t$ gbp buildpackage -us -uc --git-upstream-branch=strict-etc\n\t### Once you are ready to install and have no important unsaved content in Oz windows\n\t$ sudo dpkg -i /tmp/build-area/oz-daemon_\u003cversion\u003e.deb\n\t$ sudo paxrat\n\t$ sudo systemctl restart oz-daemon.service\n\nOr to build it manually:\n\n## Prerequisites\n\nCurrently Oz only works on, and is only tested on, Debian (\u003e= jessie).\nAs of this writing it does **not** work on Ubuntu. While it has been minimally tested under Fedora,\nthere is no RPM equivalent to `dpkg-divert`, which is what allows Oz to conveniently wrap the executables of existing programs.\nFor seccomp filters you need at least kernel version 3.17. 
We recommend using Debian stretch with a 4.0+ grsecurity-patched kernel.\n\nIt is highly recommended that you run it in conjunction with [grsecurity](https://grsecurity.net/).\n\n### Dependencies\n\n```\n$ sudo apt-get install golang xpra bridge-utils ebtables libacl1\n```\n\nYou need golang version 1.4.\n\nYou must also have the `veth` and `bridge` kernel modules loaded to use *bridge network mode*.\n\n### Grsec\n\nIf you are using grsecurity you will need to disable the following kernel options\npermanently via the sysctl interface or by echoing values to files in `/proc/sys/kernel/grsecurity/`:\n\n```\nkernel.grsecurity.chroot_caps = 0\nkernel.grsecurity.chroot_deny_chmod = 0\nkernel.grsecurity.chroot_deny_mount = 0\n```\n\nSee [Grsecurity/Appendix/Sysctl Options](https://en.wikibooks.org/wiki/Grsecurity/Appendix/Sysctl_Options)\nfor information on setting grsecurity sysctl options.\n\n### Network Manager\n\nIf you are using Network-Manager you need to exclude the bridge interface from its management.\nTo do so a file must be created at `/etc/NetworkManager/conf.d/oz.conf` containing:\n\n```\n[main]\nplugins=keyfile\n\n[keyfile]\nunmanaged-devices=mac:6a:a8:2e:56:e8:9c;interface-name:oz0\n```\n\nIf this file is missing `oz-daemon` will output a warning, and it may fail to set up bridge networking.\n\n### Bridge networking\n\nBridge networking is automatically configured by Oz, but you will need to set up\nat minimum a few iptables masquerading rules and ebtables isolation rules as follows (adjusted to the names of your interfaces):\n\n```\nsudo iptables -t nat -A POSTROUTING -o $INTERFACE_ONE -j MASQUERADE\nsudo iptables -t nat -A POSTROUTING -o $INTERFACE_TWO -j MASQUERADE\nsudo ebtables -P FORWARD DROP\nsudo ebtables -F FORWARD\nsudo ebtables -A FORWARD -i oz0 -j ACCEPT\nsudo ebtables -A FORWARD -o oz0 -j ACCEPT\n```\n\nIP Forwarding must be enabled (do this as root):\n\n```\n# echo 1 \u003e/proc/sys/net/ipv4/ip_forward\n```\n\n## Building\n\n1. 
To set up a GOPATH for Oz, run the following commands (or you can use your\nexisting GOPATH):\n\n```\n$ export GOPATH=/opt/local/golang-oz\n$ sudo mkdir -p $GOPATH\n$ sudo chown user. $GOPATH\n```\n\n2. To build Oz with the required external Golang dependencies, run the following\ncommands:\n\nFirst we build the [godep](https://github.com/tools/godep) tool:\n\n```\n$ go get github.com/tools/godep\n```\n\nNow check out the source using either:\n\n```\n$ git clone https://github.com/subgraph/oz.git src/github.com/subgraph/oz\n```\n\nor alternatively, to create a development environment, use:\n\n```\n$ go get -d github.com/subgraph/oz\n```\n\nWe are ready to build and install:\n\n```\n$ sudo apt-get install libacl1-dev\n$ cd $GOPATH/src/github.com/subgraph/oz/\n$ $GOPATH/bin/godep go install ./...\n$ sudo cp $GOPATH/bin/oz* /usr/local/bin\n$ sudo mkdir -p /var/lib/oz/cells.d\n$ sudo cp $GOPATH/src/github.com/subgraph/oz/profiles/* /var/lib/oz/cells.d/\n$ sudo mkdir /etc/oz\n$ sudo cp $GOPATH/src/github.com/subgraph/oz/profiles/generic-blacklist.seccomp /etc/oz/blacklist-generic.seccomp\n$ sudo cp $GOPATH/src/github.com/subgraph/oz/sources/etc/network/if-up.d/* /etc/network/if-up.d/\n$ sudo chmod a+x /etc/network/if-up.d/oz\n$ sudo cp $GOPATH/src/github.com/subgraph/oz/sources/etc/network/if-post-down.d/* /etc/network/if-post-down.d/\n$ sudo cp $GOPATH/src/github.com/subgraph/oz/sources/lib/systemd/system/oz-daemon.service /lib/systemd/system/oz-daemon.service\n$ sudo cp $GOPATH/src/github.com/subgraph/oz/sources/etc/NetworkManager/conf.d/oz.conf /etc/NetworkManager/conf.d/oz.conf\n$ sudo dpkg-divert --add --package oz --rename --divert /etc/xpra/xpra.conf.pkg-dist /etc/xpra/xpra.conf\n$ sudo cp $GOPATH/src/github.com/subgraph/oz/sources/etc/xpra/xpra.conf /etc/xpra/xpra.conf\n$ sudo systemctl enable oz-daemon.service\n```\n\n## Enabling a profile\n\nOnce installed you can enable profiles using the `oz-setup` command as follows (using the profile for the 
'evince' application):\n\n```\n$ sudo oz-setup install evince\n```\n\nThis will install a symlink to the oz client executable in place of the original; the original executable is moved to `dirname(path)-oz/basename(path).unsafe`. This behavior can be altered using the `divert_path` and `divert_suffix` configuration flags.\n\n## Disabling a profile\n\nIf you want to disable a profile that you're not using, or prior to uninstalling Oz, you can run the following command (once again\nwith 'evince' as the target application):\n\n```\n$ sudo oz-setup remove evince\n```\n\nIf you have already uninstalled Oz you can remove the diversions manually using the `dpkg-divert` command.\n\n## Viewing the status of a profile\n\nYou can view the status of a profile using the `status` sub-command:\n\n```\n$ sudo oz-setup status /usr/bin/lowriter\nPackage divert is installed for:     /usr/bin/libreoffice\nPackage divert is installed for:     /usr/bin/lowriter\nPackage divert is installed for:     /usr/bin/lobase\nPackage divert is installed for:     /usr/bin/localc\nPackage divert is installed for:     /usr/bin/loffice\n\u003c...output truncated for clarity\u003e\n```\n\n# Usage\n\nFirst you must launch the daemon utility, either with the init script or manually:\n\n```\n$ sudo oz-daemon\n```\n\nOnce the daemon is started you can transparently launch any application for which you have enabled the profile.\nThis means Oz sandboxing will be used whether you launch your browser from gnome-shell or from the command line.\n\nAny files inside your home directory passed as arguments to the command (either via double clicking or program arguments) are automatically added to the whitelist (if the profile supports `allow_files`).\n\nThe [OZ gnome-shell extension](https://github.com/subgraph/ozshell-gnome-extension) allows you to easily interface with running sandboxes:\nto add/remove files inside a sandbox, open a shell inside a sandbox, and terminate a sandbox.\n\nIf you wish to run an executable 
outside the sandbox, simply call it at `dirname(path)-oz/basename(path).unsafe`, for example:\n\n```\n$ /usr/bin-oz/evince.unsafe\n```\n\n# Advanced Usage Information\n\n## Oz client commands\n\nThe `oz` executable acts as a client for the daemon when called directly. It provides a number of commands to interact with sandboxes.\n\n* `profiles`: lists available profiles\n* `launch \u003cname\u003e`: launches a sandbox for the given profile name; pass the `--noexec` flag to prevent execution of the default program\n* `list`: lists the running sandboxes\n* `kill \u003cid\u003e`: kills the sandbox with the given numerical id\n* `kill all`: kills all running sandboxes\n* `shell \u003cid\u003e`: enters a shell in a given sandbox, mostly useful for debugging\n* `logs [-f]`: prints out the logs; pass `-f` to follow the output\n\n## Oz-daemon configurations\n\nIn nearly every case the default configurations should be used, but for debugging and development purposes some flags are configurable inside the `/etc/oz/oz.conf` file. 
You can view the current configuration by running the following command:\n\n```\n$ oz-setup config show\n\nConfig file     : /etc/oz/oz.conf\n##################################################################\nprofile_dir     : /var/lib/oz/cells.d                            # Directory containing the sandbox profiles\nshell_path      : /bin/bash                                      # Path of the shell used when entering a sandbox\nprefix_path     : /usr/local                                     # Prefix path containing the oz executables\netc_prefix      : /etc/oz                                        # Prefix for configuration files\nsandbox_path    : /srv/oz                                        # Path of the sandboxes base\nbridge_mac      : 6A:A8:2E:56:E8:9C                              # MAC Address of the bridge interface\ndivert_suffix   : unsafe                                         # Suffix using for dpkg-divert of application executables, can be left empty when using a divert path\ndivert_path     : true                                           # Whether the diverted executable should be moved out of the path\nnm_ignore_file  : /etc/NetworkManager/conf.d/oz.conf             # Path to the NetworkManager ignore config file, disables the warning if empty\nuse_full_dev    : false                                          # Give sandboxes full access to devices instead of a restricted set\nallow_root_shell: false                                          # Allow entering a sandbox shell as root\nlog_xpra        : false                                          # Log output of Xpra\nenvironment_vars: [USER USERNAME LOGNAME LANG LANGUAGE _ TZ=UTC] # Default environment variables passed to sandboxes\ndefault_groups  : [audio video]                                  # List of default group names that can be used inside the sandbox\n```\n\n## Profiles\n\nProfile files are simple JSON files located, by default, in `/var/lib/oz/cells.d`. 
Each must include, at minimum, the path to the executable to be sandboxed using the `path` key. A profile may also define more executables to run under the same sandbox under the `paths` array, in which case a `name` key must also be specified. Some other base options are also available:\n\n* `paths`: if multiple executables are to be sandboxed under the same profile\n* `allow_files`: whether to allow binding of files passed as arguments inside the sandbox (does not affect files added manually)\n* `auto_shutdown`: whether the sandbox should be terminated right away after the process exits, one of [yes|no] (defaults to `yes`)\n* `watchdog`: an array of strings containing the names of processes the auto-shutdown feature should look for in case the main process spawns a detached process.\n* `allowed_groups`: an array of user groups assigned to the user inside the sandbox\n* `default_params`: an array of default params to pass to the program whenever it is executed\n\n### Xserver\n\nThis section defines the configuration of the Xserver (namely [xpra](https://www.xpra.org/)).\nPossible options are:\n\n* `enabled`: whether or not to use the Xserver\n* `enable_tray`: whether or not to enable the Xpra tray diagnostic menu/tray (This requires the [`Top Icons`](https://extensions.gnome.org/extension/495/topicons/) gnome-shell extension!)\n* `tray_icon`: the path to an icon file to use for the tray menu\n* `window_icon`: the path to an icon file to use for windows\n* `audio_mode`: one of [none|pulseaudio~~|speaker|full~~], selects the audio passthrough mode (default: none) (only pulseaudio mode is supported at this time)\n* `disable_clipboard`: optionally disable clipboard sharing\n* `enable_notifications`: enable passing of dbus notifications\n\n### Network configs\n\nThe network can be configured in one of three different ways: host, bridge, and empty namespace, as defined in the `type` key.\n\n* `empty`: the sandbox will live with an empty network namespace (i.e. only the `lo` 
interface)\n* `bridge`: the sandbox will have its own network namespace and use *veth* to join a bridge named `oz0`\n* `none`: do not configure even the loopback interface; the connection proxy will be unavailable\n* `host`: the sandbox will share the network namespace with the host (usually not desirable)\n\n#### Port Forwarding config\n\nOz allows you to forward ports on the loopback interface between the host and the sandbox.\nThis is useful so that you can expose some services (such as a SOCKS proxy) to the sandbox without giving the sandbox any real network access.\nYou may define as many forwards, called `sockets` in the configuration, as you like.\nEach socket configuration contains the following keys:\n\n* `type`: One of `client` or `server`; this defines whether to connect (*client*) or listen (*server*) on the host side\n* `proto`: One of `tcp`, `udp`, or `socket`\n* `port`: The network port number to connect to\n* `destination`: *Optional*, in client mode this is the address to connect to, in server mode this is the address to bind to. Defaults to *localhost*.\n\n### Bind list\n\nThere exist two types of *bindlists*: a whitelist and a blacklist.\nThe whitelist allows you to bring files from the host into the sandbox, while the blacklist allows you to remove access to specific files or directories.\n\nThe `path` key specifies the path of the directory or file to bind. 
\n\nBoth of these types support a few ways of resolving files:\n\n* In the path by using the `${PATH}` prefix.\n* In the home by using the `${HOME}` prefix.\n* By replacing `${UID}` with the user numeric id.\n* By replacing `${USER}` with the user login.\n* By replacing any `${XDG_\u003cDIRECTORY\u003e_DIR}` with the current localized version of that XDG directory.\n* By path globbing using the `*` wildcard.\n\n\nThe whitelist carries some extra properties:\n\n* An optional `target` key can be specified to bind the file to a different path inside the sandbox.\n* If the original file does not exist and is inside the home, an empty directory will be created in its place if the `can_create` key is set.\n* If the target already exists the whitelist will fail to bind unless the `force` key is set.\n* A profile will fail to launch if a whitelist item is missing unless the `ignore` key is set.\n* An item can be marked as read only with the `read_only` boolean key.\n* Files passed as arguments to the command while launching are automatically added to the whitelist (if the `allow_files` boolean key is set).\n\nThe whitelist carries some extra caveats:\n\n* If the original file is a symlink it is resolved, but the target remains the same.\n\n### Environment\n\nOne can specify which environment variables to pass by defining them in this list.\nIt is also possible to define static variables by also defining a `value` attribute in the list item.\n\n### Seccomp \n\nOz supports both whitelist and blacklist seccomp policies for sandboxed applications. Seccomp allows for See the [Oz Seccomp documentation page](https://github.com/subgraph/oz/wiki/Oz-Seccomp) for more details.\n\nOz can also run sandboxed applications with whitelist and blacklist seccomp policies loaded, but in non-enforced (audit only) mode. 
More information is available on the [Oz seccomp non-enforcement mode documentation](https://github.com/subgraph/oz/wiki/Oz-Seccomp-Non-Enforcement-Mode) page.\n\n### Example\n\nYou can find a list of existing profiles in the repository. Here is the profile for running `torbrowser-launcher`:\n\n```\n{\n\"path\": \"/usr/bin/torbrowser-launcher\"\n, \"watchdog\": [\"start-tor-browser\", \"firefox\"]\n, \"xserver\": {\n\t\"enabled\": true\n\t, \"enable_tray\": false\n\t, \"tray_icon\":\"/usr/share/pixmaps/torbrowser80.xpm\"\n\t, \"audio_mode\": \"pulseaudio\"\n}\n, \"networking\":{\n\t\"type\":\"empty\"\n\t, \"sockets\": [\n\t\t{\"type\":\"client\", \"proto\":\"tcp\", \"port\":9050}\n\t\t, {\"type\":\"client\", \"proto\":\"tcp\", \"port\":9051}\n\t]\n}\n, \"whitelist\": [\n\t{\"path\":\"${HOME}/.local/share/torbrowser\", \"can_create\":true}\n\t, {\"path\":\"${HOME}/.config/torbrowser\", \"can_create\":true}\n\t, {\"path\":\"${HOME}/Downloads/TorBrowser\", \"can_create\":true}\n\t, {\"path\":\"/run/tor/control.authcookie\", \"ignore\":true}\n]\n, \"blacklist\": [\n]\n, \"environment\": [\n\t{\"name\":\"TOR_SKIP_LAUNCH\"}\n\t, {\"name\":\"TOR_SOCKS_HOST\"}\n\t, {\"name\":\"TOR_SOCKS_PORT\"}\n\t, {\"name\":\"TOR_CONTROL_PORT\"}\n\t, {\"name\":\"TOR_CONTROL_PASSWD\"}\n\t, {\"name\":\"TOR_CONTROL_AUTHENTICATE\"}\n\t, {\"name\":\"TOR_CONTROL_COOKIE_AUTH_FILE\"}\n]\n, \"allowed_groups\": [\"debian-tor\"]\n, \"seccomp\": {\n\t\"mode\":\"blacklist\"\n\t, \"enforce\": true\n}\n}\n```\n\n# FAQ\n\n**Q: Why don't you use unprivileged user namespaces? I hear it would be far more secure!**\n\nA: Please see [this issue, which explains the reasoning and tracks multiple unprivileged user namespace related kernel vulnerabilities](https://github.com/subgraph/oz/issues/11#issuecomment-163396758)\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://raw.githubusercontent.com/subgraph/oz/docs/images/oz_logo_02.png\" alt=\"Obsidian Zebra\" 
/\u003e\n\u003c/p\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsubgraph%2Foz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsubgraph%2Foz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsubgraph%2Foz/lists"}