From be812c36b9cdece4deb679fbf3eed4dc8528b14c Mon Sep 17 00:00:00 2001 From: Jordan Herzstein <63795875+jherzstein@users.noreply.github.com> Date: Sat, 21 Feb 2026 22:36:13 -0500 Subject: [PATCH 1/5] docs: Dangerzone FAQ entry --- content/FAQ.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/content/FAQ.md b/content/FAQ.md index 8a49e32..4031372 100644 --- a/content/FAQ.md +++ b/content/FAQ.md @@ -45,6 +45,7 @@ permalink: /faq - [Why am I unable to start containers?](#container-userns) - [How do I allow a specific container to be run?](#container-policy) - [How do I enable userns for other apps?](#unconfined-userns) + - [How do I manage potentially dangerous files or attachments?](#safe-pdfs) - [Why are Bluetooth kernel modules disabled? How do I enable them?](#bluetooth) - [How do I provision signed Distroboxes?](#distrobox-assemble) - [How do I customize secureblue?](#customization) 
@@ -347,6 +348,14 @@ ujust set-unconfined-userns on Attempting to bubblewrap a program without first enabling the ability toggled by the ujust above will result in a `bwrap: Creating new namespace failed: Permission denied` error, but beware that enabling it results in a security degradation. Consult our [user namespaces article](/articles/userns) for more details. +### [How do I manage potentially dangerous files or attachments?](#safe-pdfs) +{: #safe-pdfs} +There is a command to install the program [Dangerzone](https://dangerzone.rocks) which is designed sanitize potentially dangerous pdfs, office documents, or images safely. Note that this comes with the caveat of having to enable [container userns](#container-userns) and "admin-only attach" ptrace, [setting `ptrace_scope` to `2` or lower](https://github.com/secureblue/secureblue/issues/1523#issuecomment-3453657980), allowing privilledged/root users to attach or trace child processes. Dangerzone runs Podman under the hood, and requires [gVisor](https://gvisor.dev/) to run document processing workloads in an isolated sandbox [which needs Linux's ptrace subsystem to intercept system calls](https://gvisor.dev/blog/2024/09/23/safe-ride-into-the-dangerzone/). + +``` +ujust install-dangerzone +``` + ### [Why are Bluetooth kernel modules disabled? How do I enable them?](#bluetooth) {: #bluetooth} From a7b8485690c250d5520995d06317119684afc151 Mon Sep 17 00:00:00 2001 From: Jordan Herzstein <63795875+jherzstein@users.noreply.github.com> Date: Sun, 22 Feb 2026 10:13:00 -0500 Subject: [PATCH 2/5] fix: (FAQ) Dangerzone whitespace correction --- content/FAQ.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/FAQ.md b/content/FAQ.md index 4031372..a0bce64 100644 --- a/content/FAQ.md +++ b/content/FAQ.md 
@@ -350,6 +350,7 @@ Attempting to bubblewrap a program without first enabling the ability toggled by ### [How do I manage potentially dangerous files or attachments?](#safe-pdfs) {: #safe-pdfs} + There is a command to install the program [Dangerzone](https://dangerzone.rocks) which is designed sanitize potentially dangerous pdfs, office documents, or images safely. Note that this comes with the caveat of having to enable [container userns](#container-userns) and "admin-only attach" ptrace, [setting `ptrace_scope` to `2` or lower](https://github.com/secureblue/secureblue/issues/1523#issuecomment-3453657980), allowing privilledged/root users to attach or trace child processes. Dangerzone runs Podman under the hood, and requires [gVisor](https://gvisor.dev/) to run document processing workloads in an isolated sandbox [which needs Linux's ptrace subsystem to intercept system calls](https://gvisor.dev/blog/2024/09/23/safe-ride-into-the-dangerzone/). ``` From 0c6ad6af9e1f2ba71aeb4dac37955bcc6c82aa75 Mon Sep 17 00:00:00 2001 From: Jordan Herzstein <63795875+jherzstein@users.noreply.github.com> Date: Sun, 22 Feb 2026 10:52:33 -0500 Subject: [PATCH 3/5] fix: Dangerzone FAQ remove trailing whitespace. --- content/FAQ.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/FAQ.md b/content/FAQ.md index a0bce64..01896fa 100644 --- a/content/FAQ.md +++ b/content/FAQ.md 
@@ -351,7 +351,7 @@ Attempting to bubblewrap a program without first enabling the ability toggled by ### [How do I manage potentially dangerous files or attachments?](#safe-pdfs) {: #safe-pdfs} -There is a command to install the program [Dangerzone](https://dangerzone.rocks) which is designed sanitize potentially dangerous pdfs, office documents, or images safely. Note that this comes with the caveat of having to enable [container userns](#container-userns) and "admin-only attach" ptrace, [setting `ptrace_scope` to `2` or lower](https://github.com/secureblue/secureblue/issues/1523#issuecomment-3453657980), allowing privilledged/root users to attach or trace child processes. Dangerzone runs Podman under the hood, and requires [gVisor](https://gvisor.dev/) to run document processing workloads in an isolated sandbox [which needs Linux's ptrace subsystem to intercept system calls](https://gvisor.dev/blog/2024/09/23/safe-ride-into-the-dangerzone/). +There is a command to install the program [Dangerzone](https://dangerzone.rocks) which is designed sanitize potentially dangerous pdfs, office documents, or images safely. Note that this comes with the caveat of having to enable [container userns](#container-userns) and "admin-only attach" ptrace, [setting `ptrace_scope` to `2` or lower](https://github.com/secureblue/secureblue/issues/1523#issuecomment-3453657980), allowing privilledged/root users to attach or trace child processes. Dangerzone runs Podman under the hood, and requires [gVisor](https://gvisor.dev/) to run document processing workloads in an isolated sandbox [which needs Linux's ptrace subsystem to intercept system calls](https://gvisor.dev/blog/2024/09/23/safe-ride-into-the-dangerzone/). ``` ujust install-dangerzone From 28a10907e183bff1e0d11fbcc3ad052d6664aef8 Mon Sep 17 00:00:00 2001 
From: Jordan Herzstein <63795875+jherzstein@users.noreply.github.com> Date: Sun, 22 Feb 2026 15:50:11 -0500 Subject: [PATCH 4/5] docs: Dangerzone FAQ edit based on reviewer feedback. --- content/FAQ.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/FAQ.md b/content/FAQ.md index 01896fa..1c9d952 100644 --- a/content/FAQ.md +++ b/content/FAQ.md 
@@ -351,12 +351,14 @@ Attempting to bubblewrap a program without first enabling the ability toggled by ### [How do I manage potentially dangerous files or attachments?](#safe-pdfs) {: #safe-pdfs} -There is a command to install the program [Dangerzone](https://dangerzone.rocks) which is designed sanitize potentially dangerous pdfs, office documents, or images safely. Note that this comes with the caveat of having to enable [container userns](#container-userns) and "admin-only attach" ptrace, [setting `ptrace_scope` to `2` or lower](https://github.com/secureblue/secureblue/issues/1523#issuecomment-3453657980), allowing privilledged/root users to attach or trace child processes. Dangerzone runs Podman under the hood, and requires [gVisor](https://gvisor.dev/) to run document processing workloads in an isolated sandbox [which needs Linux's ptrace subsystem to intercept system calls](https://gvisor.dev/blog/2024/09/23/safe-ride-into-the-dangerzone/). +The program [Dangerzone](https://dangerzone.rocks/) is designed to sanitize potentially dangerous PDFs, office documents, or images in a sandboxed environment. To install Dangerzone, run: ``` ujust install-dangerzone ``` +Note that this comes as a security trade-off, it requires enabling [container-domain user namespaces](#container-userns) and "admin-only attach" ptrace (`ptrace_scope` is set to `2`), allowing privileged users to attach to or trace child processes. Dangerzone runs Podman under the hood, and requires [gVisor](https://gvisor.dev/) to run document processing workloads in an isolated sandbox, [which needs Linux's ptrace subsystem to intercept system calls](https://gvisor.dev/blog/2024/09/23/safe-ride-into-the-dangerzone/). + ### [Why are Bluetooth kernel modules disabled? How do I enable them?](#bluetooth) {: #bluetooth} From 65e52ee3b8262f1c105cf313b830d1c5e2754181 Mon Sep 17 00:00:00 2001 
From: Jordan Herzstein <63795875+jherzstein@users.noreply.github.com> Date: Sun, 22 Feb 2026 15:52:22 -0500 Subject: [PATCH 5/5] docs: Another Dangerzone FAQ edit based on reviewer feedback. --- content/FAQ.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/FAQ.md b/content/FAQ.md index 1c9d952..5c71b17 100644 --- a/content/FAQ.md +++ b/content/FAQ.md @@ -357,7 +357,7 @@ The program [Dangerzone](https://dangerzone.rocks/) is designed to sanitize pote ujust install-dangerzone ``` -Note that this comes as a security trade-off, it requires enabling [container-domain user namespaces](#container-userns) and "admin-only attach" ptrace (`ptrace_scope` is set to `2`), allowing privileged users to attach to or trace child processes. Dangerzone runs Podman under the hood, and requires [gVisor](https://gvisor.dev/) to run document processing workloads in an isolated sandbox, [which needs Linux's ptrace subsystem to intercept system calls](https://gvisor.dev/blog/2024/09/23/safe-ride-into-the-dangerzone/). +Note that this comes with a security trade-off: it requires enabling [container-domain user namespaces](#container-userns) and "admin-only attach" ptrace (`ptrace_scope` is set to `2`), allowing privileged users to attach to or trace child processes. Dangerzone runs Podman under the hood, and requires [gVisor](https://gvisor.dev/) to run document processing workloads in an isolated sandbox, [which needs Linux's ptrace subsystem to intercept system calls](https://gvisor.dev/blog/2024/09/23/safe-ride-into-the-dangerzone/). ### [Why are Bluetooth kernel modules disabled? How do I enable them?](#bluetooth) {: #bluetooth}
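
Review bot: In PATCH 1/5, first hunk, the new table-of-contents entry uses the anchor `#safe-pdfs`, but the heading it points to covers PDFs, office documents and images. An id named for the topic or the tool (for example `#dangerzone`) would still fit if the entry grows, and it is easier to settle this before the anchor is linked from elsewhere. The same id appears in the `{: #safe-pdfs}` line of the second hunk and would need to change with it.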
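
Review bot: PATCH 2/5 and PATCH 3/5 only repair whitespace introduced by PATCH 1/5 (the missing blank line after `{: #safe-pdfs}`, then trailing whitespace on the paragraph, where the removed and added lines are otherwise identical). Squash both into 1/5 before merging so the history carries one commit for the new entry rather than the entry plus its formatting fixups.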
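
Review bot: In PATCH 4/5, the rewritten note "it requires enabling [container-domain user namespaces](#container-userns) and "admin-only attach" ptrace" does not say who makes those changes: the reader cannot tell whether `ujust install-dangerzone` relaxes both settings itself or whether they must be enabled beforehand. State that explicitly, and say how to restore the previous settings if Dangerzone is later removed. This patch also drops the link to the issue comment that 1/5 gave as the source for the `ptrace_scope` requirement, and changes "`2` or lower" to "is set to `2`" without explanation; keep the reference so the claim stays traceable.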
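
Review bot: In PATCH 5/5, the final wording "allowing privileged users to attach to or trace child processes" is imprecise for the mode it names. With Yama's `ptrace_scope` at `2` (admin-only attach), ptrace is limited to processes holding `CAP_SYS_PTRACE`; it is not a rule about child processes as such. Suggest wording along the lines of "so that only processes with `CAP_SYS_PTRACE` can use ptrace", and writing the sysctl by its full name, `kernel.yama.ptrace_scope`, so readers can look it up. Since the sentence is presented as a trade-off, it would also help to say what the setting is on a default install, which the visible text never states.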