Dangerzone doc sanitizer

Dangerzone doc sanitizer from First Look Media now packaged for Debian. Uses containers for saboxing the conversion process. Supports OCR to make searchable PDF copies of documents.

Can we drop this into our repo?

1 Like

I don’t like dangerzone. It just uses a simple Docker container for “sandboxing” which is rather weak. We can make a much stronger sandbox ourselves with barely any syscall, file, etc. access. The conversion process won’t need many resources so it’s not hard to make very tight restrictions for it (which Docker doesn’t provide).

1 Like

I am not a big fan of docker just yet.

In context of their blog post, threat model it might even make sense.


Journalists on Windows are probably better off using an easy to use docker container wrapper (dangerzone) to open a PDF than opening it in Adboe Acrobat directly.

Docker based also means it might not easily start inside virtual machines since docker is also using virtualization since that would be nested virtualization?

1 Like

Docker doesn’t use virtualization. It’s basically a fancy chroot with namespaces and seccomp.

1 Like

It depends on the platform. Docker needs vtx on Windows and Mac, but there was work on doing away with this requirement.

In Linux it just needs cgroups. I might have to check if virtualization use is optional. If it’s possible on Linux wouldn’t this tool be worth it?

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]