PDF

To safely view a PDF document, while preventing damage from exploitation of vulnerabilities or malware infection, we can use firejail.

Firejail is a lightweight secuirty tool intended to protectd a Linux system by setting up a restricted environment for running (potentially untrusted) applications.

LogoGitHub - netblue30/firejail: Linux namespaces and seccomp-bpf sandboxGitHub

For the PDF document viewer, mudpdf will be a great option, due to it being lightweight and open-sourced.

LogoGitHub - ArtifexSoftware/mupdf: mupdf mirrorGitHub

firejail can be used to create a sandboxed environment for secure viewing of the PDF using mupdf :

Flags

  • --net=none: Disables all network acccess, expect for a new loopback interface (lo).

  • --caps.drop=all: Drop all capabilities for the processes running in the sandbox.

  • --nogroups : Disable supplementary groups.

  • --noroot: Install a user namespace with a single user - the current user. The root user does not exist in the new namespace.

  • --private=directory: Use directory as user home. This should be the directory where the .pdf file is present.

Reusable Bash function (~/.bashrc)

We can create a Bash function in ~/.bashrc that can be used as a simple command:

To load changes in ~/.bashrc:

Run this command after each update to the function in ~/.bashrc

To call the function:

firejail(1) - Linux manual pageman7.org
PreviousSafe document viewerNext.docx

Last updated