puck

puck is an AppJail application that uses a very restricted, ephemeral jail to convert a potentially suspicious PDF into a trustworthy one.

This application is basically a few patches for qubes-app-linux-pdf-converter, so you are essentially using the original application; the patches are only necessary to make it work on FreeBSD. There is one subtle difference: both the client and server run inside the jail, so no dependencies need to be installed for the client to work. Just run the Makejail file as described below.

For more details, please see the article in which this concept was originally introduced:

http://blog.invisiblethings.org/2013/02/21/converting-untrusted-pdfs-into-trusted.html

How to use this Makejail

# appjail makejail \
    -f gh+AppJail-makejails/puck \
    -o container="args:--pull" \
    -- \
    --puck_file /path/to/your/suspicious/file.pdf
...
# xdg-open file.trusted.pdf
...

Arguments

• puck_file (mandatory): Suspicious PDF file.
• puck_output (default: ${APPJAIL_PWD}): Output file or directory. The current directory is used by default.
• puck_nostop (optional): Don't stop the jail.
• puck_from (default: ghcr.io/appjail-makejails/puck): Location of OCI image. See also OCI Configuration.
• puck_tag (default: latest): OCI image tag. See also OCI Configuration.

Environment

• PUCK_RESOLUTION (default: 300): Resolution of output.
• PUCK_BATCH (default: 50): Maximum number of conversion tasks.
• PUCK_COMPRESSION (default: 1): Enable compression. Set this environment variable to 0 to disable compression.
• PUCK_COMPRESSION_WITH_GRAYSCALE (default: 0): Enable grayscale conversion which can further reduce output size.
• PUCK_COMPRESSION_RESOLUTION (default: 72): Resolution in DPI.

OCI Configuration

build:
  variants:
    - tag: 15.0
      containerfile: Containerfile.pkg
      aliases: ["latest"]
      default: true
      args:
        FREEBSD_RELEASE: "15.0"
        PYTHON_VERSION: "311"

Notes

1. This Makejail includes gh+AppJail-makejails/user-mapping.