blob: 323cc34ef887fbe11457cbe38a07f52018ead968 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
[[!meta title="Virtualized GUI environments"]]
Can't or don't want to use [Qubes OS](https://www.qubes-os.org/)? Here comes a straightforward sollution
that, while not offering the same level of security, is practical enough to be implemented in the confort
of your current FOSS OS!
A picture
---------
Could you spot the difference between the Tor Browser running in the host for the one inside the virtual machine? That's what we want to achieve!
![Screenshot](screenshot.png)
First things first
------------------
What you can do:
1. Create a virtual machine image of the operating system of your choice like [this example](https://padrao.sarava.org/boxes/).
2. Setup basic X11 environment with automatic login and startup programs.
3. Configure your hypervisor to hide icons and additional decorations around the virtual machine.
4. Setup key bindings on your window manager to start/resume and stop/suspend the virtual machine.
Debian desktop
--------------
When using a debian virtual machine as a virtual desktop, consider the following:
apt-get install lightdm ratpoison plymouth
Make sure to configure `/etc/lightdm/lightdm.conf` with something like
autologin-user=vagrant
autologin-user-timeout=0
If using VirtualBox, you might also want to try [virtualbox-guest-x11](https://packages.debian.org/stable/virtualbox-guest-x11).
Features
--------
* Good security through isolation.
* Improved start/stop of your application by using virtual machine suspend/resume.
* Minor performance penalties while running the virtual machine.
Limitations
-----------
* Memory and disk consumption.
* Clipboard might still be available to the virtual environment, see [this discussion](http://theinvisiblethings.blogspot.com.br/2011/04/linux-security-circus-on-gui-isolation.html).
Future
------
* Automated expendable snapshots for one-time-use virtual machines.
* Automated recipes (puppet/ansible).
* Vagrant integration for fast provisioning of golden images.
* Alternatives to the VirtualBox hypervisor.
References
----------
Applications:
* [vbox script](https://git.sarava.org/?p=vbox.git;a=summary).
* [plymouth - Debian Wiki](https://wiki.debian.org/plymouth).
Other implementations:
* [Marco Carnut: Ambiente "Auto-Limpante" via Virtualização Ultra-Leve Descartável - Tempest Blog](http://blog.tempest.com.br/marco-carnut/ambiente-auto-limpante-via-virtualizacao-ultra-leve-descartavel.html).
* [Subgraph OS and Mail](https://subgraph.com/sgos/index.en.html) with [oz](https://github.com/subgraph/oz) sandboxing system.
|