[GH-ISSUE #1022] hybrid isolation approaches #699

New issue

Closed

opened 2026-05-05 06:28:21 -06:00 by gitea-mirror · 1 comment

gitea-mirror commented

2026-05-05 06:28:21 -06:00

Owner

Originally created by @xahare on GitHub (Jan 5, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1022

this isnt an issue, this is just the best forum i can think of to discuss hybrid isolation approaches.

for my own, im using virtual machines and firejail. sometimes in qubes-os, and sometimes my own scripted maze of virtualbox, packer, and ansible. a previous version did this with vmware, but virtualbox does a better job with usb device isolation. qubes-os is far better, but only some hardware can run it.

virtual machines drop the mic (sorry, couldnt resist), cameras and other devices (mute the mic in the host os. suspend all other VMs when you need that mic). this extends into protecting the host from malicious usb devices.

they also allow for typing into apps on vms that dont run x11. wayland, mac/windows vms etc. this is mostly for password keepers.

so the model is 4 vms. 1 usb canary that gets snapshotted / reset at each use, 1 package cache and "router", 1 password keeper, and the main one running firejail for everything else. the rest of the system is free for vagrant, whonix, disposable vms etc. ive tried the "router" taking a usb wifi device, leaving the host os either without network access and just routing through that vm. both have worked pretty well, except on a mac where you cant pci pass devices and the available usb wifi cards are weak compared to onboard ones.

the clipboard of the password keeper is either typed into the target vm, or copied to its clipboard.

the virtualbox python module messes up some non alphanumeric characters like ` and ~, and ive had a little trouble with xdotool in python, though i had no problems doing that through pure shell scripts. xdotool only works with x11 so i have little interest in taking the time to fix it. theres also vncdotool for vmware/kvm, and qemus built in send_key. has anyone here tried those?

has anyone here tried intels clear containers?

Originally created by @xahare on GitHub (Jan 5, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1022 this isnt an issue, this is just the best forum i can think of to discuss hybrid isolation approaches. for my own, im using virtual machines and firejail. sometimes in qubes-os, and sometimes my own scripted maze of virtualbox, packer, and ansible. a previous version did this with vmware, but virtualbox does a better job with usb device isolation. qubes-os is far better, but only some hardware can run it. virtual machines drop the mic (sorry, couldnt resist), cameras and other devices (mute the mic in the host os. suspend all other VMs when you need that mic). this extends into protecting the host from malicious usb devices. they also allow for typing into apps on vms that dont run x11. wayland, mac/windows vms etc. this is mostly for password keepers. so the model is 4 vms. 1 usb canary that gets snapshotted / reset at each use, 1 package cache and "router", 1 password keeper, and the main one running firejail for everything else. the rest of the system is free for vagrant, whonix, disposable vms etc. ive tried the "router" taking a usb wifi device, leaving the host os either without network access and just routing through that vm. both have worked pretty well, except on a mac where you cant pci pass devices and the available usb wifi cards are weak compared to onboard ones. the clipboard of the password keeper is either typed into the target vm, or copied to its clipboard. the virtualbox python module messes up some non alphanumeric characters like ` and ~, and ive had a little trouble with xdotool in python, though i had no problems doing that through pure shell scripts. xdotool only works with x11 so i have little interest in taking the time to fix it. theres also vncdotool for vmware/kvm, and qemus built in send_key. has anyone here tried those? has anyone here tried intels clear containers?

gitea-mirror

2026-05-05 06:28:21 -06:00

closed this issue
added the
information_old
label

gitea-mirror commented

2026-05-05 06:28:27 -06:00

Author

Owner

@netblue30 commented on GitHub (Jan 5, 2017):

virtual machines drop the mic (sorry, couldnt resist), cameras and other devices (mute the mic in the host os. suspend all other VMs when you need that mic). this extends into protecting the host from malicious usb devices.

That's the best feature of VMs, pure sandboxing will never be able to do it.

I am open to any kind of new developments in this area, something like starting a VM with firejail the same way we start today xpra or xephyr for x11. VMs and sandboxes will have to merge at some point.

@netblue30 commented on GitHub (Jan 5, 2017): > virtual machines drop the mic (sorry, couldnt resist), cameras and other devices (mute the mic in the host os. suspend all other VMs when you need that mic). this extends into protecting the host from malicious usb devices. That's the best feature of VMs, pure sandboxing will never be able to do it. I am open to any kind of new developments in this area, something like starting a VM with firejail the same way we start today xpra or xephyr for x11. VMs and sandboxes will have to merge at some point.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#699

No description provided.

Rows
Columns