bcl / whonix-user-qemu

QEMU startup scripts for running Whonix as a user

Firejailed #2

Open MindMount opened 5 years ago

MindMount commented 5 years ago

This is superb, I have gotten Whonix QEMU running in a firejail sandbox with seccomp and user namespace. In order to get gateway and workstation to communicate I have to join workstation to the gateway sandbox. Performance is excellent.

For further isolation I tried launching them in separate firejails that share a network namespace but workstation isn't connecting to gateway. This is a bit beyond me but I'm close enough to taste it. Thanks for the great script!

bcl commented 5 years ago

Nice! What does your firejail cmdline look like?

MindMount commented 5 years ago

Launching gateway in whonix sandbox:

firejail --net=virbr0 --caps.drop=all --noroot --name=whonix /home/user/Downloads/Whonix/QEMU/whonix-user-qemu-master/run-gateway /home/user/Downloads/Whonix/QEMU/whonix-user-qemu-master/Whonix-Gateway-XFCE-15.0.0.0.9.qcow2

Then attach Whonix workstation to whonix sandbox:

firejail --caps.drop=all --noroot --join=whonix '/home/user/Downloads/Whonix/QEMU/whonix-user-qemu-master/run-workstation' '/home/user/Downloads/Whonix/QEMU/whonix-user-qemu-master/Whonix-Workstation-XFCE-15.0.0.0.9.qcow2'

There is an elegance to having both VMs run in a single sandbox, but for Qubes-like isolation ideally each would run in separate sandboxes. I have to figure out the loopback network to tunnel the workstation sandbox to the gateway, then networking can be disabled in the workstation sandbox and they no longer would need to be joined.

Tightening firejail such as --private --priv-temp --private-home can achieve Tails-style amnesiac Whonix instances or even multiple discrete Whonix instances. A QEMU firejail profile will also tighten security.
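As an added example (not code from this thread or from the whonix-user-qemu repository), a launch wrapper for the separate-sandbox layout MindMount is aiming for: each VM in its own firejail, both attached to one named network namespace through firejail's --netns option, which this example assumes rather than something the thread confirms works. It also assumes the namespace whonix-net was created beforehand with ip netns (with virbr0 reachable inside it) and that run-gateway and run-workstation live in SCRIPT_DIR.

```shell
#!/usr/bin/env bash
# Added example, not part of bcl/whonix-user-qemu. Runs gateway and workstation
# in two separate firejail sandboxes that share one pre-created network
# namespace (assumed: "ip netns add whonix-net" done beforehand), instead of
# --join-ing the workstation into the gateway sandbox.
set -eu

NETNS="${NETNS:-whonix-net}"          # shared network namespace (assumed name)
SCRIPT_DIR="${SCRIPT_DIR:-$(pwd)}"    # where run-gateway / run-workstation live

# Hardening flags from the thread (--caps.drop=all --noroot) plus a seccomp
# filter and a per-sandbox private /tmp so the two VMs cannot see each other's
# temporary files.
common_flags() {
  printf '%s ' --caps.drop=all --noroot --seccomp --private-tmp
}

# Print (do not execute) the firejail command line for the gateway sandbox.
gateway_cmd() {
  printf 'firejail --name=whonix-gw --netns=%s %s%s/run-gateway %s\n' \
    "$NETNS" "$(common_flags)" "$SCRIPT_DIR" "$1"
}

# Print the workstation command line: its own sandbox, same network namespace.
workstation_cmd() {
  printf 'firejail --name=whonix-ws --netns=%s %s%s/run-workstation %s\n' \
    "$NETNS" "$(common_flags)" "$SCRIPT_DIR" "$1"
}

# Pre-flight: the disk image must exist as a regular, writable file; otherwise
# QEMU would fail late, inside the sandbox, with a less obvious error.
check_image() {
  [ -f "$1" ] && [ -w "$1" ]
}

# launch GATEWAY.qcow2 WORKSTATION.qcow2 -- starts both sandboxes, gateway first.
launch() {
  check_image "$1" || { echo "gateway image not usable: $1" >&2; return 1; }
  check_image "$2" || { echo "workstation image not usable: $2" >&2; return 1; }
  eval "$(gateway_cmd "$1")" &
  sleep 5      # let the gateway bring up its interface before the workstation boots
  eval "$(workstation_cmd "$2")" &
  wait
}
```

Run as `launch /path/to/Whonix-Gateway.qcow2 /path/to/Whonix-Workstation.qcow2` after sourcing the script; `gateway_cmd` and `workstation_cmd` can be called alone to review the exact command lines before anything is started.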