Paranoid-terminus

Paranoid, but lucid

Using qemu to run untrusted application

					On a system where the security matter, many common application are not secure by design. Browser, heavy mail or im client, window manager...
					Firefox is one of them, in a cycle of constant development, the code growth fast and fat, new features, functions, dependency are add and see the day on every release,
					along with it a pack of bugs, often leading to vulnerability that can be exploit and compromise the entire system.
					Knowing it, as the web is hard to avoid, we will confine Firefox inside a virtual environment using qemu, to ensure that even the worth happen, it will be limited to virtual system (except if qemu was successfully exploited to gain access to the host machine)
					The following "howto" will explain how to setup a minimal environment with Devuan, using qemu/spice to run a confined Firefox process, as it was an icons in your desktop.

Requirement

Check for the following requirement :

- Qemu and kvm
						- Devuan ASCII minimal live
						- Spicy gtk

Create the image hard drive

We will create a 8Gb qcow2 image where the virtual system will be install, run

user $ qemu-img create -f qcow2 devuan.qcow2 8G

Now let's create our qemu start, use your favorite text editor, create new file named devuan.sh and add this inside

devuan.sh
						#!/bin/sh
						qemu-system-x86_64 \
						-machine vmport=off \
						-cpu host \
						-boot d \
						-vga qxl \
						-enable-kvm \
						-daemonize \
						-m 2024 \
						-device ich9-ahci \
						-drive file=devuan-ascii-minimal.iso,index=2,media=cdrom \
						-drive file=devuan.qcow2,index=0,media=disk \
						-spice unix,addr=/home/neurosis/devuan.sock,disable-ticketing \
						-device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent \
						-device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
						"$@"
						exec spicy --uri='spice+unix:///home/neurosis/devuanbrowser.sock'
						

At the drive line, replace file= with what is revelant for you (path to the devuan iso and devuan qcow2 image)

A fast comment on this script :

-machine vmport=off : we disable vmware port emulation as it enable by default
						-boot d : we boot on the cdrom drive (devuan iso img)
						-vga qxl : Recommanded drivers graphics to use with spice protocol
						-daemonize : Allow the client GTK to run in the same "instance"
						-m 2024 : 2024mb ram maximum for the virtual system
						-drive : first cdrom (to handle the installer iso), seconds the qcow2 image as hard drive for the virtual machine
						
user $ ./devuan.sh

Install Devuan

At the login prompt, use the following credential

root # Username : root Password : toor

run setnet.sh to get the connection and start the installer script

root # refractainstaller
						Follow the basic instruction until you are asked to set the disk partition. Select the option cfdisk following by dos as boot sector
						Create a single partition that will take the 8Gb (full space), you don't need to change the type of filesystem however, do not forget to activate the boot flag. Select write and confirm with yes. quit cfdisk
						When the script ask to give full device for boot, set /dev/sda1 followed by ext4 as filesystem. The same is true for the root
						Select no when Encrypted partition is asked, for "set /home partition", just press enter. Hostname you may pick whatever you like (devuan, linux or systemdlover...).
						The script will now fetch and install the system, confirm with yes and wait until the script finish his job. You need to answer the last few questions, when you see "Disable auto-login", next, Press 2 (install bootloader and finish the installation)
						At this stage, the script failed to complete the install for me, this isn't a serious problem as we will now enter in our environment with chroot to install and config what we need
						Enter the following command to setup the chroot environment :
						
chroot
					mount /dev/sda1 /mnt
					mount -t proc proc /mnt/proc
					mount -R /sys /mnt/sys
					mount -R /dev /mnt/dev
					mount -R /tmp /mnt/tmp
					cp /etc/resolv.conf /mnt/etc/
					chroot /mnt /bin/bash
					

Tada, we are using our freshly installed devuan system, start by an general update

root # apt update && apt upgrade

If the script failed to complete, do the following

Fix grub
					apt install grub2
					grub-install /dev/sda
					grub-mkconfig > /boot/grub/grub.cfg
					

Before to change the password root and create a new system user make sure sudo is installed

root # apt install sudo

Change the root passwd

root # passwd root

Add a new user

root # adduser neurosis

Add the new user in the sudo group

root # usermod -a -G sudo neurosis

Edit /etc/sudoers and replace the default line %sudo by this one:

root # %sudo ALL=(ALL) NOPASSWD: ALL

We will now install the packages required for our setup

root # apt install xinit fluxbox firefox x11-xserver-utils spice-vdagentd openrc dhcpcd5
xinit / fluxbox : startx and a minimal WM
						x11-xserver-utils : needed for change the resolution of the virtual machine with xrandr
						spice-vdagentd : the guest daemon for the function mouse passtrough and the qxl display
						dhcpcd5 / openrc : start network at boot

You should add a terminal like rxvt-unicode or sakura in addition. Now open the inittab file (/etc/inittab) and look for the line starting by 1:2345:respawn and replace it by this one

1:2345:respawn:/bin/login -f neurosis tty1 </d/dev/tty1 >/dev/tty1 2>&1

Now login with your user

root # su neurosis

Make sure you are in your /home/$user directory. For run startx automatically :

user $ echo "startx" > ~/.bash_profile

You will need also to define the starting script of the WM

user $ echo "startfluxbox" > ~/.xinitrc

Add a startup script in your home directory to set the resolution and to run spice vdagent daemon automatically

start.sh
			
						# Set resolution (you can choice a different one, use xrandr to display all the resolution available)
xrandr --output Virtual-0 --mode 1280x960 # Make sure any previous socket are deleted sudo rm -rf /var/run/spice-vdagentd/* || true # Run spice vdagentd without the integration systemd sudo spice-vdagentd -x -X & spice-vdagent

Setup an unprivileged user to run firefox, as our main user have root permission without password

user $ sudo useradd --home=/home/firefox --create-home --shell /bin/false --user-group firefox

Make it password less

user $ echo "neurosis ALL=(firefox) NOPASSWD: /usr/bin/firefox" > /etc/sudoers.d/firefox

Create a launcher for firefox

firefox.sh
	
						# Run firefox as unprivilege user	
						xhost si:localuser:firefox
						sudo -u firefox firefox
						

Check if the base folder of fluxbox exist in your home (~/.fluxbox/), if not, copy /etc/X11/fluxbox to ~/.fluxbox . Open the file ~/.fluxbox/startup/, locate the line idesk & and add after it

user $ sh ~/start.sh &

user $ sh ~/firefox.sh & user $ rc-update add dhcpcd

You can before leave the chroot env, run to make grub boot instant (no timewait)

user $ sed -i 's/timeout=[0-9]/timeout=0/' /boot/grub/grub.cfg

exit the chroot, umount -lf /mnt and run poweroff

Open devuan.sh and replace boot d by boot c. If everything is set correctly, starting the virtaul env should after few seconds display

If you plan to run several virtual machine for isolate different apps, it's good idea to save the image in order to reuse it as many time as you need

Poweroff the virtual machine on application exit

It can be practical to auto poweroff the virtual machine when an application is close, example with Firefox

firefox.sh
	
					#!/bin/bash
					
					# Run firefox as unprivilege user	
					xhost si:localuser:firefox
					sudo -u firefox firefox

					while :; do

					   if [[ $(pidof firefox-esr) ]]; then
							sleep 2;
					   else
							$(sudo poweroff);
					   fi

					done
					

Borderless effect

It is possible to hide the window border of the guest application confined, you may refer to your WM manual to known how to do it. Regarding spicy however, you will have to patch client to add a visibility toggle of the menubar, the patch is available here Example with Firefox, running on fluxbox with the client spicy. The xprop result are made from both side

Visual integration of Firefox application