====== Amnesia virtual machine for browsing ======

As JavaScript features look more and [[https://www.vusec.net/projects/anc/|more]] funny every time, it seems wise to cut the browser off from the reach of the internet, or from the rest of the system: kernel, libraries, battery state information... On one hand, a browser in a virtual machine is not safe (see the CVEs at the bottom of [[user:jenda:linux-insecurity#remote_code_execution]] to get some insight); on the other, it is probably still much safer than when it has access to the rest of the system.

Since HTTPS Everywhere, ABP and NoScript have become "must-haves", a Live-CD virtual machine is not an option, but persistence inherently also means persistence of unwelcome [[https://en.wikipedia.org/wiki/Remote_administration_tool | RATs]]. These two antagonistic demands can be reconciled if the machine is run in "amnesic mode" on one occasion (browsing) and in "persistent mode" on another (fiddling with NoScript, updating).

===== Setting up host =====

==== VirtualBox Approach ====

I do not use VBox in my native setup, but when I searched for a solution to this problem I ran into an interesting feature. A VBox HDD can be configured in write-through or immutable mode, as explained on [[http://virtuatopia.com/index.php/Understanding_and_Configuring_VirtualBox_Virtual_Hard_Disks#Normal.2C_Immutable_and_Write-Through_Disk_Images | this wiki page]]; both options should do the trick.

==== KVM Approach ====

When I searched for an "immutable mode" in KVM, I found out that nothing like this exists. It can still be done by cloning the "persistent" machine and thus creating an "amnesic" one, or by taking a snapshot of the HDD and reverting to that snapshot every time you start to feel that a cleanup is due.

I chose the cloning variant, as I want to limit writes to the HDD. I prepared an amnesic clone of the persistent virtual machine. The disk of the amnesic virtual machine is located in RAM (it's 2,2GB in my setup).
Creating a copy of the persistent disk image in RAM takes me a few seconds on my HDD; on an SSD it will probably be even faster. It can be automated with a routine of cp + chown commands. Responsiveness in this case is much better and, importantly for users with an SSD, the amount of disk writes should be much lower compared to the snapshot method.

===== Setting up guest =====

Size and simplicity of the guest are crucial for almost all methods mentioned above; those requirements are met by spartan distributions, probably Gentoo, Arch Linux, and minimal spins of distros (for example Debian server, Ubuntu server). Keeping the guest simple reduces the attack surface and also improves the responsiveness of the system.

=== Straight start ===

The whole virtual machine is meant just for browsing. With this in mind, three files should be modified to get your browser running as soon as possible.

== You don't want to log in to the tty session, you want it to happen automatically. ==

In /etc/systemd/system/getty.target.wants/getty\@tty1.service

  ExecStart=-/sbin/agetty --noclear %I $TERM

change to:

  ExecStart=-/sbin/agetty -a *username* %I $TERM

[[https://unix.stackexchange.com/questions/42359/how-can-i-autologin-to-desktop-with-systemd#289612 | link to original idea ]]

== You want to start X automatically ==

Add a few lines to ~/.bash_profile to start X:

  if [ -z "$DISPLAY" ] && [ -n "$XDG_VTNR" ] && [ "$XDG_VTNR" -eq 1 ]; then
    exec startx
  fi

[[https://wiki.archlinux.org/index.php/Start_X_at_login#Autostart_X_at_login | link to original source]]

== Choose your desktop environment wisely ==

The smallest desktop environment is no environment. Edit your ~/.xinitrc file based on your preferences.

  exec firefox
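For the host side, the cp + chown routine mentioned under the KVM approach could look like the script below. It is an added example, not the author's own script; the image path, the RAM-backed directory (/dev/shm) and the libvirt-qemu:kvm owner are assumptions that depend on the distribution.

```bash
#!/usr/bin/env bash
# Added example: rebuild the amnesic disk image in RAM from the persistent one.
# Usage (paths and owner are assumptions, adjust to your setup):
#   sudo ./refresh-amnesic.sh /var/lib/libvirt/images/browser.img /dev/shm/amnesia libvirt-qemu:kvm

refresh_amnesic_image() {
    local src="$1" dst_dir="$2" owner="$3"
    local dst="$dst_dir/amnesic.img" tmp need_kb free_kb

    [ -r "$src" ] || { echo "cannot read persistent image: $src" >&2; return 1; }
    mkdir -p "$dst_dir" || return 1

    # Discard the previous amnesic image first: whatever the last browsing
    # session wrote to it must not survive, and it frees RAM for the new copy.
    rm -f "$dst"

    # Refuse to fill the RAM-backed filesystem.
    need_kb=$(du -k "$src" | cut -f1)
    free_kb=$(df -Pk "$dst_dir" | awk 'NR==2 {print $4}')
    if [ "$need_kb" -ge "$free_kb" ]; then
        echo "not enough space in $dst_dir: need ${need_kb}K, have ${free_kb}K" >&2
        return 1
    fi

    # Copy under a temporary name so a half-written image is never booted.
    tmp=$(mktemp "$dst_dir/.amnesic.XXXXXX") || return 1
    if cp "$src" "$tmp" && chown "$owner" "$tmp" && chmod 600 "$tmp" \
        && mv -f "$tmp" "$dst"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Run only when called with the three arguments shown above.
if [ "$#" -eq 3 ]; then
    refresh_amnesic_image "$@"
fi
```

Run it before each browsing session while the amnesic guest is shut down; the persistent image is only ever read, so changes made in the amnesic guest never flow back into it.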