As JavaScript features look funnier with every release, it seems wise to cut the browser off from the internet, or from the rest of the system: kernel, libraries, battery state information… On one hand a browser in a virtual machine is not safe (see the remote_code_execution CVE's at the bottom to get some insight); on the other hand it is probably still much safer than a browser with access to the rest of the system. As HTTPS Everywhere, ABP and NoScript have become “must-have”, a Live-CD style virtual machine is not an option, but persistence inherently also means persistence of unwelcome RATs. These two antagonistic demands can be resolved if the machine can be run in an “amnesic mode” on one occasion (browsing) and in a “persistent mode” on another (fiddling with NoScript, updating).
I do not use VBox in my native setup, but when I searched for a solution to this problem I ran into an interesting feature. You can configure a VBox HDD in write-through or immutable mode, as explained on this wiki page; both options should do the trick.
When I searched for an “immutable mode” in KVM I found out that nothing like it exists. It can still be done by cloning the “persistent” disk and thus creating an “amnesic” one, or by keeping a snapshot of the HDD and, every time you start to feel that a cleaning is due, reverting to that snapshot.
I chose the cloning variant, as I want to limit writes to the HDD. I prepared an amnesic clone of the persistent virtual machine. The disk of the amnesic virtual machine is located in RAM (it is 2.2 GB in my setup). Copying the persistent disk image to RAM takes me a few seconds on my HDD; on an SSD it will probably be even faster. It can be automated with a cp + chown routine. Responsiveness in this case is much better and, importantly for users with an SSD, the amount of disk writes should be much lower compared to the snapshot method.
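The cp + chown routine described above, written out as an added example (not the post's own script): it copies the persistent image onto tmpfs, runs a user-supplied VM command with the clone, and discards the clone afterwards. The paths, the AMNESIC_DISK variable and the use of a RAM-backed directory such as /dev/shm are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: make a throw-away "amnesic" copy
# of the persistent guest disk on tmpfs, run the VM against it, then discard it.
# The hypervisor command and all paths are assumptions supplied by the caller.
set -eu

# Copy the persistent image onto RAM-backed storage (e.g. /dev/shm) and hand it
# to the unprivileged user that runs the VM. Prints the clone path on stdout.
make_amnesic_clone() {
    src="$1"; dst_dir="$2"; owner="$3"
    [ -f "$src" ] || { echo "no persistent image at $src" >&2; return 1; }
    mkdir -p "$dst_dir"
    clone="$dst_dir/$(basename "$src" | sed 's/persistent/amnesic/')"
    cp "$src" "$clone"          # the cp + chown routine from the post
    chown "$owner" "$clone"
    chmod 0600 "$clone"         # nobody else on the host reads the guest disk
    echo "$clone"
}

# Refuse to clone when the image would not fit into the RAM-backed directory.
fits_in_ram() {
    need_kb=$(( ( $(wc -c < "$1") + 1023 ) / 1024 ))
    mkdir -p "$2"
    free_kb=$(df -Pk "$2" | awk 'NR==2 {print $4}')
    [ "$need_kb" -le "$free_kb" ]
}

# Drop the clone so nothing from the browsing session survives.
discard_amnesic_clone() {
    rm -f "$1"
}

# One amnesic session: clone, run the given command with AMNESIC_DISK pointing
# at the clone (e.g. a qemu or virsh wrapper), discard the clone whatever the
# command's exit status was, and pass that status back to the caller.
run_amnesic_session() {
    src="$1"; dst_dir="$2"; owner="$3"; shift 3
    fits_in_ram "$src" "$dst_dir" || { echo "image too big for RAM" >&2; return 1; }
    clone=$(make_amnesic_clone "$src" "$dst_dir" "$owner")
    rc=0
    AMNESIC_DISK="$clone" "$@" || rc=$?
    discard_amnesic_clone "$clone"
    return "$rc"
}
```

Typical use is `run_amnesic_session /path/browser-persistent.qcow2 /dev/shm/vm "$USER" your-vm-launcher`, where the launcher reads the disk path from AMNESIC_DISK; the persistent image is never opened by the amnesic session.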
Size and simplicity of the guest are crucial for almost all of the methods mentioned above; these requirements are met by spartan distributions, probably Gentoo, Arch Linux, and minimal spins of distros (for example Debian server, Ubuntu server). By keeping the guest simple, the attack surface is reduced and the responsiveness of the system is improved.
The whole virtual machine is meant just for browsing. Keeping this in mind, three files should be modified to get your browser running as soon as possible.
In /etc/systemd/system/getty.target.wants/getty@tty1.service
ExecStart=-/sbin/agetty --noclear %I $TERM
change to (replacing *username* with the account that will run the browser):
ExecStart=-/sbin/agetty -a *username* %I $TERM
Add a few lines to ~/.bash_profile to start X only on the first virtual terminal, when no X session is running yet:
if [ -z "$DISPLAY" ] && [ -n "$XDG_VTNR" ] && [ "$XDG_VTNR" -eq 1 ]; then
    exec startx
fi
The smallest desktop environment is no environment. Edit your ~/.xinitrc file based on your preferences; the minimal version just starts the browser:
exec firefox