Sandboxed browser on Kubuntu 13.10

I consider it good practice to make your Internet browser run in a sandbox and do whatever possible to make the fences around the sandbox as tight as possible.

Here is an example on how to do this on Kubuntu 13.10. In this example, the Firefox browser will be made to run in sandbox consisting of a virtual machine and AppArmor (based on QEMU/KVM):


sudo aptitude install qemu-kvm libvirt-bin bridge-utils virt-manager spice-client


  1. Download an ISO image of a Linux Distribution (say, Peppermint OS, for example).
  2. Start virt-manager to configure your VM (let’s call it sandboxedbrowser) and install the just downloaded image.
    • Make sure to use spice as display, QXL as video card, kvm64 or kvm32 as CPU model, and AC97 as sound card.
  3. Once installed, run (assuming a Ubuntu derived distribution)
    sudo aptitude install spice-vdagent
    on the guest.
  4. Add /usr/share/X11/xorg.conf.d/09-qxl.conf (assuming an Ubuntu derived guest OS) with the following contents:
    Section "Device"
    Identifier "QXL video"
    Driver "qxl"
    Option "EnableSurfaces" "0"
  5. Shutdown the guest
  6. On the host, modify the bottom of /etc/init/libvert-bin.conf to contain the line “export QEMU_AUDIO_DRV=spice” right before the libvirtd is started. That is, something like the following:
    [ -r /etc/default/libvirt-bin ] && . /etc/default/libvirt-bin
    export QEMU_AUDIO_DRV=spice
    exec /usr/sbin/libvirtd $libvirtd_opts
    end script
  7. Quit virt-manager
  8. restart libvirt:
    sudo /etc/init.d/libvirt-bin restart
  9. Restart the guest OS and use spicec to get access to display, sound, and clipboard of the guest:
    virsh start sandboxedbrowser
    spicec -h -h 5900

The QXL driver seems to be having resource management problems. If you don’t manually modify the Xorg configuration, you’ll eventually have Xorg.0.log filled up with “Out of surface” statements, and the desktop of the guest OS will become very slow and sometimes unresponsive. Step 4 above fixes this.

Step 3 ensures clipboard integration between guest and host. It also improves mouse integration and ensures that the X-session resolution automatically adjusts to the client display resolution. If you’re very paraniod (perhaps worried about accidental leakage of your host clipboard contents), you may want to disable the spice-vdagent (either don’t install it or stop it after booting up the guest).

On a Ubuntu derived guest OS, you may optionally want to enable the Firefox AppArmor profile on the guest (if you’re using Firefox as a browser). The default profile is not very restrictive, however, but it’s better than nothing. I’ve been thinking about writing a more restrictive AppArmor profile for Firefox, but have not been able to get this done, yet.

Leave a Reply

Your email address will not be published. Required fields are marked *