I consider it good practice to make your Internet browser run in a sandbox and do whatever possible to make the fences around the sandbox as tight as possible.
Here is an example of how to do this on Kubuntu 13.10. In this example, the Firefox browser is made to run in a sandbox consisting of a virtual machine (based on QEMU/KVM) and AppArmor:
sudo aptitude install qemu-kvm libvirt-bin bridge-utils virt-manager spice-client
- Download an ISO image of a Linux distribution (say, Peppermint OS, for example).
- Start virt-manager to configure your VM (let’s call it sandboxedbrowser) and install the image you just downloaded.
- Make sure to use spice as display, QXL as video card, kvm64 or kvm32 as CPU model, and AC97 as sound card.
- Once installed, run (assuming an Ubuntu-derived distribution)
sudo aptitude install spice-vdagent
on the guest.
- Add /usr/share/X11/xorg.conf.d/09-qxl.conf (assuming an Ubuntu-derived guest OS) with the following contents:
Section "Device"
    Identifier "QXL video"
    Driver "qxl"
    Option "EnableSurfaces" "0"
EndSection
- Shut down the guest.
- On the host, modify the bottom of /etc/init/libvirt-bin.conf to contain the line “export QEMU_AUDIO_DRV=spice” right before libvirtd is started. That is, something like the following:
[ -r /etc/default/libvirt-bin ] && . /etc/default/libvirt-bin
export QEMU_AUDIO_DRV=spice
exec /usr/sbin/libvirtd $libvirtd_opts
- Quit virt-manager
- Restart libvirt:
sudo /etc/init.d/libvirt-bin restart
- Restart the guest OS and use spicec to get access to display, sound, and clipboard of the guest:
virsh start sandboxedbrowser
spicec -h 127.0.0.1 -p 5900
The QXL driver seems to be having resource management problems. If you don’t manually modify the Xorg configuration, you’ll eventually have Xorg.0.log filled up with “Out of surface” statements, and the desktop of the guest OS will become very slow and sometimes unresponsive. Step 4 above fixes this.
Step 3 ensures clipboard integration between guest and host. It also improves mouse integration and ensures that the X-session resolution automatically adjusts to the client display resolution. If you’re very paranoid (perhaps worried about accidental leakage of your host clipboard contents), you may want to disable the spice-vdagent (either don’t install it or stop it after booting up the guest).
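Added example (not part of the original post): a check of the VM definition against the settings listed in the steps above, including the clipboard concern. It assumes the XML comes from `virsh dumpxml sandboxedbrowser`; the sample XML and the function name `audit_domain` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `virsh dumpxml sandboxedbrowser` output (not from the post).
SAMPLE_XML = """
<domain type='kvm'>
  <name>sandboxedbrowser</name>
  <cpu mode='custom' match='exact'><model>kvm64</model></cpu>
  <devices>
    <graphics type='spice' port='5900' autoport='no' listen='0.0.0.0'/>
    <video><model type='qxl'/></video>
    <sound model='ac97'/>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
    </channel>
  </devices>
</domain>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_domain(xml_text):
    """Return findings; an empty list means the definition matches the post's settings."""
    root = ET.fromstring(xml_text)
    findings = []
    gfx = root.find("devices/graphics[@type='spice']")
    if gfx is None:
        findings.append("display is not SPICE")
    else:
        # The address appears as a listen attribute and/or a <listen> child element.
        addrs = {gfx.get("listen")} | {l.get("address") for l in gfx.findall("listen")}
        exposed = sorted(a for a in addrs if a and a not in LOOPBACK)
        if exposed:
            findings.append("SPICE listens beyond loopback: " + ", ".join(exposed))
        # With the vdagent channel present, copy/paste works unless libvirt disables it.
        agent = root.find("devices/channel/target[@name='com.redhat.spice.0']")
        clip = gfx.find("clipboard")
        if agent is not None and (clip is None or clip.get("copypaste") != "no"):
            findings.append("clipboard sharing between host and guest is not disabled")
    video = root.find("devices/video/model")
    if video is None or video.get("type") != "qxl":
        findings.append("video card is not QXL")
    sound = root.find("devices/sound")
    if sound is None or sound.get("model") != "ac97":
        findings.append("sound card is not AC97")
    if root.findtext("cpu/model") not in ("kvm64", "kvm32"):
        findings.append("CPU model is not kvm64/kvm32")
    return findings

if __name__ == "__main__":
    for finding in audit_domain(SAMPLE_XML):
        print("FINDING:", finding)
```

Adding `<clipboard copypaste='no'/>` inside the `<graphics>` element is libvirt's host-side switch for copy and paste, so it does not depend on what runs in the guest.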
On an Ubuntu-derived guest OS, you may optionally want to enable the Firefox AppArmor profile on the guest (if you’re using Firefox as a browser). The default profile is not very restrictive, but it’s better than nothing. I’ve been thinking about writing a more restrictive AppArmor profile for Firefox, but have not been able to get this done yet.
Something is changing the sound settings automatically and sound may all of a sudden no longer be audible. This seems to happen more frequently when a monitor is connected to HDMI/DisplayPort.
I’m still not sure how to reproduce this problem exactly, and I’m also not sure how to make a workaround that will fix the problem every time it occurs. So far, however, it seems that the following may resolve the problem (temporarily):
pulseaudio -k
rm -rf ~/.config/pulse
rm ~/.cache/event-sound-cache.tdb.*
pulseaudio --start --log-target=syslog
Then open “Audio and Video Settings – KDE Control Center” and check the settings to make sure you use the following Audio Hardware Setup:
- Sound card: Built-in Audio
- Profile: Analog Stereo Duplex
- Sound Device: Playback (Built-in Audio Analog Stereo)
- Connector: Speakers
Hopefully, “PulseAudio Server” is now listed under “Device Preference”. Test:
- Use the test buttons in the KDE Control Center.
- paplay /usr/share/sounds/alsa/Front_Center.wav
I will have to do a bit more investigation before I can make a bug report that describes a 100% reproducible problem.
Installation went smoothly.
USB Ethernet Adapter (Lenovo Model U2L100P-Y1) works out of the box.
WebCam is working.
Buttons for screen brightness working.
Keyboard backlight working.
Media buttons (Speaker mute, play/pause, volume up/down, next, previous) working.
MIC Mute button is not working. This is because KDE 4.11.3 is built on top of Qt 4.8.3 and the XF86AudioMicMute key symbol is only handled in Qt 5.
The fingerprint reader works almost out of the box:
I installed fprintd libpam-fprintd fprint-demo and used fprint_demo to enroll fingerprints. Sadly, an old unresolved KDE bug report is still blocking the final integration with KDE:
After I connected a monitor via HDMI (1920×1080), the mouse cursor all of a sudden started to become very large on the laptop screen. I disabled resolution dependent cursor in System Settings, but then all fonts changed. The loss of default font configuration is a known problem in KDE, which has not been resolved, yet, unfortunately.
I installed firewalld and firewall-applet. I’ve been using ufw earlier on, but firewalld seems attractive due to its concept of zones, which integrate well with the NetworkManager. However, as far as I can tell, firewalld doesn’t block unwanted outgoing traffic by default, but this is something I can probably add later by means of firewalld’s “rich rules”.
IP configuration on the wwan0 interface failed on my Lenovo Carbon X1 with Kubuntu 13.10 (3.11.0-15-generic). The problem seemed to be due to a kernel change;
I followed the proposal made at the end of the bug report; add
options cdc_ncm prefer_mbim=N
That solved the problem!
And while I was at it, I also added
No reason to have avahi running on an interface towards the Internet.