{{Header}}
{{#seo:
|description=This page is targeted at users who wish to improve the security of their {{project_name_workstation_long}} to become even more secure.
|image=whonixworkstation3423423.png
}}
[[File:whonixworkstation3423423.png|thumb|275px]]
{{intro|
This page is targeted at users who wish to improve the security of their {{project_name_workstation_short}} to become even more secure.
}}
= Introduction =

{{security_intro}}

This page is targeted at users who wish to improve the security of their {{project_name_workstation_short}} for even greater protection.

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = '''Tip:''' {{project_name_long}} implementation examples are based on Debian. To use a customized {{project_name_workstation_short}} VM based on other operating systems, see [[Other_Operating_Systems|here]]. For technical design notes, see [[Operating_System|here]].
}}

If the {{project_name_workstation_short}} (<code>{{project_name_workstation_vm}}</code>) VM is ever compromised, the attacker has access to the data it contains, including all credentials, browser data and passwords. The IP address is never leaked since this requires a compromise of the {{project_name_gateway_long}} (<code>{{project_name_gateway_vm}}</code>) VM, but this information may still result in identity disclosure.

== {{non_q_project_name_short}} ==

Best practice is to:

# Keep a clean master copy of the {{project_name_workstation_short}} VM.
# Make snapshots / clones of the master copy.
# Only use the snapshots / clones for Internet activity.
# Periodically delete old snapshots / clones.

This way it is possible to 'rollback' -- use a new clean clone / snapshot VM -- after risky activity or if a system compromise is suspected. See the multiple [[#VM_Snapshots|VM Snapshots]] recommendation below.

== {{q_project_name_long}} ==

Best practice is to:

* Use [[Qubes/Disposables|Disposables]] for all Internet activity; or
* Periodically delete the {{project_name_workstation_short}} AppVM(s) and create fresh instances from the {{project_name_workstation_short}} Template.

{{Anchor|Recommendation to use multiple VM Snapshots}}

= AppArmor =

It is recommended to enable the [[AppArmor|{{project_name_short}} AppArmor profiles]] which are available for various applications that are run in either the {{project_name_gateway_short}} or {{project_name_workstation_short}}, such as Tor, Tor Browser, Thunderbird and others. The profiles are easy to apply and provide a considerable security benefit.

= File Storage Location =
{{kicksecure_wiki
|wikipage=Computer_Security_Introduction#File_Storage_Location
|text=See File Storage Location.
}}

= Firejail =

{{mbox
| image   = [[File:Ambox_warning_pn.svg.png|40px]]
| text    = Firejail should be used with caution. While it can be used to restrict Tor Browser, Firefox-ESR, VLC and other regularly used applications, this comes with an increased [https://forums.whonix.org/t/tor-browser-hardening-hardened-malloc-firejail-apparmor-vs-web-fingerprint/7851/54 fingerprinting risk]. Further, {{project_name_short}} developer madaidan has noted: <ref>https://madaidans-insecurities.github.io/linux.html#firejail</ref>
<blockquote>[https://firejail.wordpress.com/ Firejail] is another common sandboxing technology however, it is also insufficient. Firejail worsens security by acting as a privilege escalation hole — Firejail requires being [https://en.wikipedia.org/wiki/Setuid setuid], meaning that it executes with the privileges of the executable's owner which in this case, is the root user. This means that a vulnerability in Firejail can allow escalating to root privileges.

As such, great caution should be taken with setuid programs, but Firejail instead focuses more on usability and unessential features which adds significant attack surface and complexity to the code, resulting in [https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firejail numerous privilege escalation and sandbox escape vulnerabilities], [https://seclists.org/oss-sec/2017/q1/25 many of which aren't particularly complicated].</blockquote>
}}

== Introduction ==

According to the Firejail project page: <ref>https://firejail.wordpress.com/</ref>

<blockquote>Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. The program is released under GPL v2 license.</blockquote>

Firejail has built-in profiles for a large number of popular Linux programs, including many which are used in {{project_name_short}}. A small sample of the 100+ profiles includes: Chromium, CryptoCat, Thunar, Evince, Firefox, HexChat, LibreOffice, Okular, Thunderbird, Transmission, VirtualBox, VLC and wget. <ref>https://github.com/netblue30/firejail/tree/master/etc</ref>

== Launch Firejailed Applications ==

{{mbox
| type      = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = In [[Qubes|{{q_project_name_short}}]], create a new {{project_name_workstation_short}} AppVM based on any modified, cloned template(s) before running any applications. Never launch applications in the {{project_name_workstation_short}} Template.
}}

To run sandboxed applications, simply prefix the program command with "firejail" in a terminal. For example:

{{CodeSelect|code=
firejail evince
}}
{{CodeSelect|code=
firejail vlc
}}

For [[Tor Browser]] see [[Tor_Browser#Hardening|Tor Browser Hardening]] instead.

To confirm an application is sandboxed, open a terminal and run.

    firejail --tree

== Additional Firejail Options ==

The full list of Firejail command line options can be found in the [https://firejail.wordpress.com/features-3/ official documentation]. Alternatively, run the following terminal command in {{project_name_workstation_short}} (<code>{{project_name_workstation_vm}}</code>).

{{CodeSelect|code=
man firejail
}}

Firejail has a host of additional security features. For instance, VLC could be run while blocking access to the Internet as follows.

{{CodeSelect|code=
firejail --net=none vlc
}}

Similarly, the following commands would run VLC with seccomp restrictions and debug output. <ref>Preliminary tests of other security features reveals they are not yet functional in {{project_name_short}}, for instance {{code|--apparmor}}, {{code|--private}}, and {{code|--overlay-tmpfs}}. If the user does not specify a path to a specific profile when running Firejail, it will search for any relevant profile automatically. If a specific profile is not located, a default profile will be used.</ref>

{{CodeSelect|code=
firejail --debug vlc
}}

For a further technical discussion of Firejail containment options, see [https://forums.whonix.org/t/firejail-seccomp-more-options-for-program-containment here]. To build a customized Firejail profile for other applications, follow [https://firejail.wordpress.com/documentation-2/building-custom-profiles/ these steps].

== Firejail Firefox-ESR in Qubes Debian AppVM ==

{{mbox
| image   = [[File:Ambox_warning_pn.svg.png|40px]]
| text    = '''Warning:''' Do not use Firefox-ESR in a {{project_name_short}} template! It is easily fingerprinted and is less secure than Tor Browser.
}}

It is recommended to clone the Debian Template before proceeding, as a number of dependencies are installed:

* In a Debian AppVM, [[{{project_name_workstation_short}}_Security#Launch_Firejailed_Applications|launch a firejailed Firefox-ESR application]].
* Confirm Firefox-ESR is sandboxed:
** {{CodeSelect|code=
firejail --tree
}}

The output should confirm Firefox-ESR is now running in a firejail container.

    XXXX:user:firejail /usr/lib/firefox-esr/firefox-esr

= Network Adapters =

{{Anchor|Adding a Host-Only Networking Adapter to {{project_name_workstation_short}} / SSH into {{project_name_workstation_short}}}}
== Add a Host-Only Networking Adapter / SSH into {{project_name_workstation_short}} ==

If accessing the {{project_name_workstation_short}} via SSH, some users may consider something dangerous - adding a second network adapter with [https://www.virtualbox.org/manual/ch06.html#network_hostonly host-only networking].

{{mbox
| image   = [[File:Ambox_warning_pn.svg.png|40px]]
| text    = '''Warning:''' Never add another network adapter in this manner! It is also potentially dangerous if any other VMs are running except the {{project_name_workstation_short}}. The reason is that it will expose the MAC address of the host to the {{project_name_workstation_short}}.
}}

The VMware host-only warning regarding routing and connection sharing may equally apply to Whonix: <ref>https://www.vmware.com/support/ws4/doc/network_host_ws.html</ref>

<blockquote>If you install the proper routing or proxy software on your host computer, you can establish a connection between the host virtual Ethernet adapter and a physical network adapter on the host computer. This allows you, for example, to connect the virtual machine to a Token Ring or other non-Ethernet network.

On a Windows 2000, Windows XP or Windows Server 2003 host computer, you can use host-only networking in combination with the Internet connection sharing feature in Windows to allow a virtual machine to use the host's dial-up networking adapter or other connection to the Internet. See your Windows documentation for details on configuring Internet connection sharing.</blockquote>

If it is necessary to SSH or VNC into {{project_name_workstation_short}}, then use one of these recommended methods:

* It is safest to do this from another {{project_name_workstation_short}}. When using VMs, they can see each other if they are within the same virtual LAN. When using [[Dev/Build_Documentation/Physical_Isolation|Physical Isolation]], VMs can see each other if they are within the same LAN.
* Alternatively, run the services using [[Onion Services]] and access them through another {{project_name_workstation_short}}.

The following methods are <u>not</u> recommended, since they risk weakening isolation between the host and {{project_name_workstation_short}}:

* Another alternative is to run the services using [[Onion Services]] and access them from the host using ordinary torification methods.
* A final method is to SSH from the host into {{project_name_gateway_short}} (see [[File Transfer]] for instructions) and then SSH from there [[File_Transfer#SSH_into_{{project_name_workstation_short}}|into {{project_name_workstation_short}}]].

{{Anchor|Adding a NAT Adapter to {{project_name_workstation_short}} / Updates without Tor}}
== Add a NAT Adapter / Updates without Tor ==
{{mbox
| image   = [[File:Ambox_warning_pn.svg.png|40px]]
| text    = '''Warning:''' Anonymity is compromised if another NAT network adapter is added to the {{project_name_workstation_short}}.
}}

If this advice is disregarded, then a user's identity is leaked if/when infection occurs. Therefore, it is strongly recommended to always update over the Tor network. Although Tor updating is slow by comparison, it prevents inadvertent leaks.

= VM Snapshots =
{{kicksecure_wiki
|wikipage=Virtualization_Platform_Security#VM_Snapshots
|text=Use VM snapshots.
}}.

Regular <i>clean</i> snapshots or clones of the master VM should be made for activities that require anonymity. Particular care must be taken that clean and unclean states are never mixed up!

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]