Can one use internet in a sandbox environment?
(A part of the system is always offline so that there no chances of a virus from the internet)

The options I got from searching are
1. chrooting or FreeBSD jail
2. Using a docker container
3. Type1 hypervisors (directly run on the physical hardware) like Linux KVM
4. Type2 hypervisors (run as an application on an existing operating system) like Oracle VirtualBox
5. Block internet for the root user in Linux and allow internet only for other users.
But it looks like if you enable internet connection for non-root user then the root user is automatically connected to the internet (I maybe wrong).

I have tried using some commands (THERE MAYBE RISK INVOLVED IN DOING SO) like:
sudo iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT (replacing USERNAME with root)
but I had to restart the system to enable the internet connection again.


I think the option 4. maybe the best but I would like to know more details such as whether there could be any interaction/data transmission between two KVMs.

Note: I decided to create thread in General sub-forum than Virtualisation sub-forum as there are other points for discussion too.

Hello and welcome to LQ.

Yes.

One can't prove that all your choices are 100% secure to the host.

One could run a fully updated usb drive that didn't let the host disk get mounted automatically I'd think would secure it more.

Do you mean storing important files for offline use on a usb drive rather than on the system?.

If I need to copy some files from the system (which has internet access) to the usb then is there a way to be 100% sure that the usb won't be affected by a virus?

What I meant was to boot from a usb flash drive. Keep it from mounting any of your secure drives. Keep it fully updated.

A normal install to a usb will create an install as if it were a real hard drive on almost all modern distro's.

Thanks jefro for elaborating.

I understand that preventing automatic mounting of your secure drive would prevent any infection.

I would go one step further (I hope this is ok)

How would one transfer data from an internet-enabled device to a offline device/disk and make sure that the offline device/disk is not infected? (only the offline device can access (read/write) from the internet-enabled device and not the other way)

I am giving a scenario: (Devices: PC Hard Disk having important files for offline use, USB Device for data transfer and Mobile Device which has internet connection)
1. I have a hard disk that is offline (Linux OS).
2. I use a mobile device for internet, gather some data and transfer that to a usb device (via OTG).
3. I have to mount the usb device to the hard disk since I need the gathered data.
4. Give read and write permission to the usb.
5. I copy the gathered data from usb to the hard disk. Use/process the data as per needs
6. I write some data back to the usb if needed.
7. Connect usb to the mobile device if needed.

Data from mobile --> usb --> Hard disk
Data from Hard disk --> usb --> Mobile

How do I make sure that only the hard disk can read and write to the usb device and prevent the usb to read/write any hard disk data?

This is the big issue of security. You can't be fully sure. You can't take untrusted outside data and ever get it close to inside secure data. Defeats the entire gap process.

Just make a less secure system and keep secure system walled.

1 members found this post helpful.

Browser running in Sandboxie in a Windows VirtualBox VM for me. Can never be too careful...

If any downloaded files need transferring, they are first run through VirusTotal and Jotti while still in the sandbox, before being recovered from it.

This will open Firefox in a sandboxed environment and dispose of files saved in the temporary /home directories created by the --private argument.
If you're not a command line user, there's a GUI front-end called firetools

PDFs you download from the internet can "phone home" via embedded I-frames... You can prevent that too with firejail by opening up PDFs in a sandbox and denying it network access:

Look into a WORM device (Write Once Read Many) their mainly used to store log files to ensure they dont get altered.

are you saying this is how you always browse the WWW? like, right now?

No. There is no need to wear protective suits all the time, only when the occasion demands.

Yes, incase the usb device has an exe file virus which runs automatically when mounted (for Windows OS). Even multimedia and other files can have a virus.

But taking extreme precautions I think we can still prevent infection.

Example: If I need to just copy a user-created .txt file (no hidden extension) from the usb device to the hard disk, then there is no chance of a virus infecting the hard disk as a simple .txt file cannot have a virus.

If someone can answer this question (which I have posted previously) then it would greatly helpful!
How do I make sure that only the hard disk can read and write to the usb device and prevent the usb to read/write any hard disk data?


Thanks young_jedi for the useful information.

I am assuming that you are suggesting to use a WORM device to store important data which cannot be altered. Even though the data cannot be modified it can still be read and hence it can be stolen (correct me if wrong).

Think of it as a dropbox where you drop stuff into it, but you cant look inside.. Only user's with the proper permissions (e.g. root or a sudo user) should be able to get accesss to those files (unless they can mount your drive when you're not using it; in that case make sure its encrypted via full disk encryption)..

i cannot imagine what occasion would demand running a browser in sandbox software on a windows vm.
i would ask you to elaborate, but probably you want to keep that secret.
i guess i just never visit such sites.