A guide to smart Sandboxing

A lot of time has passed since I installed Windows on my home computer. To be fair, I actually upgraded it from Windows 10 to 11, so a lot of years have passed and I’ve finally decided it’s time to do an old-fashioned format and re-install everything.

All these years I’ve been following a virtualization pattern that is very “paranoid” and consists of the following rules:

  1. My host has the bare minimal installed software and Hyper-V;
  2. I have a Virtual Machine for software development where I do my personal stuff;
  3. I have a Virtual Machine for work, which has my company logins, required software, certificates, etc. (the idea is that I don’t do personal stuff in this VM);
  4. I have a Virtual Machine for sandboxed browsing and testing. This is where I:
    • don’t have any of my accounts logged in;
    • have a specific browser version with blocking extensions;
    • open websites that might try to harm my system “without” fear.

First of all, why all this complexity?

  1. By keeping my host clean, I don’t even remember when I installed Windows, so I believe it’s a wonderful idea;
  2. By having a sandboxed VM for testing and downloading “stuff”, I was never afraid of installing malware on my PC. I could use snapshots to revert to previous installation points, so I felt safe;
  3. By having a VM dedicated to my personal work, I could have the same as 2. but now for software development purposes, such as testing new development tools, and a lot has happened with AI recently;
  4. By having a VM dedicated to work, I could use my full setup and use my wonderful keyboard, mouse and gorgeous display.

Next, let’s see the pain points:

  1. This requires a lot of RAM, and my host has 64GB of it;
  2. It’s hard to keep 4 operating system installations up to date;
  3. You need 4 Windows licenses. I bought those cheap ones like these, but it’s at least 50€;
  4. It’s hard to use hardware acceleration inside VMs. I tried Hyper-V and could never make it work, and VMware, where I made it work but the experience is not nearly perfect. It’s also tricky to manage peripherals. I always had a problem in my work VM when I had to do video calls. Sometimes the camera didn’t connect, sometimes it was the microphone, and only with VMware could I have a blurred background.

I had a plan to change this and I took these holidays to do it.

The new approach

After formatting, installing Windows 11 and installing my baseline software, it was time to replace each one of the VMs.

Replacing VM for software development where I do my personal stuff

This was where I needed to compromise the most because I had to install more software on my host; however, this was a controlled scenario. Because I work with OutSystems, this required me to install Service Studio only.

I eventually had to install more stuff because I’d like to experience other technologies, and for those tests I’ve also installed VS Code, Node.js and Docker.

Replacing VM where I do my professional work

This one was the easiest (but most expensive one). I’ve bought a KVM switch so I can use my keyboard, mouse and monitor with both my personal computer and my company laptop. Just by pressing a button, everything switches seamlessly between both machines.

Replacing VM for testing and downloading “stuff”

I think I left the best one until the end. I have Docker installed, so let’s leverage that…

In my VM I had a clean browser with no logged-in account and extensions that blocked ads, scripts, tracking cookies, etc., plus JDownloader, which deals with resumable downloads, captchas, etc., and I wanted to keep using it.

Container n1 – the browser sandbox – https://hub.docker.com/r/jlesage/firefox

You can read the full documentation in the provided link, but to sum up, when you run this container you’ll have a sandboxed installation of Firefox, and everything you do in this instance doesn’t affect your system.

For my scenario I want to persist my bookmarks, and I want the downloads I make in the Firefox instance to be mapped to one of my host’s folders. I was able to achieve this with the following Compose file:

services:
  firefox:
    image: jlesage/firefox
    container_name: firefox_secure
    shm_size: "2gb"
    ports:
      - "5801:5800"
    volumes:
      - "C:/Users/tiago/firefox_config:/config:rw" # allows to keep my configurations (such as bookmarks)
      - "C:/Users/tiago/Downloads/Sandboxed:/output:rw" # downloaded files are mapped to my host "Downloads/Sandboxed" folder
    environment:
      - USER_ID=1000
      - GROUP_ID=1000
      - DARK_MODE=1
      - FF_OPEN_URL=https://google.com
      - ENABLE_CLIPBOARD=0
    restart: unless-stopped

On my host, I access the sandboxed Firefox by opening http://localhost:5801

Container n2 – the jDownloader sandbox – https://hub.docker.com/r/jlesage/jdownloader-2

You can read the full documentation in the provided link, but to sum up, when you run this container you’ll have a sandboxed installation of jDownloader.

For my scenario I want to persist download links and I also need to map the downloaded files to my host’s “Downloads” folder. I was able to achieve this with the following Compose file:

services:
  jdownloader:
    image: jlesage/jdownloader-2
    container_name: jdownloader
    ports:
      - "5800:5800"
    volumes:
      - "C:/Users/tiago/jdownloader_config:/config:rw"
      - "C:/Users/tiago/Downloads:/output:rw"
    environment:
      - USER_ID=1000
      - GROUP_ID=1000
      - DARK_MODE=1
    restart: unless-stopped

On my host, I access the sandboxed jDownloader by opening http://localhost:5800
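
A tightened variant of the two Compose files above, added here as an example and not part of the original post: it binds both web UIs to the loopback address and gives jDownloader its own output folder. The `Downloads/JDownloader` folder name is an assumption; every other value is taken from the files above.

```yaml
# Added example: both services from this page in one Compose file, with tighter exposure.
services:
  firefox:
    image: jlesage/firefox
    container_name: firefox_secure
    shm_size: "2gb"
    ports:
      # Page version: "5801:5800" publishes the port on every host interface (0.0.0.0).
      # With an explicit host IP, the web UI is reachable only from the host itself.
      - "127.0.0.1:5801:5800"
    volumes:
      - "C:/Users/tiago/firefox_config:/config:rw"
      - "C:/Users/tiago/Downloads/Sandboxed:/output:rw"
    environment:
      - USER_ID=1000
      - GROUP_ID=1000
      - DARK_MODE=1
      - FF_OPEN_URL=https://google.com
      - ENABLE_CLIPBOARD=0
    restart: unless-stopped

  jdownloader:
    image: jlesage/jdownloader-2
    container_name: jdownloader
    ports:
      # Same loopback-only binding for the jDownloader web UI.
      - "127.0.0.1:5800:5800"
    volumes:
      - "C:/Users/tiago/jdownloader_config:/config:rw"
      # Page version mounts all of C:/Users/tiago/Downloads read-write, which also
      # contains the Firefox "Sandboxed" folder. A dedicated subfolder (assumed
      # name, not from the page) limits what this container can read or overwrite.
      - "C:/Users/tiago/Downloads/JDownloader:/output:rw"
    environment:
      - USER_ID=1000
      - GROUP_ID=1000
      - DARK_MODE=1
    restart: unless-stopped
```

After `docker compose up -d`, the PORTS column of `docker compose ps` should show `127.0.0.1:5801->5800/tcp` and `127.0.0.1:5800->5800/tcp` rather than addresses starting with `0.0.0.0:`.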