sandboxing vbox + whonix , host hardening


i have discovered that we can run vbox from the host using default firejail profiles.

and i have tested if whonix going to work normally = well it worked!

so this is a better way to be explained in the wiki and advise the users to use it.

so by this:

if someone managed to break whonix and break vbox he cant break it to the host.

but not sure about the anonymity once he break vbox even if its sandboxed.

cc @torjunkie @0brand @Patrick


You can’t really harden VBox. If there is a bug in its kernel level code then your goose is cooked. Also it doesn’t implement isolation between VM processes and this is not something you can retrofit with apparmor or firejail.


yeah no vbox harden , its host harden.

so the answer to my question , if vbox an attacked break through whonix then vbox while its sandboxed then that attacker can deanonymize the user (regardless of the sandbox)??

but he cant hack the host as well no?