{{Header}}
{{title|title=
vm-app-manager - Virtualization-powered application sandbox
}}
{{#seo:
|description=vm-app-manager will be a virtual machine manager that allows users to install and run applications in virtualized environments. Applications will be somewhat integrated with the host to ease use, but will be incapable of compromising the host. This is a concept, implementation is not yet underway.
|image=Sandboxing123123.png
}}
{{intro|
vm-app-manager will be a virtual machine manager that allows users to install and run applications in virtualized environments. Applications will be somewhat integrated with the host to ease use, but will be incapable of compromising the host. This is a concept, implementation is not yet underway.
}}
[[File:Sandboxing123123.png|thumb]]
{{Developers-only}}
= Introduction =

<code>vm-app-manager</code> is intended to be a virtual machine manager somewhat similar to Chrome OS's [https://chromeos.dev/en/linux Crostini]. It will allow users to easily create virtual machines that are well-isolated from the host, while allowing applications within the VMs to be well-integrated with the host. This brings some of the security advantages of Qubes OS to Kicksecure.

= Roadmap =
Work in progress. Very rough. The currently listed feature set is probably too ambitious; features are subject to change without notice.

* Virtualization will be provided by KVM. QEMU will most likely be used, with emulated devices reduced to a minimum to decrease the risk of a VM escape by exploiting a bug in QEMU itself. ([https://github.com/cloud-hypervisor/cloud-hypervisor Cloud Hypervisor] also looks interesting, but does not seem to be present in Debian and may complicate audio support and other things.)
* Each VM will have a shared folder that can be used to easily transfer files between VMs, or between a VM and the host.
* Each VM will be able to connect to the host's Wayland compositor either directly or through a validating proxy (similar to Qubes OS's X11 GUI virtualization), allowing windows to be displayed on the host.
** A validating proxy would be highly desirable to prevent access to dangerous Wayland protocols such as virtual keyboard and mouse protocols. It is unknown how much effort would be required to write such a proxy.
* Each VM will have toggleable network access. Only simple NAT networking will be available; more advanced networking is out of scope and should be handled by a more capable VM manager like virt-manager.
* Each VM will have audio support (playback only, or playback and recording? Audio must be toggleable).
* (Possibly? Likely too difficult, though Pipewire might help) Each VM may be able to request camera access.
* (Possibly? Might not be too hard) Each VM could run as its own unprivileged user, rather than as root or the user interacting with the VM. In the event of a VM escape, this would limit the damage a malicious application could cause.
* (Possibly? Could be difficult but likely worthwhile) AppArmor and seccomp sandboxing will be used on the virtual machine processes to further limit the damage potential of a VM escape.
* (Hopefully) Multiple VMs can be created to allow sandboxing of various apps from each other. (This contrasts with Chrome OS's Crostini, which only allows creating a single VM without complex methods.)
* Individual apps can be launched directly from an application menu.
* Desktop VM support?

= TODO =

* Design a full specification
* Come up with a better name; <code>vm-app-manager</code> is uninspired
* Determine how to create an ideal virtual machine for this use case; Chrome OS uses a special build of Debian. We may need to build our own images, or start from a Debian cloud image and modify it into the final VM on the user's device.
* Implement the VM manager and app manager

= Limitations =

* vm-app-manager will not be usable if the user is actively using VirtualBox. This is because VirtualBox and KVM cannot be used simultaneously.
* vm-app-manager will not be usable within Qubes OS. This is because Xen (the hypervisor used by Qubes OS) does not support nested virtualization.
** Qubes OS users are expected to use Qubes OS's rich virtualization features instead.
* vm-app-manager may function within VirtualBox or KVM, but may not be supported due to the performance impact of nested virtualization and the fact that it can actually worsen security.

= Development Discussion =
https://forums.kicksecure.com/t/separate-some-user-applications-from-the-operating-system/1120

= References =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]