# Question: would running qemu in chroot increase security?

## bedtime

My situation:

I am running Gentoo hardened kernel with grsecurity as my base system. I have a Gentoo VM that runs in qemu with the '-sandbox on' parameter added. It is an .img file and can be run in persistent or temporary snapshot mode ('throw away' mode, as I like to call it). It's working perfectly as of now. It uses hugepages for its memory.

Inside that Gentoo VM there are (or will be; I am compiling as I speak) separate chroot environments for large basic programs, such as firefox, thunderbird, and libreoffice.

Would having that Gentoo VM run in a chroot environment help to keep that VM more separate and secure from the base Gentoo system?

I want a VM system that is as separate and secure from the base system as possible.

Ideas or thoughts? I am new to this.

----------

## Ant P.

Security is a process, not a trash fire. You can't just pile up every buzzword you skim off page 50 of a google search and declare it "most secure". Understand what you're doing, what your threat model is, and start building from there.

----------

## NeddySeagoon

bedtime,

First you determine the threats you want to secure against.

Then you deploy layers of the security onion to defend against those threats.

Security is not absolute; the more layers you deploy, the harder it is for an attacker, but to think that it's impossible is deluding yourself.

The idea is to make attackers that want to add another host to their botnet, for example, give up and move on.

Also, there is a trade-off between security and usability. You need to pick your trade-off point there.

----------

## bedtime

*Ant P. wrote:*

> Security is a process, not a trash fire. You can't just pile up every buzzword you skim off page 50 of a google search and declare it "most secure". Understand what you're doing, what your threat model is, and start building from there.

Security in Linux is new to me, so it looks like I have some learning to do.

*NeddySeagoon wrote:*

> First you determine the threats you want to secure against.
> 
> Then you deploy layers of the security onion to defend against those threats.
> 
> Security is not absolute; the more layers you deploy, the harder it is for an attacker, but to think that it's impossible is deluding yourself.
> ...

I think I gave a misleading impression... As is, with the system automated, it is still convenient, but I could imagine how bogging it down too much can be more cumbersome than beneficial.

----------