Don't get me wrong - I don't actually disagree with you here. It's just that... Yeah, things that shouldn't happen happen all the time. I see no merit in just saying "but it shouldn't happen" - I'd rather mitigate the effect of it happening. It is extremely important to address these flaws in the general use case as they crop up, but the paranoid use case of "I'm doing something I shouldn't be doing" warrants a few more layers of hardening.
That's fair, I suppose. I guess where I differ is that I don't consider this protection to be worth the added complexity, but then I was also looking at it as a way of running a web browser, where elevating privileges to root is basically never needed.
You explicitly stated that you don't like pre-made solutions in the field of security. I know you, and thus I have a good idea of what you meant, but I am going to be relatively unique to see your meaning despite your choice of words.
Well, to be more specific for the benefit of others: I prefer general-purpose tools that can be easily configured and composed to work the way I want them to, rather than tools that come pre-configured the way someone else thinks they should work. I don't think of configuration to suit your needs as reinventing the wheel, and I would never in any situation advocate reinvention of wheels in security. (Reinvention of wheels in other fields is sometimes, though rarely, justified.)
I suppose the 5 users of OpenBSD might indeed be restricted there. I know for a fact that OP is not one of them, so I didn't concern myself with it when making my recommendation.
OpenBSD is but one example. I actually edited my last post while you were replying, so to expand upon that, the Whonix installation instructions for Linux provide options for Virtualbox and what they call "KVM" (which is actually libvirt managing KVM guests). My Linux systems with VMs do use KVM, but they do not use libvirt, in part because libvirt does not support using the isolation features of QEMU that I use to mitigate the risk of VM escape attacks. It is a tad ironic that a project based on security by isolation would force me to reduce the isolation of my system in order to install it.
Other situations in which this is limiting are that you cannot use it on non-x86 hardware, or on old x86 CPUs without virtualisation extensions, or on a VM without nested virtualisation support (which is its own can of worms). In case you think I am contriving scenarios that will not arise in practice, I have personally encountered users who wanted to run VMs for isolation but could not for all three of these reasons.
Granted, this likely does not apply to the OP, but it is one of my concerns about using multiple VMs for this. (If it were a single VM, it could — at least in principle — be installed onto bare hardware as a workaround.) Even if we accept that the approach improves security, it does so at the cost of portability, which reduces the number of users that can take advantage of the improved security.
Yeah - I am working with limited information, and I filled the gaps in what OP told us with my own experience with similar activities. I have some confidence in my guesses, but it obviously does not replace a well-defined spec. However, I also suspect that OP doesn't exactly know what he wants - hence my suggestion of looking at a tool and seeing if it feels right.
Agreed on that point, which is why I suggested OpenBSD as well, as an option that comes with a privacy- and security-enhanced Firefox installation by default (albeit without Tor). Hopefully one of these options will suit.