
Thread: Best way to virtualize Thunderbird/mail client

  1. #1
    Join Date
    May 2024
    Beans
    Hidden!

    Best way to virtualize Thunderbird/mail client

    I'd like to isolate my mail client (Thunderbird) from the rest of my system.

    I installed virt-manager and made a virtual machine, installed Ubuntu and Thunderbird.

    Then I used X forwarding over SSH on localhost to launch Thunderbird on my desktop, while it runs on the virtual machine.

    This works fine except the UI is extremely slow and sluggish. It tends to lock up and crash. I have SSH compression turned on with little effect on performance.

    I know I can run Thunderbird with firejail, but I really don't want it to have access to anything on the host OS.

    Is there a faster, more performant way to virtualize an X application?

    Thanks

  2. #2
    Join Date
    Jun 2016
    Beans
    2,849
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: Best way to virtualize Thunderbird/mail client

    What purpose do you have in mind for this level of isolation?

    Can you just use Thunderbird via the VM's own screen?
    Xubuntu 22.04, ArchLinux ♦ System76 hardware, virt-manager/KVM, VirtualBox
    If your questions are resolved to your satisfaction, please use Thread Tools > "Mark this thread as solved..."

  3. #3
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Best way to virtualize Thunderbird/mail client

    I use the remote-X method and don't have performance issues. Here's my script:

    $ more ~/bin/thunderbird.sh
    Code:
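    #!/bin/bash
    
    # FJ_OPTS="--dns=172.22.22.81 --rlimit-as=3500000000 --ignore=seccomp --ignore=protocol"   # This doesn't work anymore
    
    # --rlimit-as limits RAM VSS (address space) to 4.7G
    FJ_OPTS="--dns=172.22.22.81 --rlimit-as=4700000000 "
    TB_OPTS="-no-remote "
    
    # Run firejailed Thunderbird on the VM (deneb) and display it here via X forwarding.
    # FJ_OPTS and TB_OPTS are left unquoted on purpose so they split into separate options.
    PID=$(/usr/bin/ssh -X deneb /usr/bin/firejail $FJ_OPTS /usr/bin/thunderbird $TB_OPTS "$@" & )
    exit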
    Deneb is a VM running Linux Mint. It runs Thunderbird, Firefox, and a few other desktop apps that I don't like Ubuntu to run. When I'm traveling, it is the remote desktop I use via x2go - this leaves the data at home, not traveling with me.

    The VM looks like this:
    Code:
    $ inxi 
    CPU: 2x 1-core AMD EPYC-Rome (-SMP-) speed: 4200 MHz
    Kernel: 5.15.0-105-generic x86_64 Up: 11d 18h 3m
    Mem: 5318.6/5873.9 MiB (90.5%) Storage: 76.16 GiB (27.6% used) Procs: 241
    Shell: Bash inxi: 3.3.13
    I suppose you could use a Linux Container, but allowing a GUI to work inside a container is a little more complex. Others here have done it. I don't use Wayland, so perhaps that's the issue? IDK.

  4. #4
    Join Date
    May 2024
    Beans
    Hidden!

    Re: Best way to virtualize Thunderbird/mail client

    Quote Originally Posted by halogen2 View Post
    What purpose do you have in mind for this level of isolation?
    Prevent my computer from getting owned if an attacker sends me a malicious email, or at least limit the damage to a virtual machine containing only my email client.

    Quote Originally Posted by halogen2 View Post
    Can you just use Thunderbird via the VM's own screen?
    It's slower to access and more difficult to manage. Instead of "ssh -Y host -t thunderbird", I would have to unlock and launch an entire X session, click around and/or launch additional terminals.

  5. #5
    Join Date
    May 2024
    Beans
    Hidden!

    Re: Best way to virtualize Thunderbird/mail client

    Quote Originally Posted by TheFu View Post
    I use the remote-X method and don't have performance issues. Here's my script:
    Interesting. That's basically what I do (ssh -Y host -t thunderbird) but it is painfully slow and constantly flagged for the "wait or force quit" dialog.

    virt-manager, Debian 12.5, sharing 4 cores and 8 gigs of RAM

    I tried running chromium and it's also very laggy over X forwarding.

  6. #6
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: Best way to virtualize Thunderbird/mail client

    Quote Originally Posted by currentshaft View Post

    I know I can run Thunderbird with firejail, but I really don't want it to have access to anything on the host OS.

    Thanks
    netblue30 might have some insight: https://github.com/netblue30/firejail/issues/995
    With realization of one's own potential and self-confidence in one's ability, one can build a better world.
    Dalai Lama>>
    Code Tags | System-info | Forum Guide lines | Arch Linux, Debian Unstable, FreeBSD

  7. #7
    Join Date
    May 2024
    Beans
    Hidden!

    Re: Best way to virtualize Thunderbird/mail client

    Quote Originally Posted by 1fallen View Post
    netblue30 might have some insight: https://github.com/netblue30/firejail/issues/995
    Sorry, that is not what I meant.

    The risk I'm trying to prevent is an attacker exploiting firejailed thunderbird's setuid privilege (or any other vulnerability in thunderbird) to take over the system.

    Basically I want to treat the system with thunderbird as untrusted entirely, and connect to it from a trusted host OS to access files/emails. Firejail is just an example, but it's not relevant to the solution I want.
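
Added example, not part of any post in this thread: the launch commands quoted above use `ssh -X` and `ssh -Y`, and trusted forwarding (`-Y`, or `-X` on a client whose config has `ForwardX11Trusted yes`) exempts the VM's X clients from the X11 SECURITY extension restrictions, giving them full access to the host display. The functions below classify the forwarding mode from `ssh -G <host>` output; the function names and the sample config lines are constructed for illustration.

```shell
#!/bin/bash
# Added example: classify the X11 forwarding mode ssh would use for a host.
# Input on stdin: the "key value" lines printed by `ssh -G <host>`.
# Optional argument: the forwarding flag used at launch (-X or -Y).

x11_mode() {
    awk -v flag="${1:-}" '
        BEGIN { fwd = "no"; trusted = "no" }          # upstream OpenSSH defaults
        tolower($1) == "forwardx11"        { fwd = tolower($2) }
        tolower($1) == "forwardx11trusted" { trusted = tolower($2) }
        END {
            if (flag == "-X" || flag == "-Y") fwd = "yes"   # both flags enable forwarding
            if (flag == "-Y") trusted = "yes"               # -Y also forces trusted mode
            if (fwd != "yes")          print "off"
            else if (trusted == "yes") print "trusted"      # no SECURITY extension limits
            else                       print "untrusted"    # restricted X client
        }'
}

# Hypothetical wrapper for a real host: check_host HOST [-X|-Y]
check_host() {
    ssh -G "$1" 2>/dev/null | x11_mode "${2:-}"
}

# Constructed sample: a client config where ForwardX11Trusted is "yes"
# (the default shipped by the Debian and Ubuntu OpenSSH packages).
SAMPLE_TRUSTED_DEFAULT="hostname mailvm
forwardx11 no
forwardx11trusted yes"

# Constructed sample: upstream OpenSSH defaults.
SAMPLE_UPSTREAM_DEFAULT="hostname mailvm
forwardx11 no
forwardx11trusted no"

# Demonstration on the constructed samples.
for flag in "" -X -Y; do
    printf 'flag=%-3s trusted-default=%-10s upstream-default=%s\n' \
        "${flag:-none}" \
        "$(printf '%s\n' "$SAMPLE_TRUSTED_DEFAULT"  | x11_mode "$flag")" \
        "$(printf '%s\n' "$SAMPLE_UPSTREAM_DEFAULT" | x11_mode "$flag")"
done
```

A result of `trusted` means the mail VM is isolated from the host's files but not from the host's X display; setting `ForwardX11Trusted no` for that host makes `-X` use the restricted mode.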

  8. #8
    Join Date
    Aug 2016
    Location
    Wandering
    Beans
    Hidden!
    Distro
    Xubuntu Development Release

    Re: Best way to virtualize Thunderbird/mail client

    Thanks for the clarity, TheFu is pretty wise on this type of help.

    I'm not sure why you hit such a lag in performance though with a KVM.

  9. #9
    Join Date
    Jun 2016
    Beans
    2,849
    Distro
    Xubuntu 22.04 Jammy Jellyfish

    Re: Best way to virtualize Thunderbird/mail client

    Would it not be sufficient to use the flatpak version of Thunderbird and set restrictive permissions with flatseal?

    For the performance issue:

    1) How have you installed Thunderbird and Chromium?

    2) Does Thunderbird have an option to disable hardware acceleration equivalent to this option in Firefox? Chromium has such an option in chrome://settings/system, "Use graphics acceleration when available". Does it help to turn off this option?

    3) What desktop environment are you using on the VM host? Is it running under X11 or Wayland? Are you able to test whether the performance problem occurs in a Xephyr on the host?

    4) How do you have networking set up for the VM?

    (I tested ssh -X (me)@(my-vms-ip) -t flatpak run org.chromium.Chromium to a virt-manager/KVM guest, which I connect to using a bridge interface, and did not see any performance issue in Chromium.)

  10. #10
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu

    Re: Best way to virtualize Thunderbird/mail client

    I don't use virt-manager, except to set up new VMs or destroy them when I'm done. Definitely NOT for daily use as a remote desktop.

    Also, I'm not on Debian, though I have a few Debian servers for things like VPNs and email gateways, but not much else. When Deb12 was released, I installed it and found the networking didn't meet my needs. Perhaps I had a too early version and networking setup wasn't working. I never came back around. My VM host is Ubuntu server 20.04 running on a different system. The ssh and X-forwarding are over a GigE LAN connection. On the same LAN, I generally don't use virt-viewer either. Generally I use ssh and remote X11 to my workstation. So much more convenient. Most of my daily use applications actually run over remote X11 on different systems and many are either containers or VMs, not a physical host ... mostly.

    I don't force a tty. It isn't needed. I had to look that option up. Never noticed it before.

    Also, I don't use wifi except on devices that have no other connection method. Laptops that don't have ethernet ports use USB3-to-Ethernet adapters. On the wire, iperf3 tests to 920-944 Mbps.

    I don't see how Thunderbird in a firejail can break out. Ever run bash with the same firejail settings? Lots of other things are disabled both in standard and private modes. Thunderbird in private mode isn't very useful, since prior address books, emails, and connection settings wouldn't exist.

    I don't use any flatpaks and won't be using a snap package for browsers or email. I like the added control I get with firejail and I like NOT having extra bloated dependencies that aren't needed.
