2

I've been running Pop!_OS 18.04 on a System76 Meerkat. I've been advised that I can run Quickbooks for Windows if I first install gnome-boxes. If I do so, will I have as much privacy as before? Or will Windows or Quickbooks somehow gather data about the system and my files? Thank you for your responses.

Roman Riabenko
John

3 Answers

3

GNOME Boxes is a virtual machine manager, which (I believe) uses libvirt and QEMU-KVM. As such, you'd actually be running a copy of Windows on your machine, meaning:

  • Windows will send just as much data to Microsoft and their partners as it always does, which depends on the version of Windows, your Windows settings, etc.
  • So will all programs running under your copy of Windows, to their respective vendors.
  • When they try to see hardware info, they will see the virtual machine, which will likely share some details with the real hardware (e.g., CPU) but not others (e.g., will see amount of memory dedicated to the VM, not total in your machine).

VMs are normally fairly isolated from the host. I'm not sure if GNOME Boxes automatically (or gives the option of) sharing your home directory with the VM; if your home directory is shared to the VM, then of course Windows and the programs running on it could access your files.

You can set up, e.g., a firewall on the host to limit what the VM can send to the network, but since e.g., stopping Windows from talking to Microsoft at all will likely break Windows license activation, that may not be an option.

(I use libvirt and QEMU-KVM, but not GNOME Boxes, so I'm not exactly sure how it sets up its VMs).

derobert
1

By default, Boxes shares some real hardware information, such as the model of the installed CPU, with the guest. It also "passes through" the network access, unless you disable this. So, if you have anything on the local network, such as routers, printers, and so on, it will become as available to Windows as it is to your machine. If there are any local services running on your computer, which you access by the IP address, for example, 127.0.0.1, and a port number, they all will become available by default to Windows too.

You most likely want to install SPICE guest tools in Windows for convenience and to make Windows run smoother. In that case, by default, Windows will have access to anything copied to your clipboard at any moment, so that you could copy and paste into Windows or from it. You can disable it with a switch in Boxes or suspend Windows, but will you?

SPICE does not share your files by default, but you can configure access through an emulated network resource (WebDAV) or drag-and-drop files into the Boxes window.

So, if you do not trust Windows or the software running on it, which is off-topic to discuss here, then network and clipboard access may be your primary concern.

Roman Riabenko
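A check for the sharing channels discussed in the two answers above, as an added example that is not part of the original posts: it reads a libvirt domain definition (the kind of XML `virsh dumpxml` prints) and reports the network, clipboard, file-transfer, WebDAV and shared-directory settings. It assumes the Boxes VM is an ordinary libvirt domain; the function name `audit_domain` and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in libvirt domain XML form; not taken from a real Boxes VM.
SAMPLE_XML = """
<domain type='kvm'>
  <name>win10-sample</name>
  <devices>
    <interface type='user'><model type='rtl8139'/></interface>
    <graphics type='spice'><image compression='off'/></graphics>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
    </channel>
    <channel type='spiceport'>
      <source channel='org.spice-space.webdav.0'/>
      <target type='virtio' name='org.spice-space.webdav.0'/>
    </channel>
  </devices>
</domain>
"""

def audit_domain(xml_text):
    """Return findings about host/guest sharing in a libvirt domain XML."""
    dev = ET.fromstring(xml_text).find("devices")
    findings = []
    if dev is None:
        return findings
    for nic in dev.findall("interface"):
        findings.append(f"network: guest has a NIC of type '{nic.get('type')}'")
    channels = {t.get("name") for t in dev.findall("channel/target")}
    # The SPICE agent channel is what carries clipboard and drag-and-drop data.
    agent = "com.redhat.spice.0" in channels
    for gfx in dev.findall("graphics[@type='spice']"):
        clip = gfx.find("clipboard")
        if agent and (clip is None or clip.get("copypaste") != "no"):
            findings.append("clipboard: copy/paste sharing is not disabled")
        ft = gfx.find("filetransfer")
        if agent and (ft is None or ft.get("enable") != "no"):
            findings.append("filetransfer: drag-and-drop transfer is not disabled")
    if "org.spice-space.webdav.0" in channels:
        findings.append("webdav: SPICE folder-sharing channel is present")
    for fs in dev.findall("filesystem"):
        src = fs.find("source")
        path = src.get("dir") if src is not None else None
        findings.append(f"filesystem: host directory shared: {path}")
    return findings

if __name__ == "__main__":
    for line in audit_domain(SAMPLE_XML):
        print(line)
```

Adding `<clipboard copypaste='no'/>` and `<filetransfer enable='no'/>` inside the `<graphics type='spice'>` element clears the clipboard and file-transfer findings.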
0

Like any software, it could take your data. If you can't trust some software, then you have some options.

  • Run as a different user, on a different virtual console.
  • Set up AppArmor for it.
  • Run it in Docker, or run it in a virtual machine.
  • Set up a network firewall (in conjunction with running as another user).

There may be others, and they are not all mutually exclusive.

ctrl-alt-delor
  • GNOME Boxes appears to be a way to run VMs. So a lot of this doesn't seem to apply. – derobert Nov 21 '19 at 17:58
  • @derobert Yes (I just checked), GNOME Boxes uses virtualisation; it may add the security that you need. However, this only rules out 1/2 of point 3. The rest still stands (belts and braces). – ctrl-alt-delor Nov 21 '19 at 18:03
  • 1
    At least if it's using libvirt the normal way (I don't think there is any other way, at least if it's using the system libvirtd instance) then it already runs as a different user and with AppArmor set up. I think only the last point (network firewall) remains. – derobert Nov 21 '19 at 18:13
  • @Derobert And point 1 – ctrl-alt-delor Nov 22 '19 at 17:13