GNOME Boxes & Nautilus

Subject: Proposal: “Open with Isolated VM” integration for GNOME Boxes & Nautilus

Hi GNOME Boxes team,

I’m a GNOME user and long-time admirer of your work on Boxes.
I’d like to propose a feature that could significantly improve everyday security workflows: a context-menu option to open files or URLs in an ephemeral, isolated VM directly from Nautilus.

Motivation
Current use cases that require isolation (banking, opening untrusted files, browsing suspicious URLs, running unverified code) involve manually creating/configuring VMs. This is slow and discourages non-technical users from using virtualization for security.

Proposed workflow
Nautilus integration:
Add “Open with Isolated VM” to the “Open With” menu for files and to the right-click menu for URLs/links.

VM boot:
Launch a pre-configured, minimal OS image (GNOME desktop + basic apps) in Boxes.
Boot should be as fast as possible (ideally using snapshots or qcow2 backing files).

Content injection:
The selected file or URL is passed securely into the VM.

Files: mounted as a temporary shared folder or copied into a volatile filesystem.

URLs: opened in the default browser inside the VM.

Ephemeral lifecycle:
Upon VM shutdown, all changes are discarded and the image reverts to a clean state (like --transient in QEMU or Windows Sandbox).

Implementation considerations
Performance:
Use lightweight base images and snapshotting for sub-5s launch times.

Security:
Strict separation — no permanent shared folders, clipboard optional.

Extensibility:
Allow multiple isolated profiles (e.g., “Browser VM”, “Document Viewer VM”).

Dependencies:
Likely needs deeper Nautilus–Boxes integration and enhancements in libvirt/QEMU command handling for transient VMs.

Benefits
Security:
Reduces attack surface by isolating risky operations.

Accessibility:
Brings sandboxed workflows to non-technical users via a one-click action.

Competitive advantage:
GNOME could offer a user-friendly alternative to Windows Sandbox or Qubes-style disposables in a desktop-integrated, open-source way.

Thanks for considering,
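The workflow in the proposal (throw-away overlay on a clean base image, file or URL handed in, everything discarded at shutdown) can be sketched against plain QEMU. The script below is an added example written for this thread, not code from GNOME Boxes, Nautilus or the poster; it assumes a prepared base image at `$BASE_IMAGE`, a working KVM host, and a guest image that mounts the 9p tag `untrusted` and reads the (hypothetical) fw_cfg key `opt/org.example.isolatedvm/payload` to decide whether to open the shared file or the URL.

```shell
#!/bin/sh
# Added example, not GNOME Boxes' or Nautilus' own code: "open in isolated VM"
# on plain QEMU. Assumptions (constructed for this example): a read-only base
# image at $BASE_IMAGE, KVM available, and a guest that mounts the 9p tag
# "untrusted" and reads the fw_cfg key below.
set -eu

BASE_IMAGE="${BASE_IMAGE:-$HOME/.local/share/isolated-vm/base.qcow2}"
QEMU="${QEMU:-qemu-system-x86_64}"
FWCFG_KEY="opt/org.example.isolatedvm/payload"   # hypothetical key name

# stage_payload MODE PAYLOAD SHAREDIR
# Copies the untrusted file into a fresh directory (the only thing the guest
# ever sees) or records the URL there; the original host path is never exposed.
stage_payload() {
    mode=$1; payload=$2; share=$3
    case $mode in
        file)
            cp -- "$payload" "$share/$(basename -- "$payload")"
            chmod 0444 "$share"/*           # guest may read, never write back
            ;;
        url)
            printf '%s\n' "$payload" > "$share/url.txt"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2
            ;;
    esac
}

# isolated_vm_args MODE OVERLAY SHAREDIR
# Prints the QEMU arguments one per line. The overlay is a throw-away qcow2
# layered on the base image; the share is exported read-only; file sessions get
# no network at all, URL sessions get user-mode NAT only (no clipboard, no
# permanent shares).
isolated_vm_args() {
    mode=$1; overlay=$2; share=$3
    printf '%s\n' \
        -machine q35,accel=kvm \
        -m 2048 \
        -drive "file=$overlay,format=qcow2,if=virtio" \
        -virtfs "local,path=$share,mount_tag=untrusted,security_model=mapped-xattr,readonly=on" \
        -fw_cfg "name=$FWCFG_KEY,string=$mode" \
        -display gtk
    case $mode in
        file) printf '%s\n' -nic none ;;
        url)  printf '%s\n' -nic user,model=virtio-net-pci ;;
    esac
}

# run_isolated MODE PAYLOAD
# Full lifecycle: temp dir -> overlay -> stage payload -> run -> discard all.
run_isolated() {
    mode=$1; payload=$2
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT INT TERM     # ephemeral: nothing survives the session
    mkdir "$work/share"
    stage_payload "$mode" "$payload" "$work/share"
    # Fresh overlay with the base as backing file: the base itself is never written.
    qemu-img create -q -f qcow2 -b "$BASE_IMAGE" -F qcow2 "$work/overlay.qcow2"
    # Split the printed argument list on newlines only, so paths with spaces survive.
    old_ifs=$IFS; IFS='
'
    set -f
    set -- $(isolated_vm_args "$mode" "$work/overlay.qcow2" "$work/share")
    set +f
    IFS=$old_ifs
    "$QEMU" "$@"
}

# Usage: ./isolated-vm.sh run file /path/to/untrusted.pdf
#        ./isolated-vm.sh run url  https://example.org/
if [ "${1:-}" = run ]; then
    run_isolated "$2" "$3"
fi
```

The Nautilus side of the proposal would amount to a launcher that calls `run file <path>` or `run url <link>`; the `trap` on EXIT is what gives the "revert to clean state" behaviour, since the overlay and the staged copy live only in the temporary directory. Using `-snapshot` instead of an explicit overlay achieves the same discard semantics without the `qemu-img` step, at the cost of losing the per-profile backing-file chain the proposal mentions.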

Hey! Thanks for sharing your thoughts about this. I have thought of similar things in the past.

I feel that if this is to be based on a specific OS base, such as GNOME OS, there’s no point in bringing Boxes+libvirt into the conversation. I would make this a standalone app that talks to QEMU directly. Boxes+libvirt is what makes the multiple-OS/preferences manageable. What you are seeking here is a well-defined VM.

The use of snapshots for this is interesting too.

What do you think?

Hi felipeborges

Thanks for your quick thoughts and for considering the idea! It’s great to hear you’ve thought along similar lines.

Regarding the technical implementation: if a dedicated standalone application talking directly to QEMU is the most streamlined and efficient way to achieve our goal for a well-defined, ephemeral sandbox VM, I’m completely on board with that approach. My main concern, as a user, is not the underlying architecture, but solely the highest level of security combined with ultimate user convenience and integration into the GNOME desktop.

The core value is in making powerful isolation accessible and intuitive. The “Open with Isolated VM” workflow via the Nautilus context menu is absolutely key. This provides the convenience. For security, ensuring the VM is always a clean, isolated environment (using snapshots or similar mechanisms) is paramount.

My primary goal is to empower average users with robust security through a simple, “one-click” secure workspace, regardless of the precise technical implementation details.

Thanks again for the feedback!

Hi Felipe,

Thanks for your quick thoughts and for considering the idea! It’s great to hear you’ve thought along similar lines.

Regarding the technical implementation: your suggestion of a standalone application talking directly to QEMU is indeed a very elegant technical solution for achieving a well-defined, ephemeral sandbox VM. We’ve also considered the development effort involved in building such a dedicated tool from the ground up, recognizing it might be more complex than adapting existing components. However, if this approach is ultimately the most streamlined and efficient way to deliver the core functionality, I’m completely on board with that.

My main concern, as a user, isn’t the underlying architecture, but solely the highest level of security combined with ultimate user convenience and seamless integration into the GNOME desktop.

The core value is in making powerful isolation accessible and intuitive for average users. The “Open with Isolated VM” workflow via the Nautilus context menu is absolutely key for this convenience. For security, ensuring the VM is always a clean, isolated environment (using snapshots or similar mechanisms) is paramount.

My primary goal is to empower average users with robust security through a simple, “one-click” secure workspace, regardless of the precise technical implementation details.

Thanks again for the feedback!

Best regards,

On Thu, 14 Aug 2025 at 12:31, Felipe Borges via GNOME Discourse <noreply@gnome.org> wrote: