TL;DR - About switching from Linux Mint to Qubes OS from among various other options that try to provide security out-of-the-box (also discussed: OpenBSD, SculptOS, Ghaf, GrapheneOS)
TL;DR - About switching from Linux Mint to Qubes OS from among various other options that try to provide security out-of-the-box (also discussed: OpenBSD, SculptOS, Ghaf, GrapheneOS)
I could use gvisor inside distrobox inside an appVM in Qubes, couldn’t I?
Many CVE’s for Xen were discovered and patched by the Qubes folks, so that’s a good thing…
As for OpenBSD, I thought I mentioned in the blog post that I’m intending to use it as sys-net VM inside Qubes if not as HVM alongside my Linux appVMs, for when I need Linux. The best of both worlds, so to say.
to answer your first question, kind of. Gvisor (by google btw) uses the linux kernels sandboxing to sandbox the gvisor process itself.
Distrobox also uses the linux kernels sandboxing, which is how linux based containers work.
Due to issues with the attack surface of the linux’s kernels sandboxing components, the ability to create sandboxing or containers inside sandboxes or containers is usually restricted.
What this means is that to use gvisor inside docker/podman (distrobox) you must either loosen the (kinda nonexistent) distrobox sandbox, or you must disable gvisors sandboxing that it applies to itself. You lose the benefit, and you would be better off just using gvisor alone.
It’s complicated, but basically the linux’s kernels containers/sandboxing features can’t really be “stacked”.
Oh, good to know… In other words, sandboxing is not the best practice on Linux… So I’m better off with Qubes than with Secureblue