zlacker

1. Syonyk+(OP) 2023-07-11 19:28:10
The threat model assumes that any code in a VM can, with some application of effort, access anything else in that VM. Given the relatively low cost of local root exploits and kernel exploits, this is reasonable. Passwordless sudo is simply a reminder that you can't rely on intra-VM separation of anything you care about separating.

If you wanted to add additional hardening within a VM, it's supported - create your own templateVM for it, and use it. It's just not the default, and I generally agree with it. If you trust the OS kernel and features to keep things separated, there's no reason to run Qubes in the first place.

2. beardo+Q 2023-07-11 19:32:00
>>Syonyk+(OP)
>If you trust the OS kernel and features to keep things separated, there's no reason to run Qubes in the first place.

Yeah, I see the argument - that's why I would still call Qubes very secure as is - but I personally prefer defense in depth. Mainly it would be helpful on machines with limited RAM that can only run a few domains at once.
