But what does that mean? Can I browse a webpage, open a doc, if those are listed as specific usage? And if not, what's the purpose of this and why are people talking about it with such import?
most people dont do a lot on their machines. they have specific tasks they want to do. The idea is to isolate by default and crack open gaps by policy. You can still do 'anything' but you wouldnt want to enable 'anything' to be possible in the policy..
Sounds like security through compartmentalization is more user-friendly: You can run whatever you want and how you want it in a dedicated VM, keeping sensitive things safely isolated, without much thinking of what to enable. Case in point: Qubes OS, my daily driver. Btw it already exists and is stable.
> security through compartmentalization is more user-friendly: You can run whatever you want and how you want it in a dedicated VM, keeping sensitive things safely isolated
My brain hurts. How is a system where you can run whatever you want, however you want, but still keep sensitive things safely isolated possible?
Either you have restrictions on what you can run or access (in which case those limit sandboxed capabilities) or you have a hypothetically secure system, the security features of which you never leverage (because sandboxes have absolute freedom).
Unless you were talking about the ability to guarantee a monitor-only hypervisor or resource slice a machine into multiple tenants? (i.e. no/light touch hypervisor situations)
this relys wholly on user skill which most people will not be able to do. you need extreme tradecraft and opsec to keep really secure. any little mistaken copy between domains etc. might compromise.
This is the downside of isolation machines and their upside.
Hard to make a completely isolated machine for all workflows and keep all data at all times inaccessible for exploits. But because each user has their own ways its more potential that 'your particular way of breaking the model' is not known or exploitable (yet).
A lot of holes you open are one-time actions from within a restricted domain.
in qubes you have cross domains tools from domain0 for this, which is very hard to reach (but not impossible).
And then supplychain is also hard. Qubes have canaries, but i think most ISO people copy into their dom0 and spinnVMs off of are not doing such rigorous things. (depends what u use ofc).
I'm not sure I understand your question. VMs run full operating systems on top of Xen hypervisor relying on hardware-assisted virtualization (VT-d or similar). You can run untrusted software in a dedicated VM and keep your sensitive data in another offline VM.
The dom0 has no network and doesn't manage, e.g., USB devices.
QubesOS is not bad indeed. its not perfect (they are looking i think to replace Xen or make it much more thin layer). Its definitely the way i think if u want to retain compatibility with existing OSes/tools.