Note: I am not yet running Qubes OS, just my own multi-VM setup until I find
a good laptop. So if this is already solved, please just tell me :)

Within my AppVMs I run all GUI apps with firejail --x11 --private=... This
means each app gets its own X server and home directory, and is sandboxed
from certain calls. Some have different, or no, network access. It's far
from perfect, which is why I have multiple domains, a vault VM, a USB VM,
etc.

I think this approach would be good in Qubes OS as well. It protects
against clipboard, framegrabber, and keyboard sniffing, and otherwise
sandboxes apps depending on that app's needs.

The problem is with the clipboard. Since the clipboard would go to display
:0 in the AppVM, cutting and pasting wouldn't work unless you allow
clipboard sharing within an AppVM. You could run KeePassX in the AppVM and
leave out --x11 so it could type into your other AppVM windows. I've tried
this with dummy strings on firejailed apps, and it does work. But we
probably don't want KeePassX running in our AppVMs. libvirt can't send keys
into a Xen VM. So, I can think of 3 options. Maybe there's an easier, more
sensible way.

1. dom0 has VNC sockets and a vncdotool (Python) script to type from a
given AppVM's clipboard (probably vault) to the window in another AppVM. So
instead of copy/paste clipboard to clipboard, it would be copy/paste
clipboard to sendkey. Maybe Ctrl-Shift-T. According to the vncdotool docs,
special characters won't work with this. I don't know what "special
characters" means, but that might kill its use for passwords that have
policies insisting on weird characters. This would open network sockets in
dom0, which might be scary. Looking here,
http://xenbits.xen.org/docs/unstable/man/xl.cfg.5.html, I don't see a way
for Xen domains to have VNC listen on Unix domain sockets instead of
network ones.

2. Run all your GUI apps in their own AppVM. Laptop with 32 GB of RAM?

3. Switch the GUI to Wayland. I can't find any KMS-capable virtual graphics
for Xen/KVM, and this won't happen without that. I hope Wayland has
sensible policies.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2da87b67-e321-44b6-be13-456dd1959efc%40googlegroups.com.
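A worked sketch of the "copy/paste clipboard to sendkey" step from option 1 above, as an added example that is not part of the original post and not code from vncdotool, Xen or Qubes OS. It assumes my reading of the vncdotool docs: client.type(text) presses one key per character using the character's code point as the X keysym, and client.keyPress(name) also accepts named keys such as 'enter' and 'tab'. Under that assumption, "special characters" means anything outside printable ASCII (control characters, accented letters, emoji), which a US-layout VNC console cannot type reliably, so the helper refuses such clipboard contents instead of silently mangling a password. The RecordingClient, the sample password, the key names in NAMED_KEYS and the connect_vnc() helper (vncdotool's api.connect is assumed) are constructed for this example.

```python
"""Clipboard-to-keystrokes helper for a dom0 "paste by typing" script.

Added example, not from the original post. Assumes vncdotool behaviour as
read from its docs: type() presses one key per character with the code
point as keysym; keyPress() accepts names like 'enter' and 'tab'.
"""

# Characters vncdotool can send as themselves (code point == X keysym and
# present on a US keyboard layout): printable ASCII, space included.
PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}

# Control characters that have a named key; the names are assumed to match
# vncdotool's key map. Anything not in either table is refused.
NAMED_KEYS = {"\n": "enter", "\t": "tab"}


class UntypableError(ValueError):
    """Raised when the clipboard holds characters the VNC path cannot type."""


def untypable_chars(text: str) -> list[str]:
    """Return the distinct characters in text that have no safe keystroke."""
    return sorted({ch for ch in text if ch not in PRINTABLE_ASCII and ch not in NAMED_KEYS})


def plan_keystrokes(text: str) -> list[str]:
    """Turn clipboard text into the key names to press, one per character.

    Refuses the whole string if any character is untypable, so a password
    with policy-mandated "weird" characters is never typed half-correctly.
    """
    bad = untypable_chars(text)
    if bad:
        raise UntypableError(
            "cannot type: " + ", ".join(f"U+{ord(c):04X}" for c in bad)
        )
    return [NAMED_KEYS.get(ch, ch) for ch in text]


def send_plan(client, plan: list[str], strip_trailing_enter: bool = True) -> int:
    """Press each key on a vncdotool-style client (anything with keyPress()).

    Clipboard managers often append a newline; by default a trailing
    'enter' is dropped so a pasted password is not submitted prematurely.
    Returns the number of keys actually pressed.
    """
    if strip_trailing_enter and plan and plan[-1] == "enter":
        plan = plan[:-1]
    for key in plan:
        client.keyPress(key)
    return len(plan)


class RecordingClient:
    """Stand-in for vncdotool's client so the example runs offline."""

    def __init__(self) -> None:
        self.pressed: list[str] = []

    def keyPress(self, key: str) -> None:
        self.pressed.append(key)


def connect_vnc(host: str, display: int):
    """Connect to a VM's VNC console; assumes vncdotool's api.connect()."""
    from vncdotool import api  # imported lazily; not needed offline
    return api.connect(f"{host}:{display}")


if __name__ == "__main__":
    # Constructed sample: a password satisfying a typical symbol policy,
    # with the newline a clipboard manager tends to append.
    sample = "Tr0ub4dor&3 !\n"
    client = RecordingClient()
    n = send_plan(client, plan_keystrokes(sample))
    print(n, "keys pressed:", client.pressed)
    print("refused:", untypable_chars("pässwörd"))
```

Wiring this to a real console would replace RecordingClient with connect_vnc("127.0.0.1", display_of_target_vm) and feed it the vault VM's clipboard contents; the planning and refusal logic is the same either way.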