Segmentation of apps through VMs/Containers on Debian

Hi PG,

I’m slowly moving untrusted apps to containers or VMs to limit their interaction with my documents on my personal system. I have a couple VMs in mind (one for each app). Having a new VM for each untrusted app becomes a hassle (and already is one). I know QubesOS solves this, but I would like to see how much of this can be done on a Debian-based system.

To provide more context:

  • I use KVM/Qemu for virtualization so it would be through that
  • I also use flatpaks, so this use case is for apps that come as AppImages (not trying to use firejail for this, due to SUID) and for apps that are plain binaries
  • I would say my case is similar to “App Qube” from QubesOS
  • I could use containers, as I have a hunch they will be smaller than a full Debian VM. However, I will need to enable VNC or RDP on the container to access it.
  • These apps are crucial for personal tasks, so I won’t be able to just stop using them.

Has anyone dealt with this niche use case before? If so, how did you end up segmenting your system?

Well I was involved with a discussion about this segmentation issue a week or so ago:

Immediately under that is my participation in the topic, which refers to another similar discussion:

So the problem is that you are containing each individual app in a separate VM, but you are not compartmentalizing your identity into separate VMs instead, which means you are paying a lot for resources. To address that, you could separate your identity into similar workflows, such as the Qubes OS default qubes:

  1. Personal
  2. Untrusted
  3. Vault
  4. Work

This suggestion is incredibly generic because I have no idea what your identity consists of. Journalists and whistleblowers have specific needs that may not be applicable to your threat model, and so on. You will likely want to look at this documentation for some inspiration to compare against:

This information will nudge you into a more relevant direction, but you will still be required to do the initial bootstrap yourself.

Thanks for sharing your insight and the links! The “How to organize your qubes” document really came clutch to clarify my use cases to me.

If this is your only or primary objective, you certainly don’t need containers or VMs. You can simply create a new (UNIX) user, who will not have access to the home directory of your other users. I would add your main user to the group of your secondary user and modify the group permissions so that your main user does have access to the files of the secondary user (but not vice versa). This is what I do when I run coding agents, for example.
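As an added example (my own script, not code from anyone in this thread), here is the two-user layout described above on a Debian system, in POSIX shell. The user names `main` and `sandbox` are assumptions, as is `/home/NAME` for the home directories. The `setup` verb needs root; `check` and `run` do not. It relies on Debian's `adduser` creating a user-private group of the same name and a home directory that is closed to other users by default.

```shell
#!/bin/sh
# Added example: isolate an untrusted app in a second UNIX user instead of a VM.
# Assumed names: "main" = everyday login, "sandbox" = user that runs the app.
set -eu

# Create the sandbox user and open its files one way: main can read sandbox's
# files (via sandbox's user-private group), sandbox cannot read main's home.
# Run as root.
setup_sandbox_user() {
    main="$1"; sandbox="$2"
    # Debian's adduser creates a matching group and /home/$sandbox.
    adduser --disabled-password --gecos "" "$sandbox"
    # main joins sandbox's group ...
    usermod -aG "$sandbox" "$main"
    # ... and the home becomes group-readable (owner rwx, group r-x, others none).
    chmod 750 "/home/$sandbox"
    # Files the sandbox user creates later should stay group-readable, so give
    # that account a 027 umask at login (assumption: a .profile-reading shell).
    printf '\numask 027\n' >> "/home/$sandbox/.profile"
    # The reverse direction stays closed: main's home is owner-only.
    chmod 700 "/home/$main"
}

# Return 0 when USER is a member of GROUP according to the account database.
# A session that was already open before usermod ran will not see the new
# group until the user logs in again.
in_group() {
    user="$1"; group="$2"
    id -nG "$user" | tr ' ' '\n' | grep -qx "$group"
}

# Return 0 when the directory modes match the intended layout:
# main's home 700 (nobody else), sandbox's home 750 (its group may read).
check_isolation() {
    main_home="$1"; sandbox_home="$2"
    main_mode=$(stat -c '%a' "$main_home")
    sandbox_mode=$(stat -c '%a' "$sandbox_home")
    [ "$main_mode" = "700" ] && [ "$sandbox_mode" = "750" ]
}

# Launch a command as the sandbox user with that user's HOME.
# A GUI app additionally needs access to your display; on Xorg that is
# "xhost +SI:localuser:$sandbox", and X11 gives clients on one display no
# isolation from each other, so this is filesystem isolation only.
run_as_sandbox() {
    sandbox="$1"; shift
    sudo -u "$sandbox" -H "$@"
}

# Verbs: setup MAIN SANDBOX | check MAIN SANDBOX | run SANDBOX CMD [ARGS...]
# With no verb the script only defines the functions above.
case "${1:-}" in
    setup) setup_sandbox_user "$2" "$3" ;;
    check) check_isolation "/home/$2" "/home/$3" && in_group "$2" "$3" && echo "ok" ;;
    run)   shift; run_as_sandbox "$@" ;;
    *) ;;
esac
```

Typical use is `sudo sh isolate.sh setup main sandbox`, then log out and back in so `main` picks up the new group, confirm with `sh isolate.sh check main sandbox`, and start the app with `sh isolate.sh run sandbox /path/to/app.AppImage`. The `check` verb is worth running after any package or dotfile tooling touches `/home`, since a stray `chmod` on either home directory silently reopens one side.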