GUI isolation inside single AppVM

Hello everybody!

I’ve understood that two different AppVMs are perfectly isolated from each other.
My question is whether two qubes inside a single AppVM, say personal, enjoy GUI isolation. For example, is it possible for one app to sniff for keystrokes inside the whole AppVM? I’m trying to understand whether it is secure to run KeePass along with some app I don’t 100% trust.

Run KeePass and similar applications in a vaultVM (a VM without netVM). Use a separate vaultVM for each application.

Interesting question, though. I assume that Xserver is running in dom0… and that’s the reason the Qubes makers are working on a sys-gui - to isolate the Xserver from dom0.


Huh, if the only Xserver is running in dom0, it is possible that only the app currently in focus receives its keystrokes and nobody else has access to them. However, a separate vault for KeePass seems reasonable. Anyway, I was confused by the fact that KeePass is by default placed in the ‘personal’ qube if I remember well.

Because KeePassXC is installed in the template, the application is
available in all qubes that use that template.
By default the vault, which is offline, is where most people will use
KeePassXC to store secrets. You can strengthen isolation by using
policies in /etc/qubes/policy/30-user.policy to control interactions
with the vault.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

There are actually a lot of attacks thinkable.

The easiest way I can think of would be a hardware keylogger between your keyboard and your machine.

Joanna wrote about GUI isolation years ago… not sure if you still can use Xserver for keylogging:


Yeah, my way to Qubes actually started with this post :slight_smile:
I’ve checked, it still works the same way in Ubuntu, but in Qubes I wasn’t able to reproduce it even inside a single AppVM.

Try xinput test <id> in dom0. :laughing:

I haven’t dived into that topic but apparently in the domUs Qubes uses some dummy-xserver.

dom0 is not interesting :rofl:
I mean, I was unable to reproduce between qubes in the same AppVM

I am unable to reproduce even in the same tmux-ed-terminal.