Hello. I’m working on organizing my secure qubes into two types:
-
Read-only, called
secure-view& and will be used as an AppVM -
Write access restricted to one file (qvm-open-in-vm on a file), called
secure-edit& will be used as a disposableVM
Both have no network access. How would I go about configuring secure-view to strictly allow only stdin but little to no stdout through qrexec? My reasoning behind this is that I’d like to have a dedicated vm with GPU passthrough so I can view graphics intensive media and play offline video games that require graphics acceleration safely. Is this possible, and if so, am I my missing something critical that would render this setup less secure than OS level measures such as AppArmor and SELinux?