A guest being compromised is still a problem even when it's isolated from the rest of the system. The security of the guests still matters and the Linux kernel is large part of their attack surface and is the weak link for sandboxes they have internally like the Chromium sandbox.
Conversation
But then we're talking about sandboxes within sandboxes. Qubes focuses the user's attention on the qube/vm as the tool to manage risk. And I say this as author of a project that aims to improve Qubes guest security:
2
That's where my philosophy departs from Qubes': Allow the native security of the guest to do its job so malware won't have free (even if contained) reign, and remove anything that can compromise the startup environment.
1
Qubes' answer to the issue thus far has been "Use disposable VMs". But there are many use cases where they're difficult or impossible to use.
1
That doesn't resolve the issue of an application being compromised and an attacker gaining access to everything in that environment. Security against remote compromise and fine-grained containment certainly matters despite coarse-grained isolation chosen by the user higher up.
2
For the secure messaging example, it can be isolated per contact, and handling things like audio / video decoding for video calls can be isolated, as can cryptography, etc. Finer grained isolation than a group of applications for a certain identity / task is very important.
1
I think this approach is really less about containment and more about reducing the complexity of data formats exchanged between subsystems. Even the strong isolation of Qubes relies on the idea of simplified formats used at critical points.
1
Isolating per-contact in a messaging client, per-site in a browser, etc. is applying the same principle of QubesOS at a fine-grained level using existing privacy/security boundaries. Since they're existing boundaries, it doesn't require the user to do anything or be aware of it.
2
OK re per-contact-site isolation.... Now, demote "kernel" to "services" and look to hypervisor+qrexec as the actual kernel.
1
There are implementations of fine-grained isolation within applications using different mechanisms than OS sandboxing. Architecture-level virtualization is one possible approach and has pros / cons, as do other approaches like a higher-level virtual machine, etc.
The isolation between sites in a browser or contacts in a messaging app are good examples of existing fine-grained trust boundaries to reinforce. There are a lot of other examples and reinforcing those can improve security for a billion users with no more work on their part.
2
It makes sense to use hardware-supported virtualization for reinforcing those boundaries. I'm just saying there's more to isolation / containment than having the user divide things up at a high level, and there's a lot more to security than isolation / containment too.