A typical desktop usage for Cappsule: Firefox, gnome-terminal and evince, all launched inside 3 different VMs. The VMs are created instantly when the user clicks on the icons. Sounds familiar? That is because we use Qubes OS' GUI protocol. An example is worth a thousand words: click the video below to see it in action (it can be played fullscreen with the button in the bottom right corner).
If a kernel vulnerability is found, its exploitation inside a cappsule has no impact on the host. The first execution of getroot does indeed give root privileges; however, the second execution crashes the cappsule's kernel. The cappsule is eventually killed because it tries to access the hardware through an I/O operation.
Let's take a common task: installing the vim package (e.g. via apt). In Cappsule, everything is isolated from everything else by default: the host filesystem remains unmodified, but the package is still installed and available inside the cappsule. These changes are also persistent; you will not lose them when relaunching the cappsule.