TL;DR - About switching from Linux Mint to Qubes OS from among various other options that try to provide security out-of-the-box (also discussed: OpenBSD, SculptOS, Ghaf, GrapheneOS)
TL;DR - About switching from Linux Mint to Qubes OS from among various other options that try to provide security out-of-the-box (also discussed: OpenBSD, SculptOS, Ghaf, GrapheneOS)
Syd3, and gvisor, a similar project in go aren’t really sandboxes but instead user mode emulation of the linux kernel. I consider them more secure than virtual machines because code that programs run is not directly executed on your cpu.
Although syd3 doesn’t seem to emulate every syscall, only some, I know rhat gvisor does emulate every syscall.
If you compare CVE’s for gvisor and CVE’s for xen/kvm, you’ll see that they are worlds apart.
Xen has 25 pages: https://app.opencve.io/cve/?vendor=xen
Gvisor has 1: https://app.opencve.io/cve/?q=gvisor
Now, gvisor is a much newer product, but it is still a full 7 years old compared to xen’s 22 years of history. For something that is a third of the age, it has 1/25th of the cve’s.
There is a very real argument to be made that the hardened openbsd kernel, when combined with openbsd’s sandboxing, is more secure than xen, which you brought up.