How easy is it to adapt corridor and allow non-torified VMs like Kicksecure to connect too? Think dealing with captive portals. Per-VM network granularity may be bluntly possible by excluding the kvm user group from networking restrictions to ensure no other non-Tor traffic from the host may happen. This should allow updates via apt-tor to work too.
Corridor on the host not easy at all.
OK I guess next best thing is to permit only debian-tor and kvm groups to connect on the host. Same trick you use for GW.
Not easy either.
On Whonix-Gateway this is possible for Tor and the Linux user group debian-tor because Tor is just a normal application.
For Whonix-Host for KVM this might not be possible by simply only allowing kvm groups to connect to the internet because KVM isn’t an application. It’s inside the kernel and works differently.
For first iteration just a “simple” Whonix host firewall. It doesn’t get any less secure than previously Debian Host + Whonix-Gateway + Whonix-Workstation.
corridor and/or kvm-only outgoing traffic can be considered in a later release.