in my world, you guess wrong ;). in my world, (exploitable) bugs are a fact of life and i've been working on intrusion prevention technologies for some years now.
> In the real world, people do run multiuser linux machines.
and did someone say otherwise? ;)
> Security is not black and white, there is such a thing as more secure and harder to break into.
did someone say otherwise? how did this even come up in this thread?
> you *also* need to be running a kernel which is exploitable in the
> limited attack surface presented to the JPEG decoding process.
you sound as if it was that hard to find such a kernel. here's the breaking news for you: *any* kernel in existence has exploitable bugs in it. exploitable 'in the limited attack surface presented to the JPEG decoding process'. remember do_brk? or mremap? are you gonna ban memory allocation? it's especially funny that you talk about attack surface here when the original solution (seccomp) did in fact have a meaningful reduction, unlike this alternative.
> Surely it's a good thing to attempt to limit the attack surface?
yes, except neither SELinux nor this sandbox does it. the proper way is to prevent arbitrary code execution as a start or make kernel bugs unexploitable (for privilege elevation at least).
which part of 'most valuable personal box' was not clear ;)? or are you suggesting that all SELinux can protect in real life is worthless data? the fact that you're not putting your own box at risk speaks for itself.