A nasty local kernel vulnerability
Posted Feb 26, 2013 21:56 UTC (Tue) by nix
In reply to: A nasty local kernel vulnerability
Parent article: A nasty local kernel vulnerability
People are starting to depend on things like SELinux and sandboxing way too much, and those techniques are only very effective if you are willing to put a lot of time into customizing rules and such.
That's so, so true of SELinux, but there's no way it's true of properly implemented sandboxes. How much time do you have to put into customizing any of the sandboxes in Chrome? (The answer is 'none': you may not even realise they are there, but they're making it a heck of a lot harder to compromise the system through a vulnerability in the network-exposed parts of Chrome. There are three on Linux, one of which is more or less deprecated. You'll only notice if you look at about:sandbox or if none of them initialize correctly, in which case Chrome will warn you.)
That's what security that actually makes a difference looks like. Security that works even if nobody has to do anything to turn it on, security that requires no configuration.