Walsh: Cool things with SELinux... Introducing sandbox -X
Posted Sep 20, 2009 8:31 UTC (Sun) by iq-0 (subscriber, #36655)
In reply to: Walsh: Cool things with SELinux... Introducing sandbox -X by PaXTeam
Parent article: Walsh: Cool things with SELinux... Introducing sandbox -X
I didn't read those words as being such bold statements, but that might
just be my built-in mitigation system ;-) But if you read it like that, then
sure, you're perfectly right.
I'm thinking more along the lines of scripts that do more than just what
you're expecting. A lot of unwanted behaviors have nothing to do with
exploitation, but often are a result of e.g. publishers wanting to know
about their readers (and some readers don't want reading some document
to send notifications to publishers).
And, of course, even a basic sandbox limits the number of immediately
usable exploits.
Anyway, you have a point if you interpret things so strictly, but along those
lines almost no tech article could be written with long disclaimers after
each statement. But a little more attention about stuff it doesn't prevent
might indeed be in order, especially given the security context of the blog
and the products involved.
