Chrome sandboxing method, for other applications?

Discussion in 'sandboxing & virtualization' started by Gullible Jones, May 3, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    @ m00n,

    Apparmor does work by pathname, that's correct. SELinux does not though.

    They likely don't. Linux allows for multiple different LSMs through the kernel but this actually opens up a hole for attack. The only way around this is to choose only a single LSM and have it be the only one allowed to work. Taht would mean all distros would have to use AppArmor or SELinux or whatever other one.

    Microsoft decided they don't want to give that choice to the users so they created their own security model, MIAC, and they're enforcing only that.
     
  2. Opens up a hole for attack how? I was under the impression that LSMs could only be changed or disabled on boot. And is this something purely theoretical, or has it been exploited in practice?
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    -httxs://grsecurity.net/lsm.php-

    https://www.linux.com/learn/linux-t...bols-whats-available-to-your-module-what-isnt
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yep. I'd pick SELinux if I were using Linux. I prefer its method of protection over AppArmor.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    You say that now =p but when you see a SELinux profile you'll change your mind.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    No pain, no gain. ;)
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    True. I would rather just use SELinux but it's a huge amount of pain for not a ton of gain =p
     
Loading...
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.