Chrome sandboxing method, for other applications?

Discussion in 'sandboxing & virtualization' started by Gullible Jones, May 3, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @ m00n,

    AppArmor does work by pathname, that's correct. SELinux does not though.

    They likely don't. Linux allows for multiple different LSMs through the kernel but this actually opens up a hole for attack. The only way around this is to choose only a single LSM and have it be the only one allowed to work. That would mean all distros would have to use AppArmor or SELinux or whatever other one.

    Microsoft decided they don't want to give that choice to the users so they created their own security model, MIAC, and they're enforcing only that.
     
  2. Opens up a hole for attack how? I was under the impression that LSMs could only be changed or disabled on boot. And is this something purely theoretical, or has it been exploited in practice?
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    -httxs://grsecurity.net/lsm.php-

    https://www.linux.com/learn/linux-t...bols-whats-available-to-your-module-what-isnt
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yep. I'd pick SELinux if I were using Linux. I prefer its method of protection over AppArmor.
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You say that now =p but when you see a SELinux profile you'll change your mind.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    No pain, no gain. ;)
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    True. I would rather just use SELinux but it's a huge amount of pain for not a ton of gain =p
     