190 points Harvesterify | 1 comments

surajrmal No.45669852
A shared global namespace ultimately makes it very difficult to have a decent capability based security system. Namespaces limited to the set of actions you have and a hierarchy of capabilities whereby children can only be given access to capabilities their parents have is required for a sane view of how things work. Much like encapsulation makes it easier to reason about abstractions in a program, this nested hierarchy of capabilities makes it easier to reason about the privilege of various parts of the system. Instead we have soup where no one can quite reason about what has access to what.
replies(6): >>45670120 #>>45670198 #>>45670857 #>>45671117 #>>45671465 #>>45674367 #
rootnod3 No.45670120
Even if not super fine grained, I think that OpenBSD’s pledge is really nicely done.

Next after that I’d vote for FreeBSD’s capsicum.

replies(2): >>45670403 #>>45671131 #
charcircuit No.45671131
I disagree. Pledge requires every app to OPT IN to security. This means that most apps won't do it, and the ones that do will likely be lazy and restrict their usage to what they use before and won't do the work of rearchitecting things.
replies(4): >>45671362 #>>45671634 #>>45672570 #>>45675089 #
cyberax No.45671634
The thing is, it works better. A simple API like pledge/unveil allows apps to significantly improve the security level without much time investment.

Meanwhile, complex external systems like SELinux end up being unused because they are complex and external (and thus can just be ignored).

replies(2): >>45674031 #>>45674615 #
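As an added illustration of the staged pledge/unveil pattern the comments above refer to (example code, not from any commenter): the program first restricts its filesystem view to one config file and its promises to "stdio rpath", reads the file, then narrows further to "stdio" so any later filesystem access is fatal. The no-op fallbacks for non-OpenBSD hosts and the sample config contents are assumptions; only OpenBSD actually enforces the promises.

```c
#include <stdio.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Assumption for non-OpenBSD hosts: no-op stand-ins so the file still builds.
 * Nothing is sandboxed here; only OpenBSD's <unistd.h> provides the real calls. */
static int pledge(const char *promises, const char *execpromises)
{ (void)promises; (void)execpromises; return 0; }
static int unveil(const char *path, const char *permissions)
{ (void)path; (void)permissions; return 0; }
#endif

/* Constructed sample input: a three-line config written before any sandboxing. */
int write_sample_config(const char *path)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("listen=127.0.0.1\nport=8080\nlog=stderr\n", f);
    return fclose(f);
}

/* Stage 1: expose only the config file read-only, lock the unveil list, then
 * promise nothing beyond stdio plus read-only path access. */
static int enter_read_stage(const char *cfg_path)
{
    if (unveil(cfg_path, "r") == -1) return -1;
    if (unveil(NULL, NULL) == -1) return -1;
    return pledge("stdio rpath", NULL);
}

/* Count newline-terminated lines in cfg_path under the staged sandbox.
 * Returns the line count, or -1 if a sandbox call or the open fails. */
long count_config_lines(const char *cfg_path)
{
    if (enter_read_stage(cfg_path) == -1) return -1;
    FILE *f = fopen(cfg_path, "r");
    if (!f) return -1;
    long lines = 0;
    int c;
    while ((c = fgetc(f)) != EOF)
        if (c == '\n') lines++;
    fclose(f);
    /* Stage 2: the file is consumed, so drop rpath as well. On OpenBSD any
     * later open(2) now kills the process rather than returning an error. */
    if (pledge("stdio", NULL) == -1) return -1;
    return lines;
}
```

The order matters: anything the program needs to open must be opened (or unveiled) before the promises that forbid it, which is the "rearchitecting" work the thread is debating.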
lagosfractal42 No.45674615
> Meanwhile, complex external systems like SELinux end up being unused because they are complex and external (and thus can just be ignored).

Wdym? It's very notably used in Android

replies(1): >>45674738 #
cyberax No.45674738
Yeah, because they have a team of engineers working on it. They can afford that.

I have never seen SELinux used on a regular server. Heck, Amazon Linux AMIs on AWS even disable it by default.

Yeah, yeah, personal experience and all that.