On 02.02.2017 at 19:28, Leonid Isaev wrote:
On Thu, Feb 02, 2017 at 03:24:11AM +0100, sivmu wrote:
Please take a look at bubblewrap: https://github.com/projectatomic/bubblewrap. On the default Arch kernel it does not use user namespaces.
And? Why do you point out such projects?
I already described an approach where one always runs browsers, PDF readers, etc. inside an LXC container, as an unprivileged user. That container resides on a filesystem mounted with nosuid (so things like ping, su, sudo won't work), and has a locked root account. On top of that, it connects to an Xephyr session running on the host, to avoid X11 sniffing attacks.
I have been using such a setup on all my desktops for over a year now. The only way to break out of such a container is a local kernel privilege escalation. Of course, having *privileged* userns *might* help because inside the container UID=0 will map to something like UID=123456 on the host, but this doesn't seem worth doing given all the issues with userns.
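The two container properties described above (rootfs mounted nosuid, root account locked) as a small POSIX sh checker. This is an added example, not code from the thread; the mountinfo and shadow lines are constructed samples, and the `/var/lib/lxc/desktop/rootfs` path is an assumed placeholder.

```shell
#!/bin/sh
# Added example: verify the two properties of the sandbox container
# described in the thread. Works offline on constructed samples; the
# check_container function reads the live files when run as root.

# Constructed sample /proc/self/mountinfo line (rootfs mounted nosuid,nodev).
SAMPLE_MOUNTINFO='36 25 8:1 / /var/lib/lxc/desktop/rootfs rw,nosuid,nodev,relatime - ext4 /dev/sda1 rw'
# Constructed sample /etc/shadow line for a locked root account ("!" password field).
SAMPLE_SHADOW='root:!:17000:0:99999:7:::'

# mount_has_nosuid MOUNTPOINT MOUNTINFO_TEXT
# Exit 0 if the mountinfo entry whose mount point (field 5) is MOUNTPOINT
# carries "nosuid" among its options (field 6); exit 1 otherwise.
mount_has_nosuid() {
    mp=$1; info=$2
    printf '%s\n' "$info" | awk -v mp="$mp" '
        $5 == mp { n = split($6, f, ","); for (i = 1; i <= n; i++) if (f[i] == "nosuid") ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# root_is_locked SHADOW_TEXT
# Exit 0 if the root entry has a password field starting with "!" or "*"
# (the conventions used by passwd -l / usermod -L); exit 1 otherwise.
root_is_locked() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "root" { if ($2 ~ /^[!*]/) ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# check_container ROOTFS
# Live check against the running host (needs root to read ROOTFS/etc/shadow).
check_container() {
    rootfs=$1
    if mount_has_nosuid "$rootfs" "$(cat /proc/self/mountinfo)"; then
        echo "ok: $rootfs is mounted nosuid"
    else
        echo "WARN: $rootfs is not mounted nosuid (setuid binaries would work inside)"
    fi
    if root_is_locked "$(cat "$rootfs/etc/shadow")"; then
        echo "ok: root account in $rootfs is locked"
    else
        echo "WARN: root account in $rootfs is not locked"
    fi
}
```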
From what I have seen so far, it is pretty similar to what bubblewrap does and also provides isolation with namespaces. I just noticed this can be used by unprivileged users too, so it might be worth a try. Bubblewrap is however very lightweight, which is a nice feat I think. (Plus, with a few hundred lines of code I can actually audit it to some extent.)
Any distribution that says "we focus on security" is garbage because security depends on the user's threat model. A distro should provide the *basic* tools that enable the user to implement his security demands.
But Tails is worse than garbage -- it is malicious, because it also focuses on privacy, forgetting that a user's privacy is almost synonymous with his education. So, there is no such thing as "easy privacy" or "easy security".
And no, pls don't bring up the breakage that you call OpenBSD...
I won't, trust me :) Although they do contribute to many successful security innovations that get adapted by Linux and others. OpenSSH is also a great example of secure coding and sandboxing. Anyway, I somewhat share your opinion that without user inclusion and threat model consideration, there is something missing. But for what they intend, Tails does provide what they promise, and it's not that bad.
And Chromium actually uses quite some nice sandboxing and has become quite famous for being nearly unbreakable. They also have a bug bounty program, so if you find a way to break out of their sandbox you can get up to 100k. Good luck :)
Why? My sandbox is better than that of Chromium.
No, your sandbox, like mine, is a cage that surrounds the contained applications. Chromium's is a nice coat that fits perfectly and is adapted to the application. That is actually better.
grsecurity has user namespaces enabled but restricted to privileged users only. This allows privileged apps like Docker to use this feature. I think they know what they are doing.
Docker is not a security mechanism because its mission is totally different.
I did not say that.
Also, SECURITY != TOOL. So, unless you understand what grsecurity does, don't use it.
Although I know quite well what they are doing, I disagree with you here. grsecurity is in part a great feature because it does not need configuration/interaction to work. Everyone can use it as long as they don't mess with it without understanding what they do.