----- Reply to message -----
Subject: Re: [arch-general] user namespaces
Date: 2 February 2017 at 18:22:36
From: "Daniel Micay" <danielmicay@gmail.com>
To: "General Discussion about Arch Linux" <arch-general@archlinux.org>

On Thu, 2017-02-02 at 17:06 +0200, Francisco Barbee via arch-general wrote:
So what are your alternatives/setups usable on Arch (not Android, not ChromeOS)? We have disabled SELinux, disabled AppArmor, disabled user namespaces, PIE not enabled by default and only partial RELRO. What's left then? Swimming naked?

You're venturing totally off-topic here, but I'll respond anyway.

The intention is to enable PIE by default but no one is stepping up to help Allan with it. There are binutils test failures that need to be triaged, and either fixed or ignored if they are not real failures.

Arch has a hardened linux-grsec kernel package which offers multiple MAC options enabled. The reason for SELinux and AppArmor not being enabled for linux or linux-grsec has to do with audit. If people were willing to do a bit of work, all of the MAC implementations rather than only grsecurity RBAC and TOMOYO could be available. I don't see much value in a huge amount of choice here anyway. None of it is particularly relevant to sandboxing desktop applications due to X11, pulseaudio, dbus, etc. In theory Wayland was supposed to be forward progress on that front but it depends on the Wayland compositor choosing to provide a real security model.

Unprivileged access to user namespaces is an anti-security feature, not a security feature. User namespaces themselves offer essentially zero value to application containers. The uid/gid mapping is superfluous when using a different approach and it isn't even properly supported since there's so much missing. The distribution would be significantly less secure with them enabled for unprivileged use. You should be thankful that the feature is not exposed by default if you really care about security rather than just being a concern troll.
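Two of the properties argued over above, PIE and partial versus full RELRO, can be read straight off a binary's ELF headers. The following checker is an added example written for this page, not code from the thread, from Arch or from the binutils/PIE work Daniel mentions. It assumes 64-bit little-endian ELF only, reports any ET_DYN object as position independent (shared libraries are ET_DYN too), and applies the usual checksec-style rules: a PT_GNU_RELRO segment gives at least partial RELRO, and full RELRO additionally needs a bind-now marker in the dynamic section. The sample inputs it builds for itself are constructed header-only images, not loadable programs.

```python
"""
Check an ELF binary for two hardening properties from the thread above:
position independence (PIE) and RELRO level (none / partial / full).

Added example for this page, not code from the thread or from Arch.
Assumptions: 64-bit little-endian ELF only; ET_DYN is reported as PIE
even though shared libraries are ET_DYN as well.
"""
import struct
import sys

# ELF constants as defined in the ELF specification / glibc elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_FMT, PHDR_FMT, DYN_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"
EHDR_SIZE, PHDR_SIZE = struct.calcsize(EHDR_FMT), struct.calcsize(PHDR_FMT)
DYN_SIZE = struct.calcsize(DYN_FMT)


def check_elf(data: bytes) -> dict:
    """Return {"pie": bool, "relro": "none" | "partial" | "full"} for an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled by this example")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    # Scan the program headers for the dynamic segment and a GNU_RELRO segment.
    dynamic = None
    has_relro_segment = False
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)[:6]
        if p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_GNU_RELRO:
            has_relro_segment = True

    # Walk .dynamic for any of the three ways the linker records "-z now".
    bind_now = False
    if dynamic is not None:
        off, end = dynamic[0], dynamic[0] + dynamic[1]
        while off + DYN_SIZE <= end:
            tag, val = struct.unpack_from(DYN_FMT, data, off)
            off += DYN_SIZE
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True

    if not has_relro_segment:
        relro = "none"
    elif bind_now:
        relro = "full"     # GOT becomes read-only once all symbols are bound at load
    else:
        relro = "partial"  # GOT stays writable to allow lazy binding
    return {"pie": e_type == ET_DYN, "relro": relro}


def build_sample_elf(pie: bool, relro: str) -> bytes:
    """Constructed header-only ELF64 image for demonstration; it is not loadable."""
    dyn_entries = [(DT_FLAGS, DF_BIND_NOW)] if relro == "full" else []
    dyn_entries.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn_entries)

    seg_types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro != "none" else [])
    dyn_off = EHDR_SIZE + len(seg_types) * PHDR_SIZE
    phdrs = b"".join(
        struct.pack(PHDR_FMT, t, 4, dyn_off, dyn_off, dyn_off,
                    len(dyn_bytes), len(dyn_bytes), 8)
        for t in seg_types)

    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9  # ELFCLASS64, little-endian, v1
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, 62, 1, 0,
                       EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, len(seg_types), 64, 0, 0)
    return ehdr + phdrs + dyn_bytes


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:  # real binaries: python3 elfcheck.py /usr/bin/ls /usr/bin/ssh
        for path in targets:
            with open(path, "rb") as f:
                print(path, check_elf(f.read()))
    else:  # no arguments: run on the constructed samples
        for pie, relro in [(False, "partial"), (True, "partial"), (True, "full")]:
            print(f"sample pie={pie} relro={relro}:",
                  check_elf(build_sample_elf(pie, relro)))
```

Run it over a directory of installed binaries to get the same picture Francisco describes for a distribution: a non-PIE executable shows up as `pie: False`, and a package linked without `-z now` shows `relro: "partial"`. The results can be cross-checked against `readelf -h` (e_type) and `readelf -d` (DT_FLAGS / DT_BIND_NOW) on the same file.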
So your advice for now would be to use the grsecurity kernel and forget all those jails and namespaces until someone figures out a proper security solution?