undefined | Better HN

0 pointscommandersaki1y ago0 comments

> Well that's nonsense. SELinux can protect against anything AppArmor can since AppArmor provides only a subset of features.

This is from Dan Walsh who is quite famous in the SELinux community [1]. See the part "Why didn't SELinux block it?"

Sure you can configure SELinux with a stricter policy, but virtually nobody does that in practice, they use the defaults, mostly because SELinux policies are really only used to fix stuff SELinux default policies break, usually using the audit2allow or whatever its called.

> I sense you might not be interested in this since you've said you just want benchmarks

If the EDR/antivirus industry can have various test suites and testing organisations, the same methodologies can apply to OS security subsystems. Let's see what happens with your default RH/SELinux, Ubuntu/Debian & AppArmor, and for shits and giggles OpenBSD, and see how they fare against exploits and vulnerabilities harvested over the years, and make reproducible labs. That's what I'm asking; I'm not going to scour security advisories to do tit for tat comparisons, I would rather see a well thought approach to this.

We do this kind of comprehensive benchmarking with all sorts of software such as compression, cryptographic libraries, compilers / languages, etc. Traditionally this would've been harder in the days when virtualisation and utility computing was nascent, but the infrastructure part is pretty achievable these days. Just need to someone to expend the effort (and I'm not volunteering).

[1]: https://danwalsh.livejournal.com/71122.html

0 comments

ruthmarx1y ago

> Dan Walsh who is quite famous in the SELinux community

Yes, I know who Dan Walsh is, it's part of why I linked to his article in this case.

> See the part "Why didn't SELinux block it?"

Yes....did you understand it? Or just read the title and assume you were right?

SELinux didn't prevent the exploit code from running, which is exactly normal and exactly the same as AppArmor.

What it did was prevent the code from being able to do anything.

So in that sense, SELinux absolutely stopped Shellshock to the same extent AppArmor would have.

> If the EDR/antivirus industry can have various test suites and testing organisations, the same methodologies can apply to OS security subsystems.

There's fundamentally less need because thees are open source systems and the design is sufficient to judge. You're just being incredibly lazy and justifying not wanting to learn these designs, or you otherwise don't want to put in the work to do so.

Imagine you see the design for a speedboat and a submarine. It's sufficient look at the designs alone to see that one cannot operate submerged underwater for an extended period of time. There is no need for tests to demonstrate that point.

The reason for EDR/antivirus test suites is because most solutions were closed source black magic and some kind of comparison is needed. That isn't as true in this case.

> Let's see what happens with your default RH/SELinux, Ubuntu/Debian & AppArmor, and for shits and giggles OpenBSD, and see how they fare against exploits and vulnerabilities harvested over the years, and make reproducible labs.

This already exists in the form of security advisories, as I said you are just being very lazy. As I said, feel free to check or ask an LLM to do it for you, to ask how many Debian security advisories were mitigated by AppArmor vs how many RedHat says were mitigated by SELinux. OpenBSD doesn't apply since it has no type of similar system.

> I'm not going to scour security advisories to do tit for tat comparisons, I would rather see a well thought approach to this.

Right, as I said you're being lazy. The information exists, you just don't want to put in the effort, you want a nice blog post you can blindly refer to.

> Just need to someone to expend the effort (and I'm not volunteering).

No one will because there is no need. The designs of these systems show what they can and cannot restrict and that is enough. You should put in, at least, a minimum of effort to understand why these abstract systems are not really comparable to antivirus solutions and why the testsuites you think make sense, don't.

j / k navigate · click thread line to collapse