Thanks Simon for your insightful feedback :) Indeed appreciated.

On 27/11/2025 11.24, Mark Wielaard wrote:
> Hi Simon,
>
> On Thu, Nov 27, 2025 at 08:19:30AM +0100, Simon de Vlieger wrote:
>> I've kept out of the ptrace discussion largely because I felt
>> trenches have been dug and they've been dug deep over time.  For
>> some reason I do feel the need to chime in today.  I hope you give
>> my opinion some consideration.
> Thanks, feedback appreciated.
>
>> On Wed, Nov 26, 2025, at 11:49 PM, Mark Wielaard wrote:
>> There's a third persona here that is overlooked and that is the person
>> with ill intent.  We can call them Mallory since I don't think anyone is
>> actually called Mallory on this list (I apologize if so).
> Right. If this was really about perceived security vulnerabilities
> then it would be all about Mallory.
>
>> I guess this all boils down to if people expect separate processes
>> as some form of a security boundary or not.
> And that indeed is the real insight. When Mallory already breached the
> real security boundary and is able to execute arbitrary code under
> your user id then the game is already over. There isn't really any
> additional security boundary that would prevent Mallory from executing
> anything or accessing any of your files, etc. Which brings us to your
> other observation:
>
>> We see very little of it in the public supply chain attacks as
>> of late. Perhaps that has to do with everyone and their dog
>> running their workloads containerized and under SECCOMP.
> Right, because those are real security boundaries. And that, plus
> having selinux mandatory access control and running untrusted code
> inside flatpaks/bubblewrap, is where we should concentrate our efforts
> if we really care about security.
In general, I am actually not sure if we read the same from Simon's
feedback; however, I would leave it now for others to interpret for
themselves, and I would prefer not to open the same discussion again, as
most of what you bring up has already been discussed, so I would not open
the circle again. However, while it was also already mentioned earlier,
that one I feel urged to highlight again: SELinux is not active within the
user account, and does not add security/isolation here. Enabling SELinux
within user accounts leads to confined users, and that I elaborated in the
proposal -> this does not work reliably and would regularly break a lot:
at the moment, for example, confinement broke Firefox and Thunderbird
partially (no downloads possible), not to mention that video conferencing
in browsers has been broken for a long time, and cockpit also regularly
breaks after updates. We cannot maintain SELinux confinement reliably.

> Thanks,
>
> Mark
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue