On 03.10.2017 19:27, Christos Zoulas wrote:
> On Oct 3, 7:03pm, max%m00nbsd.net@localhost (Maxime Villard) wrote:
> -- Subject: Re: CVS commit: src/sys
>
> | What about you both cut the drama and the bullshit right here. What has been
> | said already repeatedly, again, and again, is that choosing one side over the
> | other just does not work. There is no "most secure", there is no "most usable".
> | There is the *middle* of it; some security with features that are still
> | compiled but not accessible by unpriv user by default, some usability with a
> | way to enable the feature that requires the least effort possible.
>
> How about the most usable is what we have now, and the most secure we can
> get via a sysctl? Or the other way around? We do need a decision on where
> we are heading though, because we keep disabling features piecemeal in the
> name of security.
>
> christos
>

I think that the approach in the middle is to use secmodel_securelevel(9).
Add a fine-grained switch at which level compat_* stops working, with default "1".
Desktop users will use INSECURE, server ones SECURE.

I run Opera with compat_linux and from time to time bootstrap something from
Linux executables. I don't care about extra hardening; my desktop does not
serve any public services.

For a server or a product I wouldn't want to run such executables, and I would
use SECURE or HIGHLY-SECURE mode.

The MODULAR vs non-MODULAR kernel approach appears to me too complex.