Comment by PrimeMcFly
2 years ago
> OpenBSD maybe gets there eventually.
Nah they won't. The devs have an irrational resistance to the very idea.
I disagree with your analogies. OpenBSD has a focus on auditing to remove all bugs, which is great, but they provide very little to help prevent what can be done if a bug is exploited, and they've certainly had no shortage of serious bugs.
> What use is MAC/RBAC if someone can gain kernel access with a 0 day exploit?
Kernel exploits are pretty rare. Most exploits are in userland.
I actually still think my analogy is apt.
Their safe is very hard, but once you are in, you are in. And I think I agree with your assessment, they aren’t likely to start creating MAC/RBAC solutions.
I think pledge(2) and unveil(2) would help to prevent "what can be done if a bug is exploited", yes?
Ever so slightly, but still a long ways off from proper MAC or RBAC support.