> "For a security focused OS, OpenBSD is terrible in this regard. Pledge and Unveil are simply not sufficient."
Does that mean that OpenBSD's mitigations are trivial to exploit? "Terrible" and "simply not sufficient" are strong words. If so, can you provide a working proof-of-concept? I keep asking this of people who make this statement because I'm genuinely interested in seeing it demonstrated as it has negative implications for me, but no one wants to spend time proving their point.
It'll never happen. Every single time this comes up it turns into the same thing over and over again. You must remember the person that said they'd "write a blogpost bypassing OpenBSD mitigations next week" and that's been well over a month now and, surprise, there's no blog about this.
Everything OpenBSD does is wrong and trivial to bypass but everyone's too busy to do it. Maybe the dumbest part about this is that nobody on the other side of this is making claims that these mitigations are perfect in any way.
Qualys has bypassed some OpenBSD malloc hardening features recently but then they don't go around making wild or insulting claims about how wrong and trivial they are either. Go figure.
Just replying to provide some context [1] for those who come across this comment as I think it's pretty interesting. Also OpenBSD are working on something for this [2].
It means if you look at any number of the security vulnerabilities that affected OpenBSD base system that they disclosed, or any number of bugs in third party software they haven't audieted, out of the vulns that allow root and/or rce, a lot of damage can be done on a 'secure' OpenBSD system, which something like SELinux can prevent.
Lets say Apache or something had a remote root bug (despite not running as root) that granted a shell was was pretty easy to exploit. An SELinux system can protect an unkown but actively exploited bug like that more than OpenBSD can.
The OpenBSD approach is just to keep looking and hope you've found every bug that would possibly allow for anything like that, and hope they've found them all.
Yes, SELinux and AppArmour can cover these angles in a kind of "application-agnostic" fashion. If anyone would bother using them. Practically nobody does. In the case of SELinux it's usually such a hassle that administrators immediately set the thing to permissive/disabled mode and forget about it. I think OpenBSD's efforts in securing the base system without users having to configure or meddle with the details is a pretty good compromise.
The whole thing about SELinux being so bad it's always just disabled simply isn't true.
Red Hat and Fedora have been using it in the default setup for ages, with permissive roles for unknown stuff but things that ship with RHAT locked down, and their support will even help with that.
OpenBSD's efforts in auditing are not a good compromise. It's not any compromise. It's best practices that do very little to help in the event of an actual breach.
> "OpenBSD's efforts in auditing are not a good compromise. It's not any compromise. It's best practices that do very little to help in the event of an actual breach."
> "... a remote root bug (despite not running as root) that granted a shell ..."
This example of yours would begin with an exploit (or feature) of the third-party software, which in turn managed to pivot into an exploitable hole in the kernel/base system in order to gain these escalated privileges. Securing the kernel/base system is where their focus is.
I'm not challenging the idea of a blanketing solution like AppArmor, just the notion that the OpenBSD team's efforts are "terrible" and "simply not sufficient".
> This example of yours would begin with an exploit (or feature) of the third-party software, which in turn managed to pivot into an exploitable hole in the kernel/base system in order to gain these escalated privileges. Securing the kernel/base system is where their focus is.
Sure, but the 'base' system doesn't really have anything that people use or that is going to have bugs. It's kind of a copout.
> just the notion that the OpenBSD team's efforts are "terrible" and "simply not sufficient".
Terrible is maybe a bit strong, but they certainly are not sufficient. There are numerous exploits and exploitation paths that pledge and unveil won't prevent, but MAC/RBAC or other DAC alternatives will.
Take a breath. Read it again. If you still don't understand something, think about what it is you don't understand, then state your issue clearly so I can help you.
I'm not sure what to tell you. It didn't make sense. It doesn't make sense. There was nothing technical about what you wrote. Other people don't need to confirm that something doesn't make sense to me. I'm not making a claim, I'm telling you that it didn't make sense. What do you not understand about this?
I'm not trying to insult you or dispute what you wrote. I'm just telling you, again, that it does not make sense.
You keep repeating that all OpenBSD tries to do is audit to find bugs, but that is very obviously not all that they do to prevent exploitation and post-exploitation issues. I'm not sure why you keep doing that. This is one of the parts that doesn't make sense to me.
You say that unveil or pledge aren't enough or aren't as good as SELinux. There is nothing technical about saying that. That's just your opinion that others do not share. I'm not even commenting on whether or not I agree or disagree with you about that. However, you aren't making a point in expressing this opinion. That's something else that doesn't make sense to me.
So, do you want to try to explain what point you're trying to make again? The whole thing. All I'm getting from the things you're saying is that you love SELinux and you have almost no understanding of any other aspect of what OpenBSD does beyond auditing code.
No, you ARE making a claim, and that claim is bullshit. Certain knowledge is required to understand what I wrote and why it makes sense. And it does make sense, which is why other people were able to meaningfully respond to what I wrote.
It's fine that it doesn't make sense to YOU, but you shouldn't confuse that with it not making sense objectively, which it does.
OpenBSD doesn't literally ONLY try to audit bugs, but it is the bulk of their work and they prioritize that over addin or improving mechanisms to lockdown and prevent exploitation issues.
Others can disagree that pledge or unveil are not as good as SELinux, but they would be wrong. It isn't a subjective issue, and you would have to be rather ignorant of the differences to insist it is. SELinux removes the concept of an all powerful root user, and can grant every process the specific minimum access it needs. Pledge and unveil don't come close to offering anything like that.
Then you say I'm not making a point...even though you clearly here disagree with the point I supposedly didn't make. Are you by chance on the spectrum? Just trying to understand your issues with what I wrote, it's quite odd.
I'm not interested to explain anything further as I don't think it would be productive in proportion to the effort I would have to expend. I'm mainly just curious to see where this goes at this point.
Not trying to fight at all, but no time for someone that has such trouble comprehending something and then blames the author instead of being able to self-reflect.
Does that mean that OpenBSD's mitigations are trivial to exploit? "Terrible" and "simply not sufficient" are strong words. If so, can you provide a working proof-of-concept? I keep asking this of people who make this statement because I'm genuinely interested in seeing it demonstrated as it has negative implications for me, but no one wants to spend time proving their point.