Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://grapheneos.social/users/GrapheneOS/statuses/113943974954938954">GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 04-Feb-2025 15:25:39 JST</a><a href="https://grapheneos.social/@GrapheneOS" title="grapheneos@grapheneos.social"><img src="https://gnusocial.jp/avatar/99224-48-20240219114657.webp" width="48" height="48" alt="GrapheneOS" style="position: absolute; left: 0; top: 0;">GrapheneOS</a><div><a href="https://hachyderm.io/@dalias/113943938093220223" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p><a href="https://hachyderm.io/@dalias">@dalias</a> Access control is primarily for securing userspace rather than the kernel itself. SELinux offers a large amount of capabilities for securing userspace which aren't available through other access control mechanisms. Linux doesn't have any modern object capability system and there would still be a need for static, declarative policies if it did. Android also heavily uses SELinux for kernel attack surface reduction too. There isn't any serious alternative upstream. It's the only option.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4504772#notice-8820970">In conversation</a><time datetime="2025-02-04T15:25:39+09:00" title="Tuesday, 04-Feb-2025 15:25:39 JST">about 18 days ago</time> <span>from <span><a href="https://grapheneos.social/@GrapheneOS/113943974954938954" rel="external" title="Sent from grapheneos.social via ActivityPub">grapheneos.social</a></span></span><a href="https://grapheneos.social/@GrapheneOS/113943974954938954">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
GrapheneOS (grapheneos@grapheneos.social)'s status on Tuesday, 04-Feb-2025 15:25:39 JSTGrapheneOS
in reply to
- Rich Felker
@dalias Access control is primarily for securing userspace rather than the kernel itself. SELinux offers a large amount of capabilities for securing userspace which aren't available through other access control mechanisms. Linux doesn't have any modern object capability system and there would still be a need for static, declarative policies if it did. Android also heavily uses SELinux for kernel attack surface reduction too. There isn't any serious alternative upstream. It's the only option.
In conversationabout 18 days ago from grapheneos.socialpermalink

Public

Embed Notice

HTML Code

Corresponding Notice