On Wed, Jul 21, 2021, 10:38 AM Reco <recovery...@enotuniq.net> wrote:
> On Wed, Jul 21, 2021 at 10:51:40AM -0400, Celejar wrote: > > On Wed, 21 Jul 2021 11:16:46 +0300 > > Reco <recovery...@enotuniq.net> wrote: > > > > > > browsers are just full of vulnerabilities, > > True. Every version of Chromium and Firefox fixes at least one. > Most of said vulnerabilities do cannot be used to get Remote Code > Execution (RCE) though. Which leaves us with "random download" scenario, > which I've discussed above. > > > so why couldn't ransomware get in that way? > > It could. In a lack of a proper execution environment (be it JRE, > flatpak, snap or whatever) - what should it do next? Wait for a user to > execute it? > AFAICS the only solution with any finality is multilevel granular security on any OS with connectivity. This means SElinux in true multilevel-security mode, a bit beyond what RedHat used to call "targeted mode". The US DoD called it mandatory access-control in its Rainbow Books in the 1990s, B-level security. The Rainbow Books are freely available online today. It doesn't have to be SElinux, I don't know if RSBAC is still an active project for example. The key to getting this granularity is configuring the security rule-base for any given desktop or server in an unattended way (YOURS for example :-) There are templated rulesets but what seems to be lacking is an easy way to refine that ruleset into something that works right for you personally, your desktop or server. Ideally without your intervention IOW. And without removing any lower-stack security mechanisms, just using them as building blocks. As mandatory builds on "discretionary" access-control, which is built into the Linux filesystem model. Reco > >
