Browsers are terrible, because the web is terrible, because browsers are terrible. This is a feedback loop.

I swear I'm switching to mothra, I'm gonna just use mothra forever.

@r000t That's the 00s. The 90s, software didn't talk to the network unless there was a reason, and it was usually concerned with getting the data from the net to the local disk so you could do things with it locally.

@p @r000t Shit, I wanna go to that time…

@lanodan @r000t I imagine that your setup is probably still pretty close to that. (Mine is, anyway.)

@p @r000t Yeah, I even had a default AppArmor profile to prevent things like network requests on my system for a bit, sadly AppArmor is quite annoying to use and pretty sure SELinux is the same.

@lanodan @r000t Oh, yeah, I've never played with AppArmor but SELinux is a huge pain.

Current plan is to stop using Firefox outside a container of some sort.

@p @lanodan @r000t SELinux is far worse. Apparmor is simpler but you run into situations where it's impossible to lock down apps because of the way they're architected. I used to have a good, working custom apparmor profile for Firefox, but they made many changes that broke my profile and made it seemingly impossible to lock down again.

@Moon @p @lanodan @r000t i remember in the grsec days they had a tool that basically made exploits impossible if a program didn't need to dynamically allocate executable memory. which all the browsers do because of JITs in javascript. and there is no way to turn the JIT off.

@icedquinn @lanodan @p @r000t I used to use grsecurity extensively. I'm probably moving my mail server to OpenBSD.

@Moon @icedquinn @p @r000t @lanodan I just don't think OpenBSD in mail server role is going to be any more secure than Fedora. And why would it? Now of course locking down Firefox is different. Even then, some of the arguments you advanced in this thread look a little hockey, I'm sorry! You literally said "AppArmor was unable to lock down Firefox, but SElinux is worse". Yes, it's worse -- because it works and AppArmor does not! So yeah, I'm not losing sleep about Postfix on Fedora at all.

@pro @icedquinn @lanodan @p @r000t selinux is worse user experience, it doesn't work worse. Also I am not convinced that you can lock down all apps better with selinux. Some yes, some no.

anyway I nixed the openbsd thing because it's not well supported on beaglebone black.

@pro IMO, the only way that OpenBSD would be more secure is if the Fedora install has something open by default than OpenBSD doesn't, or if they're using a library with a security hole that is not the same library that is in use on OpenBSD. The vulnerabilities with the mail packages themselves should be the same. If you know how to lock down Fedora and keep it up to date, it should be basically as secure.

@kazriko I think it's more than open services. We're talking about break-in prevention and containment with things like ASLR and limits to syscall arguments that used to be provided by things like grsecurity and OpenBSD, and now are a common part of e.g. Fedora.