ASLR and PIE disabled by default
Carsten Mattner
carstenmattner at gmail.com
Mon Apr 3 17:25:14 PDT 2017
Another criterion for a system sandboxing mechanism I would have is
that your Firefox or mpv gets temporary or shadow mounted versions
of stuff that exists for real and permanently and then is allowed
to mess with it. When it exits, the profile for the application will
determine what parts may, if any, percolate out and be applied to
the shared outside world. This should be seldom used and limited
to special cases like selectively setting the flag that says
"you may exec jit in this binary's temporary process space".