Using some kind of Mandatory Access Control, such as GrSecurity, AppArmor or SELinux, would make exploitation of security issues in bundled software harder.
grsecurity, along with more kernel hardening features, provides Role-Based Access Control. Some of its bonus features are slowly implemented upstream though (ASLR stack/heap protection, information leakage through the proc and sys filesystems, ways to disable module loading, etc).
A feature that might be problematic is the "admin role" which is a superuser (more then root in grsec) that has the ability to modify/(des)activate grsecurity. How to implement this in a Tails environment, where passwords aren't that secret? Should users of Tails be able to login in that role, and if so, how could we provide a way to do so without lower grsec security by revealing worldwide this password?
Hardened Gentoo offers a grsec-enabled kernel. RBAC policy?
Although Liberte Linux uses PaX (Address space modification protection) it does not include grsecurity RBAC feature.
Work to add a grsec kernel flavour to Debian seems to be stalled: Debian bug #605090.
Ubuntu developers used to actively work to upstream grsec features mainline, but this effort seems to have stalled, or rather moved to another employer along with Kees Cook.
Developed initially by big brother (NSA).
It is pretty hard to write and maintain policies, but such policies exist and they can "mostly" be used by different Linux distributions.
Poor support in Debian, improved in Squeeze, does not look like it's going to improve that much.
- selinux policies are part of Squeeze
- GNOME, policykit, etc. are supported by Debian-packaged policies, but who is actually using them to confirm they work well?
Some (MAC for files) of the TOMOYO Linux LSM (homepage) was mainlined in 2.6.30; more of it was merged in 2.6.34 and 2.6.36.
It is compiled into Debian Squeeze's kernel.
The out-of-tree patch has far more features, see the comparison of versions for details.
A "tomoyo learning daemon" is actually being developed by a third party : tomld, might be worst having a look and test it.
For informations on the ongoing tests of this solution, see the tomoyo subpage.
RSBAC is a Rule Set Based Access Control. It has a lot of other features. It's just a patch to the linux kernel, and probably won't be integrated upstream. Seems no distributions did integrate it or provide easy ways to do so.
Ubuntu has a package of the rsbac-admin utility.
- Comparing SELinux/AppArmor/GRSecurity
- Another comparison from gentoo
- yet another comparison
- An exploit that was able to bypass SELinux and AppArmor protections by the author of grsecurity, which was safe.