So the NSA baseline of Linux + SELinux (that they helped develop) does not meet your needs but MacOS does? Please educate me.
So the NSA baseline of Linux + SELinux (that they helped develop) does not meet your needs but MacOS does? Please educate me.
SELinux is a framework not a solution. Main places that gap is closed are Android and ChromeOS, not normal distros.
MacOS has:
- Serious integrity story
- Actual kernel hardening
- No reams and reams of garbage in their kernel (wouldn't have equivalents to the recent AF_ALG vulns coz they don't have dumb stuff like AF_ALG).
- Filesystem security boundaries retrofitted onto the Unix model (interesting user data, browser creds etc are gated by special permissions that are tied to the application build, backed by the integrity story - a `curl | bash` command cannot dump your ~/Documents)
When people escalate privileges on MacOS it's news, when they do it on Linux it's Tuesday (you might think the recent spate of privesc vulns on Linux was unusual but that is totally normal).
I say this as someone who works on Linux security every day (I am a kernel developer) and uses Linux on every computer I have, both at work and at home, BTW. I am not a Linux hater or Apple fanboy by any means.
These are all solvable problems at EU scale too. Just, I think they should solve other problems first in the priority list of delivering sovereign IT.