Re: Comparison of SubDomain, SELinux and systrace

["Jared W. Robinson" <jared_robinson () email com>]

Hi Crispin,

Thanks for the detailed response and comparison of SubDomain to SELinux 
and systrace.


As I understand it, if SubDomain-restricted program A starts program B, 
then B is governed by the SubDomain rules for B, and not by the rules of 
A. Correct?


In theory, an attacker that compromises program A may be able to break 
out of "jail" if he can invoke another vulnerable program that either 
isn't restricted by a SubDomain rule set, or by one that has too lax of 
a rule set.


Is it possible to have separate SubDomain rule sets for each user of an 
application? For example, if I set up a guest account on a machine, I 
may want the account to have far less access than a more trusted user.


- Jared

Crispin Cowan wrote:

No, Immunix is proprietary. We are a technology company; our goal is 
to license Immunix technologies (including SubDomain) to server 
appliance vendors to enable them to enhance their product security and 
reduce their cost of achieving security in their products.


I hope that the message gets out to vendors, and that they care enough 
about security to implement SubDomain and/or other technologies for 
their appliances.



What percentage of
applications have SubDomain policies written for them?

"Percent" is not a meaningful question. 


Good point.

- Jared