Re: [SC-L] Re: Application Sandboxing, communication limiting, etc.

2004-03-16 Thread Jared W. Robinson
On Fri, Mar 12, 2004 at 04:03:34PM -0800, Crispin Cowan wrote:
> Jose Nazario wrote:
>
> >SELinux. LIDS. systrace (Linux, BSD, MacOS X). a few things on FreeBSD i
> >can't recall.
> >
> SubDomain predates all of these except for SELinux (which has roots that
> go back nearly 20 years) and LIDS go

Re: [SC-L] Re: Application Sandboxing, communication limiting, etc.

2004-03-16 Thread Jared W. Robinson
> This is exactly what Immunix SubDomain does: define the files and
> network activities that each program may access. We use regular
> expressions to specify policy, so for instance, fingerd could be
> permitted to read /home/*/.plan and not read anything else.

I'm glad to hear that SubDomain

Re: [SC-L] Re: Application Sandboxing, communication limiting, etc.

2004-03-16 Thread Crispin Cowan
Jared W. Robinson wrote: This is exactly what Immunix SubDomain does: define the files and network activities that each program may access. We use regular expressions to specify policy, so for instance, fingerd could be permitted to read /home/*/.plan and not read anything else. I'm glad

[SC-L] Re: Comparison of SubDomain, SELinux and systrace

2004-03-16 Thread Jared W. Robinson
Hi Crispin, Thanks for the detailed response and comparison of SubDomain to SELinux and systrace. As I understand it, if SubDomain-restricted program A starts program B, then B is governed by the SubDomain rules for B, and not by the rules of A. Correct? In theory, an attacker that compromise