Secure Coding mailing list archives
Re: Comparison of SubDomain, SELinux and systrace
From: "Jared W. Robinson" <jared_robinson () email com>
Date: Wed, 17 Mar 2004 07:22:28 +0000
Hi Crispin, Thanks for the detailed response and comparison of SubDomain to SELinux and systrace. As I understand it, if SubDomain-restricted program A starts program B, then B is governed by the SubDomain rules for B, and not by the rules of A. Correct? In theory, an attacker that compromises program A may be able to break out of "jail" if he can invoke another vulnerable program that either isn't restricted by a SubDomain rule set, or by one that has too lax of a rule set. Is it possible to have separate SubDomain rule sets for each user of an application? For example, if I set up a guest account on a machine, I may want the account to have far less access than a more trusted user. - Jared Crispin Cowan wrote: No, Immunix is proprietary. We are a technology company; our goal is to license Immunix technologies (including SubDomain) to server appliance vendors to enable them to enhance their product security and reduce their cost of achieving security in their products. I hope that the message gets out to vendors, and that they care enough about security to implement SubDomain and/or other technologies for their appliances. What percentage of applications have SubDomain policies written for them? "Percent" is not a meaningful question. Good point. - Jared
Current thread:
- Re: Opinion re an interesting article on Linux security in Linux Journal, (continued)
- Re: Opinion re an interesting article on Linux security in Linux Journal der Mouse (Mar 10)
- Re: Opinion re an interesting article on Linux security in Linux Journal Bill Cheswick (Mar 10)
- Re: Application Sandboxing, communication limiting, etc. Jared W. Robinson (Mar 10)
- Re: Application Sandboxing, communication limiting, etc. ljknews (Mar 10)
- Re: Re: Application Sandboxing, communication limiting, etc. Jose Nazario (Mar 10)
- Re: Re: Application Sandboxing, communication limiting, etc. Crispin Cowan (Mar 13)
- Re: Re: Application Sandboxing, communication limiting, etc. Jared W. Robinson (Mar 16)
- Re: Application Sandboxing, communication limiting, etc. Jared W. Robinson (Mar 10)
- Re: Re: Application Sandboxing, communication limiting, etc. Crispin Cowan (Mar 14)
- Re: Re: Application Sandboxing, communication limiting, etc. Jared W. Robinson (Mar 16)
- Re: Re: Application Sandboxing, communication limiting, etc. Crispin Cowan (Mar 16)
- Re: Comparison of SubDomain, SELinux and systrace Jared W. Robinson (Mar 16)