Reinventing the wheel?
When I look at the given examples in this article I can't help wonder..
"Using the tool, Java, for example, could be enabled for intranet applications but blocked when it comes to sourcing anything from the wilds of the worldwide web."
That's a poor example to start with ("Java" being what? Java webstart, Java applications which use the network?) but wouldn't a properly set up firewall make more sense here? It'll have no problems with separating network streams which go out onto a (trusted) Intranet or into the Internet.
But when taking closer look at the actual explanation it becomes even more bothersome. For starters this thing is for i386 (32bit) environments only, that doesn't sound too reassuring to me. I also don't quite grasp the potential of this still being a userland process.
Maybe I'm spoiled or have been brainwashed but when I think about security the first thing popping up in my mind is kernelspace. Can't be easily touched from userland, and can basically dictate just about everything.
# sysctl security.bsd.see_other_uids=0
After issuing this on my FreeBSD box you're going to have a good time trying to poke around using ps, procstat, pstat or even by trying to access procfs directly (mount it on /proc for example). Not gonna work; after that my kernel won't let you. It won't simply block you from accessing processes to which you have no access too (think PID 1 (init)); it'll simply tell you that those processes don't even exist at all :-)
THAT is a display of security for me. And but one example of the extensive things I can pull off with this stuff. And process accounting (which seems to be related to all this) has been around for quite some time on Unix(-like) environments. But the thing is; the actions taken based on that are always actions after the fact. I think the best thing is to be one step ahead.