Subject: Limiting systrace to root user?
To: None <tech-security@netbsd.org>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 03/29/2005 09:45:37
Though I have no _specific_ reason for this concern, I am concerned about
potential privilege-escalation attacks on systrace.  In particular, I'm
concerned that if there are such holes in systrace, since ordinary users
can invoke systrace it may be possible for them to gain root privileges.

What I'd actually like to do is limit use of systrace on my system to the
root user -- but still be able to run systraced applications with the
privileges of non-root users unless the relevant policy specifies "as root"
for specific operations.  It looks like this would take some changes to
systrace since you can't just setuid() then invoke the systrace kernel
machinery any more.

Has anyone made the necessary changes to do this, or thought about this
issue harder?

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com

"The inconsistency is startling, though admittedly, if consistency is to be
 abandoned or transcended, there is no problem."		- Noam Chomsky
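An added example, not part of the message above and not code from systrace or NetBSD: the privilege-drop step that the root-only wrapper described above would need before executing a traced program as an ordinary user. It deliberately does not touch the systrace kernel interface (the message notes that simply calling setuid() before invoking systrace no longer works); it shows only the drop itself, in the order that cannot be undone, and a check that the process really is confined to the target uid before anything else happens. The function names `drop_to_user` and `verify_dropped` are this example's own.

```c
/* Added example: correct order for dropping from root to a target user,
 * plus a verification that the drop is complete and irreversible.
 * Not systrace code; a hypothetical wrapper would call these before exec. */
#define _DEFAULT_SOURCE   /* glibc: expose setgroups(); harmless on BSD */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid.  Supplementary groups go first (only root may change
 * them), then the gid, then the uid; once the uid is non-zero the earlier
 * steps would be refused.  Returns 0 on success, -1 with errno set. */
int drop_to_user(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Reduce inherited supplementary groups to just the target gid. */
        if (setgroups(1, &gid) == -1)
            return -1;
    }
    /* setgid before setuid: after setuid we may no longer change the gid. */
    if (setgid(gid) == -1)
        return -1;
    /* For a root process setuid() sets real, effective and saved uid. */
    if (setuid(uid) == -1)
        return -1;
    return 0;
}

/* Return 1 if the process is confined to uid/gid and cannot regain root,
 * 0 otherwise.  The setuid(0) probe catches a drop that left the saved
 * uid at 0, which is the classic incomplete-drop mistake. */
int verify_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0) {
        if (setuid(0) == 0)      /* succeeded: root is still reachable */
            return 0;
        if (errno != EPERM)
            return 0;
    }
    return 1;
}

int main(int argc, char **argv)
{
    /* Stand-alone demo: "drop" to the ids we already have and verify.
     * A real wrapper would take the target user from the policy or argv. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    (void)argc;
    (void)argv;

    if (drop_to_user(uid, gid) == -1) {
        fprintf(stderr, "drop_to_user: %s\n", strerror(errno));
        return 1;
    }
    if (!verify_dropped(uid, gid)) {
        fprintf(stderr, "privilege drop incomplete; refusing to exec\n");
        return 1;
    }
    /* Only now would the traced program be exec'd. */
    printf("confined to uid %ld gid %ld\n", (long)getuid(), (long)getgid());
    return 0;
}
```

The point of the verification step is that a wrapper which exec's the target after an incomplete drop hands the traced program a saved uid of 0, which is exactly the escalation path the message worries about; refusing to exec unless `verify_dropped` succeeds makes that failure loud instead of silent.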