Subject: Re: Systrace policy fingerprints? (Re: finer grained IPNOPRIVPORTing)
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Simon J. Gerraty <sjg@crufty.net>
List: tech-security
Date: 05/30/2005 16:43:27
>What I intend would be to extend veriexec so that a given executable
>can have both its own fingerprint _and the fingerprint and pathname
>of an associated systrace policy_ added.  When the executable were
>invoked, the kernel would invoke it under the control of
>/bin/systrace -c <invoking uid> but run /bin/systrace itself as root;
>if the policy were not present in the filesystem or its fingerprint
>did not match, the executable would not run at all.

>It would in fact be nice to decouple this so that a systrace policy
>path and fingerprint could be loaded without loading a fingerprint
>for the executable -- that would have the result "whatever executable's
>at that path, so long as you run it under this systrace policy".  And

I think this would be better - for some reason I assumed systrace already
worked this way, i.e. load a bunch of policy/path tuples into the kernel
in much the same way that veriexec fingerprints are done. Thus telling
the kernel "this app always gets run with this policy".

--sjg
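The exec-time decision sketched in this thread, as an added example in Python; it is not part of either message and is not NetBSD's veriexec or systrace code. It assumes SHA-256 as the fingerprint algorithm, a hypothetical four-column table format (executable path, executable fingerprint or `-`, policy path, policy fingerprint), and a `-f <policy>` flag for systrace; the `-c <invoking uid>` wrapping is the one proposed in the quoted text. It exercises both variants discussed: an entry that pins the executable's fingerprint, and a decoupled entry that pins only the policy, so that replacing the binary is allowed but a missing or altered policy refuses the exec.

```python
"""Userland model of the exec-time check sketched in the thread above.

Added example, not code from the message or from NetBSD.  It models a table
of (executable path, optional executable fingerprint, policy path, policy
fingerprint) entries and the decision the kernel would take at exec time.
SHA-256 is an assumed fingerprint algorithm; the table format, check_exec()
and the systrace argv are illustrative, not NetBSD's veriexec format.
"""
import hashlib
import os
import tempfile


def fingerprint(path):
    """SHA-256 of a file's contents, as a hex string (assumed algorithm)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def load_table(text):
    """Parse 'exec_path exec_fp|- policy_path policy_fp' lines (hypothetical format).

    A '-' in the exec_fp column is the decoupled case from the thread:
    whatever is at exec_path runs, but only under the named policy.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError("malformed entry: %r" % line)
        exec_path, exec_fp, policy_path, policy_fp = fields
        table[exec_path] = (None if exec_fp == "-" else exec_fp, policy_path, policy_fp)
    return table


def check_exec(table, exec_path, invoking_uid):
    """Decide what exec(2) of exec_path should do.

    Returns (argv, None) when the exec may proceed, or (None, reason) when it
    must be refused.  argv is the wrapped command line: systrace runs as root
    and drops to the invoking uid via -c, as proposed in the message; the -f
    policy-file flag is an assumption of this example.
    """
    entry = table.get(exec_path)
    if entry is None:
        # Nothing registered for this path: ordinary exec, no wrapping.
        return [exec_path], None
    exec_fp, policy_path, policy_fp = entry
    if exec_fp is not None:
        if not os.path.isfile(exec_path):
            return None, "executable missing"
        if fingerprint(exec_path) != exec_fp:
            return None, "executable fingerprint mismatch"
    # The policy must exist and match whether or not the executable is pinned.
    if not os.path.isfile(policy_path):
        return None, "policy missing"
    if fingerprint(policy_path) != policy_fp:
        return None, "policy fingerprint mismatch"
    return ["/bin/systrace", "-c", str(invoking_uid), "-f", policy_path, exec_path], None


def demo():
    """Build a constructed filesystem in a temp dir and exercise each outcome."""
    d = tempfile.mkdtemp()
    exe = os.path.join(d, "app")          # decoupled entry: policy pinned, binary not
    pinned = os.path.join(d, "pinned")    # pinned entry: binary and policy both pinned
    pol = os.path.join(d, "app.policy")
    with open(exe, "wb") as f:
        f.write(b"#!/bin/sh\necho app\n")
    with open(pinned, "wb") as f:
        f.write(b"#!/bin/sh\necho pinned\n")
    with open(pol, "wb") as f:
        f.write(b"# constructed stand-in for a systrace policy\n")
    table = load_table("# exec_path exec_fp policy_path policy_fp\n"
                       "%s - %s %s\n" % (exe, pol, fingerprint(pol)) +
                       "%s %s %s %s\n" % (pinned, fingerprint(pinned), pol, fingerprint(pol)))
    results = {}
    results["decoupled"] = check_exec(table, exe, 1000)
    results["pinned"] = check_exec(table, pinned, 1000)
    with open(exe, "ab") as f:            # decoupled: replacing the binary is fine
        f.write(b"echo changed\n")
    results["decoupled_changed"] = check_exec(table, exe, 1000)
    with open(pinned, "ab") as f:         # pinned: an altered binary is refused
        f.write(b"echo changed\n")
    results["pinned_changed"] = check_exec(table, pinned, 1000)
    with open(pol, "ab") as f:            # a tampered policy refuses the exec
        f.write(b"# tampered\n")
    results["policy_changed"] = check_exec(table, exe, 1000)
    os.remove(pol)                        # a missing policy refuses the exec
    results["policy_missing"] = check_exec(table, exe, 1000)
    results["unregistered"] = check_exec(table, os.path.join(d, "other"), 1000)
    return results


if __name__ == "__main__":
    for name, (argv, reason) in demo().items():
        print("%-18s %s" % (name, " ".join(argv) if argv else "DENIED: " + reason))
```

Running the file prints the decision for each constructed case. Note that the policy check runs after the executable check in `check_exec()`, so a pinned entry with a tampered binary reports the binary mismatch even when the policy is also bad; the ordering does not affect the outcome, since either failure refuses the exec.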