Subject: Re: trusted BSD?
To: Elad Efrat <elad@NetBSD.org>
From: Simon Gerraty <sjg@juniper.net>
List: tech-security
Date: 08/08/2005 11:12:39
>I believe the idea of having capabilities was to enable a ``fast path''

I don't consider capabilities as a fast path - rather something that can
be enforced - especially if capabilities associated with files are
loaded via veriexec. 

>It's important to remember that for systrace to be useful, you have to
>run the program through it. At the moment we have no way to enforce that
>yet. We also might want to supply default policies for some programs
>and/or daemons...

This is my big problem.  I need to make convincing arguments to
evaluation agencies to show that the system cannot run except in a
secure manner.

I'd rather have ping etc as normal binaries that can be run by normal
users and magically still be able to open raw sockets - capabilities
meets that requirement handily.  More importantly, when run by the
super-user, all capabilities other than that to open raw sockets
should be dropped during exec.

Otherwise you may just have a false sense of security.

--sjg
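The behaviour described above (a ping that normal users can run, that gets the raw-socket capability, and that drops every other capability when the super-user runs it), as an added example that is not code from this thread or from NetBSD. It is written against Linux's capability model, since NetBSD has no such interface; the raw capget/capset syscalls are used directly so it needs no libcap. The bit number 13 for CAP_NET_RAW is Linux's, and the function names (cap_restrict, cap_only_net_raw, drop_to_net_raw) are this example's own. On non-Linux hosts only the pure policy and verification steps are available.

```c
/* Added example, not NetBSD's or the thread's code. Keep only the
 * raw-socket capability and then verify that nothing else survived.
 * Assumes Linux's capability numbering (CAP_NET_RAW == bit 13). */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Linux numbering for the raw-socket capability (CAP_NET_RAW). */
#define CAP_BIT_NET_RAW 13u

/* One snapshot of a process's capability state: three bitmasks. */
struct capsnap {
    uint64_t effective;
    uint64_t permitted;
    uint64_t inheritable;
};

/* Policy: the only capability this program is allowed to hold. */
#define WANT ((uint64_t)1 << CAP_BIT_NET_RAW)

/* Pure policy step: from whatever we started with, keep CAP_NET_RAW only.
 * Permitted is masked to the policy; effective is clipped to permitted,
 * because a capability cannot be in effect unless it is permitted; the
 * inheritable set is emptied so nothing propagates through a later exec.
 * A process that never had CAP_NET_RAW does not gain it here; that is the
 * job of the capability attached to the file at exec time. */
struct capsnap cap_restrict(struct capsnap in)
{
    struct capsnap out;
    out.permitted   = in.permitted & WANT;
    out.effective   = in.effective & out.permitted;
    out.inheritable = 0;
    return out;
}

/* Verification step: true only if nothing outside the policy remains in
 * effective or permitted, and nothing at all is inheritable. */
int cap_only_net_raw(struct capsnap s)
{
    return (s.effective & ~WANT) == 0
        && (s.permitted & ~WANT) == 0
        && s.inheritable == 0;
}

#ifdef __linux__
#include <linux/capability.h>
#include <sys/syscall.h>
#include <unistd.h>

/* v3 headers carry each set as two 32-bit words; merge/split them here. */
static int cap_read(struct capsnap *s)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    s->effective   = ((uint64_t)data[1].effective   << 32) | data[0].effective;
    s->permitted   = ((uint64_t)data[1].permitted   << 32) | data[0].permitted;
    s->inheritable = ((uint64_t)data[1].inheritable << 32) | data[0].inheritable;
    return 0;
}

static int cap_write(struct capsnap s)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    data[0].effective   = (uint32_t)s.effective;
    data[1].effective   = (uint32_t)(s.effective >> 32);
    data[0].permitted   = (uint32_t)s.permitted;
    data[1].permitted   = (uint32_t)(s.permitted >> 32);
    data[0].inheritable = (uint32_t)s.inheritable;
    data[1].inheritable = (uint32_t)(s.inheritable >> 32);
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

/* Apply the policy to the running process and re-read the kernel's view
 * rather than trusting what we asked for. Returns 0 only when the check
 * passes afterwards. */
int drop_to_net_raw(void)
{
    struct capsnap cur;
    if (cap_read(&cur) != 0 || cap_write(cap_restrict(cur)) != 0)
        return -1;
    if (cap_read(&cur) != 0)
        return -1;
    return cap_only_net_raw(cur) ? 0 : -1;
}
#else
/* No process capability interface on this host; only the pure steps apply. */
int drop_to_net_raw(void) { return -1; }
#endif

int main(void)
{
    if (drop_to_net_raw() != 0) {
        puts("capability drop failed or unsupported here; refusing to continue");
        return 1;
    }
    puts("at most CAP_NET_RAW remains; safe to open the raw socket now");
    return 0;
}
```

The file-side half of the scheme on Linux is `setcap cap_net_raw+ep /path/to/ping`, which is the analogue of the per-file capabilities the message wants loaded via veriexec: an ordinary user who runs the binary gets CAP_NET_RAW in permitted and effective at exec, and the code above then guarantees that a root invocation keeps nothing more. The point of re-reading with capget after capset is the one the message makes about evaluation: the program should be able to show the reduced state, not merely have requested it.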