> I guess we could provide some 'privilege bracketing', using functions
> defined in <priv.h>, allowing the 'file_dac_write' to be enabled only
> when needed and will be disabled for the most part.
What is the threat model we're concerned about here? If the privilege is still in the limit set, then it's trivial for an exploit to acquire the privilege and do whatever.

-- meem
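
An added illustration of the point the two messages disagree on, written for this note and not code from either poster or from the Solaris <priv.h> API: a small C model of the effective (E), permitted (P) and limit (L) privilege sets and the rules setppriv() enforces on them. Bracketing toggles the privilege only in E, so anything running in the process can turn it back on as long as P still holds it; dropping it from P makes both the bracket and the attacker fail, and dropping it from L as well denies it to any later exec. The ps_* names, the two sample privileges, the daemon's constructed starting state and the exec model (a set-uid root image with no forced privileges receives everything in L) are assumptions of the example.

```c
/* Added example (not from the thread): a model of the Solaris privilege-set
 * rules, not calls into the real <priv.h> API. The ps_* names are this
 * example's own. Only E, P and L are modelled; the inheritable set is omitted. */
#include <stdbool.h>
#include <stdio.h>

enum { PS_FILE_DAC_WRITE = 1u << 0, PS_SYS_MOUNT = 1u << 1 }; /* two sample privileges */
enum ps_op { PS_ON, PS_OFF };
enum ps_which { PS_EFFECTIVE, PS_PERMITTED, PS_LIMIT };

struct ps_proc {
    unsigned effective; /* E: privileges the process can use right now */
    unsigned permitted; /* P: privileges it may turn on in E; only ever shrinks */
    unsigned limit;     /* L: upper bound on what any exec from here can yield */
};

/* The kernel keeps E a subset of P at all times. */
static bool ps_consistent(const struct ps_proc *p) {
    return (p->effective & ~p->permitted) == 0;
}

/* Model of setppriv(): 0 on success, -1 where the real call fails with EPERM. */
static int ps_setppriv(struct ps_proc *p, enum ps_op op, enum ps_which which, unsigned privs) {
    if (op == PS_ON && which != PS_EFFECTIVE)
        return -1;                      /* P and L can only shrink */
    switch (which) {
    case PS_EFFECTIVE:
        if (op == PS_OFF) { p->effective &= ~privs; return 0; }
        if (privs & ~p->permitted)
            return -1;                  /* only what P still holds can be enabled */
        p->effective |= privs;
        return 0;
    case PS_PERMITTED:
        p->permitted &= ~privs;
        p->effective &= ~privs;         /* keep E a subset of P */
        return 0;
    case PS_LIMIT:
        p->limit &= ~privs;             /* takes effect on the next exec */
        return 0;
    }
    return -1;
}

/* Model of exec'ing a set-uid root binary with no forced privileges
 * (an assumption of this example): the new image gets everything in L. */
static void ps_exec_setuid_root(struct ps_proc *p) {
    p->permitted = p->limit;
    p->effective = p->limit;
}

/* Work that needs file_dac_write in E; 0 if it could proceed, -1 otherwise. */
static int ps_work_needs_dac_write(const struct ps_proc *p) {
    return (p->effective & PS_FILE_DAC_WRITE) ? 0 : -1;
}

/* Privilege bracketing as in the quoted proposal: turn the privilege on in E,
 * do the work, turn it off again. */
static int ps_bracketed_write(struct ps_proc *p, int (*work)(const struct ps_proc *)) {
    if (ps_setppriv(p, PS_ON, PS_EFFECTIVE, PS_FILE_DAC_WRITE) != 0)
        return -1;
    int rc = work(p);
    ps_setppriv(p, PS_OFF, PS_EFFECTIVE, PS_FILE_DAC_WRITE);
    return rc;
}

/* What injected code in the same process would do: ignore the bracket and
 * enable the privilege itself. Works on a copy, so the caller's state is untouched. */
static bool ps_exploit_can_reacquire(struct ps_proc p) {
    return ps_setppriv(&p, PS_ON, PS_EFFECTIVE, PS_FILE_DAC_WRITE) == 0 &&
           (p.effective & PS_FILE_DAC_WRITE) != 0;
}

/* Constructed starting state: a daemon holding both privileges in P and L
 * that keeps file_dac_write off in E between bracketed uses. */
static struct ps_proc ps_daemon_initial(void) {
    struct ps_proc p = { PS_SYS_MOUNT, PS_FILE_DAC_WRITE | PS_SYS_MOUNT,
                         PS_FILE_DAC_WRITE | PS_SYS_MOUNT };
    return p;
}

int main(void) {
    struct ps_proc p = ps_daemon_initial();
    printf("bracketed work: %d, exploit reacquires: %d\n",
           ps_bracketed_write(&p, ps_work_needs_dac_write), ps_exploit_can_reacquire(p));
    /* Once the privilege is no longer needed, drop it from P: the bracket's
     * own PS_ON now fails, and so does the exploit's. */
    ps_setppriv(&p, PS_OFF, PS_PERMITTED, PS_FILE_DAC_WRITE);
    printf("after dropping from P: work %d, exploit reacquires: %d\n",
           ps_bracketed_write(&p, ps_work_needs_dac_write), ps_exploit_can_reacquire(p));
    /* Dropping it from L as well means even a set-uid root exec cannot get it back. */
    ps_setppriv(&p, PS_OFF, PS_LIMIT, PS_FILE_DAC_WRITE);
    ps_exec_setuid_root(&p);
    printf("after exec: exploit reacquires: %d\n", ps_exploit_can_reacquire(p));
    return 0;
}
```

The design point the model makes explicit: bracketing only buys anything against bugs that run while the privilege happens to be off in E and that cannot call setppriv() themselves; code execution in the process defeats it outright. Removing the privilege from P as soon as the last legitimate use is done, and from L if no child should ever have it, is what actually shrinks the attacker's options.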
