not really commenting on the proposal itself, but .. > Let us not forget that you need a binary inside the chroot that can > call fexecve() on a file descriptor or the ability to build such a > binary.
this is only one buffer overflow away... ie, strength in layers would imply you should not rely this. .mrg.
