One of the problems with security mechanisms based around system-call interposition (such as systrace) is that it's very hard to avoid concurrency vulnerabilities. To avoid this, you need to push the security mechanisms down into the kernel, as with SELinux. The downside is that configurable policy becomes harder that way. Capsicum is all about configurable and extensible security policy using capabilities.
There's a nice explanation of concurrency vulnerabilities in chapter 2 of Robert Watson's thesis, and a comparison of Capsicum vs other security mechanisms in chapter 5. It's worth looking at, if you're interested in these issues:
http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-818.html
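As an added illustration of the argument race the comment refers to (a constructed model, not code from systrace, Capsicum or Watson's thesis): a user-space wrapper checks a pathname read out of the caller's memory, but the kernel copies the same memory in a second time when it performs the call, so anything that changes the buffer between the two reads gets a path the policy never approved. The `between_check_and_use` callback stands in for a concurrently running thread so the run is deterministic; the in-kernel variant copies once and checks and acts on that single copy.

```python
"""Toy model of the check-vs-use argument race in system-call wrappers.
Constructed example: the wrapper, the 'kernel' and the policy are stand-ins."""

ALLOWED_PREFIX = "/tmp/sandbox/"   # assumed policy: only this tree may be opened


class UserMemory:
    """The calling process's memory: a mutable buffer that the mediator can
    read but does not own, so other threads may change it at any time."""

    def __init__(self, path: str):
        self.buf = bytearray(path.encode())

    def read_path(self) -> str:
        return self.buf.decode()

    def write_path(self, path: str) -> None:
        self.buf[:] = path.encode()


def kernel_open(path: str) -> str:
    """Stand-in for the real system call: reports which path would be opened."""
    return path


def wrapper_open(mem: UserMemory, between_check_and_use=None) -> str:
    """Interposition style: policy is checked on one copyin, and the kernel
    later does its own copyin of the same user memory (two reads)."""
    if not mem.read_path().startswith(ALLOWED_PREFIX):
        raise PermissionError("denied by policy")
    if between_check_and_use:
        between_check_and_use()          # another thread runs here
    return kernel_open(mem.read_path())  # second read: may no longer match


def in_kernel_open(mem: UserMemory, between_check_and_use=None) -> str:
    """In-kernel mediation: a single copyin; check and act on the same copy,
    so a concurrent change to user memory cannot bypass the check."""
    path = mem.read_path()
    if not path.startswith(ALLOWED_PREFIX):
        raise PermissionError("denied by policy")
    if between_check_and_use:
        between_check_and_use()          # the copy is no longer shared
    return kernel_open(path)


def race(mediator) -> str:
    """Run one mediator with a thread that rewrites the argument mid-call."""
    mem = UserMemory("/tmp/sandbox/ok.txt")
    return mediator(mem, lambda: mem.write_path("/outside/secret.txt"))
```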