29.7 Limitations of systrace
Despite its many features, systrace has a number of limitations that bear mentioning. First, it lacks a facility to specify that you can “permit once” for a system call, such as binding to a socket. This can allow an attacker to recycle a system call, potentially at elevated privilege.
Second, system calls have no exclusive or. For example, an application might be permitted to open a ﬁle or a device, but not both. This weakness could ultimately be leveraged by an attacker who seeks to do more than a program was intended to do.
Lastly, the parent process has no control over spawned processes. For example, if you allow /bin/sh to be executed, you cannot control it beyond its own systrace policy. One way to get around this limitation is to specify a policy for the child process to inherit if it is to be less liberal than the normal system policy. This would be done via systrace -i.