Security

Assume that an adversary can exploit a programming error to take over the slave. The adversary can then make any system call from the slave, etc. Let's also assume that the system call interface itself is secure :-)

Potential problems:

- Signal or ptrace other processes to get further access. Not possible.
- Signal or ptrace slave processes of other sessions. Not possible because of P_SUGID!
- Change the file system: create named pipes or device nodes. Not possible due to chroot and the read-only file system.
- Initiate network connections to abuse trust relations. Possible; use external policy enforcement like Systrace.
- Gather information about the system. Some information may be exported only via the file system.
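As an added illustration (not code from the original slides), the following C program builds the confined slave this threat model relies on and then, from inside it, attempts the file-system and network actions listed above; the jail path /var/empty and uid/gid 32767 are assumptions, and the confinement step itself needs root.

```c
#define _DEFAULT_SOURCE   /* declares chroot(), setgroups(), mknod() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
enum { PROBE_FIFO = 1, PROBE_DEVNODE = 2, PROBE_SOCKET = 4 };  /* probe_slave() result bits */
/* Confine the caller: chroot() into the jail (needs root, so it runs first), then
 * drop to an unprivileged uid/gid. That credential change is what makes the kernel
 * flag the process (P_SUGID on OpenBSD) so other processes cannot ptrace it. */
int confine_slave(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) == -1 || chdir("/") == -1)
        return -1;
    if (setgroups(0, NULL) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; }  /* the drop must be irreversible */
    return 0;                                          /* -1 above leaves errno set */
}
/* Try what a compromised slave would try: chroot plus an unwritable jail root
 * block the file-system changes, but nothing here stops opening a socket. */
int probe_slave(void)
{
    int got = 0, s;
    if (mkfifo("/x.fifo", 0600) == 0) { got |= PROBE_FIFO; unlink("/x.fifo"); }
    if (mknod("/x.dev", S_IFCHR | 0600, 0) == 0) { got |= PROBE_DEVNODE; unlink("/x.dev"); }
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) != -1) { got |= PROBE_SOCKET; close(s); }
    return got;
}
/* Run probe_slave() in a confined child; returns its bitmask, or -1 if the child
 * could not be confined (not root, jail directory missing, ...). */
int run_confined_probe(const char *jail, uid_t uid, gid_t gid)
{
    int st; pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        if (confine_slave(jail, uid, gid) == -1) _exit(127);
        _exit(probe_slave());
    }
    if (waitpid(pid, &st, 0) == -1 || !WIFEXITED(st) || WEXITSTATUS(st) == 127) return -1;
    return WEXITSTATUS(st);
}
int main(void) {  /* /var/empty and uid/gid 32767 are assumed values; this needs root */
    int r = run_confined_probe("/var/empty", 32767, 32767);
    if (r == -1) { perror("confine"); return 1; }
    printf("fifo:%d devnode:%d socket:%d\n", !!(r & PROBE_FIFO), !!(r & PROBE_DEVNODE), !!(r & PROBE_SOCKET));
    return 0;
}
```

Expect the named-pipe and device-node attempts to be blocked and the socket call to succeed, which is exactly the gap the slide hands to an external policy like Systrace.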