Implementation

Policy statements can be predicated:

    native-fsread: filename eq "/etc" then deny[eperm], if group != wheel

The kernel informs the policy daemon about changes in uid and gid, so such predicates are evaluated against the process's current credentials.

Privilege elevation via a policy language extension:

    native-bind: sockaddr eq "inet-[0.0.0.0]:22" then permit as root

Policies are inherited across fork. Policies can be switched on execve; the name of the application is used as the new policy. Policies reside in global or user-specific directories.
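To make the two rule forms on this slide concrete, here is an added example (not code from the original slides or from the policy daemon it describes) that parses rules written in the slide's notation and evaluates a system call against them. The grammar it accepts is an assumption reconstructed from the two example lines only: an `eq` string comparison, a `deny[errno]` or `permit` action, an optional `as <user>` elevation, and an optional `, if user|group =|!= <name>` predicate. The `match` operator (shell-style wildcards), first-match-wins ordering, and returning `None` when no rule applies are all assumptions of this example, not documented behaviour; the sample policy and the requests are constructed.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

# Assumed grammar, reconstructed from the slide's two example lines:
#   <emul>-<syscall>: <arg> (eq|match) "<value>" then (permit|deny[<errno>])
#                     [as <user>] [, if (user|group) (=|!=) <name>]
RULE_RE = re.compile(
    r'^(?P<syscall>[\w-]+):\s+(?P<arg>\w+)\s+(?P<op>eq|match)\s+"(?P<value>[^"]*)"'
    r'\s+then\s+(?P<action>permit|deny)(?:\[(?P<errno>\w+)\])?'
    r'(?:\s+as\s+(?P<as_user>\w+))?'
    r'(?:,\s*if\s+(?P<pkey>user|group)\s*(?P<pop>!=|=)\s*(?P<pval>\w+))?\s*$'
)


@dataclass(frozen=True)
class Rule:
    syscall: str
    arg: str
    op: str
    value: str
    action: str
    errno: Optional[str]
    as_user: Optional[str]
    pred: Optional[tuple]  # (key, op, name) or None when unpredicated


@dataclass(frozen=True)
class Decision:
    action: str                     # "permit" or "deny"
    errno: Optional[str] = None     # errno returned to the process on deny
    as_user: Optional[str] = None   # elevation target for "permit as <user>"
    rule_no: int = -1               # index of the rule that decided


def parse_policy(text):
    """Parse policy lines in the slide's notation; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparsable rule: {line}")
        pred = None
        if m.group("pkey"):
            pred = (m.group("pkey"), m.group("pop"), m.group("pval"))
        rules.append(Rule(m.group("syscall"), m.group("arg"), m.group("op"),
                          m.group("value"), m.group("action"), m.group("errno"),
                          m.group("as_user"), pred))
    return rules


def _predicate_holds(pred, user, group):
    # Predicates are checked against the credentials the daemon currently
    # knows for the process (the kernel reports uid/gid changes to it).
    if pred is None:
        return True
    key, op, name = pred
    actual = user if key == "user" else group
    return (actual == name) if op == "=" else (actual != name)


def _arg_matches(rule, args):
    actual = args.get(rule.arg)
    if actual is None:
        return False
    if rule.op == "eq":
        return actual == rule.value
    # "match" is an assumed wildcard operator; note fnmatch treats '[...]' as a
    # character class, so bracketed sockaddr literals belong in "eq" rules.
    return fnmatch.fnmatchcase(actual, rule.value)


def evaluate(rules, syscall, args, user, group):
    """First matching rule wins (assumed ordering); None means no rule applied."""
    for i, rule in enumerate(rules):
        if rule.syscall != syscall or not _arg_matches(rule, args):
            continue
        if not _predicate_holds(rule.pred, user, group):
            continue
        return Decision(rule.action, rule.errno, rule.as_user, i)
    return None


# Constructed sample policy using the two forms shown on the slide.
SAMPLE_POLICY = """
native-fsread: filename eq "/etc" then deny[eperm], if group != wheel
native-fsread: filename eq "/etc" then permit
native-bind: sockaddr eq "inet-[0.0.0.0]:22" then permit as root
native-bind: sockaddr match "inet-*:80" then permit
"""

RULES = parse_policy(SAMPLE_POLICY)

if __name__ == "__main__":
    requests = [
        ("native-fsread", {"filename": "/etc"}, "alice", "users"),
        ("native-fsread", {"filename": "/etc"}, "root", "wheel"),
        ("native-bind", {"sockaddr": "inet-[0.0.0.0]:22"}, "sshd", "daemon"),
        ("native-bind", {"sockaddr": "inet-[0.0.0.0]:8080"}, "www", "www"),
    ]
    for syscall, args, user, group in requests:
        print(syscall, args, f"{user}:{group}", "->", evaluate(RULES, syscall, args, user, group))
```

The first request shows the predicate in action: a non-wheel process reading `/etc` is denied with `eperm` by the first rule, while a wheel-group process falls through to the second rule and is permitted. The bind on port 22 returns a decision carrying `as_user="root"`, which is the point at which a real implementation would elevate just that one call rather than the whole process.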