Given that it is likely almost impossible to eliminate *all* security bugs
in Linux, even all root-granting bugs in the kernel, and is certainly
impossible to prove that they're all gone, what would you recommend? That
we give up implementing *any* other security mechanisms until, what? Until
you say the kernel is secure enough now?
Perhaps we should just junk Linux and switch to a proper capability-
based-security system, that's of course thoroughly non-POSIX but at least
can be proven secure more easily... and then realise that SMM holes and
FireWire's lovely remote-DMA features mean that we're *still* insecure...