Open Source Implementation of the Two-Man Rule in Go (cloudflare.com)
53 points by dknecht on Nov 21, 2013 | 5 comments



What stops root from modifying the source code to, for example, record user passwords?

It seems that, for this to really work, you'd need to run it on a machine running, i.e. SELinux and MCS. You'd have to restrict physical (console) access as well, so 1) no running it on a VM and 2) enforce the "two-man rule" for access to the server room as well.

That said, I guess it's certainly a big step up from nothing.


If you are root, you can also strace the process and grab the password, without modifying anything.

If the platform isn't secure, the app can't be trusted. Basic defense rule.


I may very well be wrong (I'm far from an expert on SELinux) but I believe that the kernel would prevent that, assuming MCS.


1. You have fewer root operators than missile launchers or whatever. This allows you to extend the circle of people who can do X (change a DNS entry), but only by cooperating.

2. You need to do that in advance. root can't just wake up one day and decide to go crazy.


The strangeness I see is that the /delegate call isn't specific. I can't say that I want Joe to be able to decrypt LaunchCode3, so I could end up inadvertently allowing Mary to decrypt SecretLocation without really wanting to - it is wide open to timing attacks. This doesn't seem like a fundamental flaw, just something (maybe) overlooked in v1. Very cool stuff.



