> but can't user a race and
> replace the path after validation?

yes, it's what i meant.

> say:
> 
> 	1. userland: open(/bin/ls)
> 	2. kernel: copies in path, '/bin/ls', veriexec check, passes
> 	3. userland: mv /tmp/evil /bin/ls
> 	4. kernel: second namei(), proceeds to open the file
> 
> classic toctou. ideas?

if it's a problem for you, you shouldn't do namei twice.
(unless you are going to introduce transactions for this. :-)

YAMAMOTO Takashi