> > - it seems quite racy.  i don't know if it's a problem for veriexec, tho.
> >   first and second namei() can see different
> >   pathnames (if userland pathname buffer is modified) and/or
> >   vnode (if any components in the pathname is renamed).
> 
> that's what I was worried about: we do two consequtive namei() calls.
> 
> do you think there's a way we could have a single namei() in vn_open()
> to avoid it? or maybe we can copy the pathname to the kernel in
> vn_open(), and then in consequent namei() calls just use that. because
> veriexec doesn't care about permissions but relies on internal tables
> it shouldn't matter, I *think*.

for the pathname problem, i suggested a solution in PR/35278.

YAMAMOTO Takashi