On Fri, 09 Apr 2021 08:06:21 -0700, Andi Kleen said:

> Thinking more about it what I wrote above wasn't quite right. The cache
> would only need to be as big as the number of attackable services/suid
> binaries. Presumably on many production systems that's rather small,
> so a cache (which wouldn't actually be a cache, but a complete database)
> might actually work.

You also need to consider non-suid things called by suid things that don't
sanitize input sufficiently before invocation...

Thinking about at - is it really a good thing to try to do this in kernelspace?
Or is 'echo 1 > /proc/sys/kernel/print-fatal-signals' and a program to watch
the dmesg and take action more appropriate?  A userspace monitor would
have more options (though a slightly higher risk of race conditions).