Hi everyone I briefly discussed this topic at LSS NA 2023, but I wanted to have an opinion from a broader audience. In short: I wanted to execute some kernel workloads in a fully isolated user space process, started from a binary statically linked with klibc, connected to the kernel only through a pipe. I also wanted that, for the root user, tampering with that process is as hard as if the same code runs in kernel space. I would use the fully isolated process to parse and convert unsupported data formats to a supported one, after the kernel verified the authenticity of the original format (that already exists and cannot change). Preventing tampering of the process ensures that the conversion goes as expected. Also, the integrity of the binary needs to be verified. List of wished data formats: PGP: verify the authenticity of RPM/DEB/... headers RPM/DEB/... headers: extract reference file checksums for (kernel-based) file integrity check (e.g. with IMA) Alternative #1: Write the parsers to run in kernel space. That was rejected due to security and scalability concerns. If that changed, please let me know. Alternative #2: Linux distributions could provide what the kernel supports. However, from personal experience, the effort seems orders of magnitude higher than just writing a tiny component to support the original format. And there is no guarantee that all Linux distributions will do it. Full process isolation could be achieved in this way: process -> outside: set seccomp strict profile at process creation so that the process can only read/write/close the pipe and exit, no other system calls are allowed outside -> process: deny ptrace/kill with the process as target Anything else? The only risk I see is that a new feature allowing to interact with another process is added to the kernel, without the ptrace permission being asked. With the restrictions above, can we say that the code inside the process is as safe (against tampering) to execute as if it runs in kernel space? Thanks Roberto