Hello.

Luiz found a bug where, when an execve() request was rejected by CaitSith's
policy, retrying the same execve() request resulted in it being granted, due
to incomplete error handling in the previous execve() request.

For example, this bug takes effect when running the program shown below while
there is a CaitSith policy which rejects execution of /usr/bin/top .

----------
#include <unistd.h>

int main(int argc, char *argv[])
{
	execl("/usr/bin/top", "top", (char *)NULL); // <= Rejected by policy.
	execl("/usr/bin/top", "top", (char *)NULL); // <= Granted in error.
	return 0;
}
----------

This bug existed in both AKARI and the LKM-based LSM version of CaitSith since
Linux 2.6.29, where an LSM hook which is always called when an execve() request
finishes was removed. This bug does not exist in TOMOYO 1.8 or in the fully
featured version of CaitSith. (AKARI is the LKM-based LSM version of TOMOYO 1.8.)

Therefore, please update if you are using AKARI or the LKM-based LSM version of
CaitSith.

Regards.

MD5                               Filename
666667388cb548898521c2f64bc84979  akari-1.0.48-20230527.tar.gz
3333fd38701319b60a0f35ae413eea44  caitsith-patch-0.2-20230527.tar.gz
aaaa00bcf527233be826b58b57dc58f6  ccs-patch-1.8.9-20230527.tar.gz
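
A regression check for the behaviour described above, as an added example that is not part of the original post or of the AKARI/CaitSith sources: it attempts the same exec twice in a child process and counts how many attempts were rejected. The function name count_rejected_execs and the default path are assumptions for illustration; with a policy rejecting the path, a result of 2 means both attempts were rejected and 1 means the retry was granted.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
/* Added example, not from the original post. Tries to exec `path` twice in a
 * child. Every failed attempt reports its errno over a close-on-exec pipe; a
 * granted exec closes the pipe without writing anything.
 * Returns the number of rejected attempts (0..2), or -1 on setup failure.
 * With a policy denying `path`: 2 = both rejected, 1 = the retry was granted. */
int count_rejected_execs(const char *path, int errs[2])
{
    char *const argv[] = { (char *)path, NULL };
    int fds[2], n = 0, e;
    pid_t pid;
    if (pipe(fds) < 0)
        return -1;
    if (fcntl(fds[1], F_SETFD, FD_CLOEXEC) < 0 || (pid = fork()) < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child */
        close(fds[0]);
        for (int i = 0; i < 2; i++) {
            execv(path, argv);            /* execve() wrapper; returns only on failure */
            e = errno;
            if (write(fds[1], &e, sizeof(e)) != (ssize_t)sizeof(e))
                _exit(126);
        }
        _exit(127);                       /* both attempts were rejected */
    }
    close(fds[1]);
    while (n < 2 && read(fds[0], &e, sizeof(e)) == (ssize_t)sizeof(e))
        errs[n++] = e;
    close(fds[0]);
    if (n < 2)
        kill(pid, SIGKILL);               /* exec was granted: stop the program */
    waitpid(pid, NULL, 0);
    return n;
}

int main(int argc, char *argv[])
{
    int errs[2] = { 0, 0 };
    int n = count_rejected_execs(argc > 1 ? argv[1] : "/usr/bin/top", errs);
    printf("rejected attempts: %d (errno %d, %d)\n", n, errs[0], errs[1]);
    return n == 2 ? 0 : 1;
}
```

Run it with a path that the loaded policy rejects; an exit status of 0 means both attempts were rejected.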