Kernel Version: 4.18.5 Problem Description: search_binary_handler() should be called after setting bprm using prepare_binprm(), and in prepare_binprm(), there’s a LSM hook security_bprm_set_creds(), which can make a decision that binfmt cares. We found a leaking path In fs/binfmt_misc.c:235, that don’t ask LSM’s decision. - Tong