> I guess the main fear is that the attacker can put a malicious (and likely
> explicitly crafted for a certain bug in NetBSD's linux compat) binary on
> your machine and execute it.

Yes, I guess that's the (valid) point.
My impression (I stay corrected) is that compat_linux is mostly used to run a very restricted set of Linux binaries (proprietary software not available for NetBSD) on a NetBSD host. So what would actually be needed (I guess) is a way to restrict emulation (actually running that emulation, not auto-loading the module) to a known set of binaries. I have no idea whether that's possible.