memfd_secret() in 5.14

Since the only real usecase I can see for this is protecting DRM like Widevine (i. e. don't let the user inspect the code running), it doesn't matter much if the module is killed when going into suspend.

It just needs to run when you're trying to access DRM protected content in e. g. Firefox or Chrome, and when waking from suspend it can just get reloaded and check that it is running in an environment that the user hasn't messed with again.

Assuming I'm right, this is going to be fun. The API exposed to DRM modules is already pretty extensive (I remember at least including file IO and some network access in CDM11), but it is kind of limited now because on Linux you just have the "lowest" security level. They can't "trust" the operating system because the user has too much access to their own devices (except on Android).

But with this I'm assuming the goal is to allow the next level and will include API for the black box CDM binaries to inspect the whole system.