Ok, another exploit and I explain: [revol@patrick /boot/home/devel/mmap]$ ./mmtest2 libmoreposix:_init() __init_mmap_stuff(): mmap_driver_fd = 3 open(/boot/home/testret, O_RDONLY)) mmap(00000000, 4096, 00000004, 00000001, 4, 0) func = mmap( PROT_READ|PROT_EXEC) @func: 0x90, 0xc3, 0x90, 0xc3 calling ! returned from func ! libmoreposix:_fini() --- [revol@patrick /boot/home]$ listarea 1352|grep mmap 30281 mmap_user a0000000 1000 1000 0 0 0 What I did is I hacked the JBQ mmap driver a bit further, and even did some kernel H4cK1nG :) because filedes in drivers are owned by kernel_team, not the calling thread... I'll maybe write a newsletter article explaining in detail, this is also informative for OBOS btw... (there's sys_read() and user_read() involved :) Of course this one isn't a full blown mmap(), as it doesn't deal with pages, only whole file :-( But it still may help in the mean time. Also, looking at Plex86 sources (*grin*), it seems Linux can mmap() device drivers... I think we could include this behaviour too, either using ioctl() or a new entry in the driver_hook struct... but this is GE stuff btw. François.