Re: knfsd and system crashes

Colin Plumb (colin@nyx.net)
Sat, 15 Nov 1997 22:42:23 -0700 (MST)


Aaron M. Ucko wrote:
> If /export and /etc are both on the root partition, yes: you know / is
> a directory with inode number 2, and can proceed from there. NFS is
> *not* secure; deal.

Well, *this* is solvable - you can issue cryptographic capabilities
to inodes that don't let someone forge an inode number.

Hash together a persistent secret, the inode number, the mount point,
the client's IP address, and anything else that identifies the attempt
to read the file and include that in the handle. That way, nobody can
create a handle without passing the permission checks at least once.
The file stays open forever, but at least you can be sure that all the
open checks have been performed.

You can use the full SHA in the kernel for serious security, or the corrupted
MD4 that's used in the TCP secure sequence number code.

You could also arrange for open file handles to time out occasionally.
Reserve one or more bits for a "secret number", and generate new secrets
periodically, say once a day. With a 3-bit secret number, a file can be open
for at most 8 days before the handle goes stale. But you're guaranteed a
week, which seems reasonable for most applications. You can vary the numbers
as you wish; with k bits of secret number, a file handle will last at most
2^k secret change intervals, and at least 2^k - 1, depending on when in the
interval it was first issued.

-- 
	-Colin
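The handle scheme Colin sketches above, written out as an added example (this is not code from the message, from knfsd, or from the Linux NFS code of the time). It assumes HMAC-SHA256 as the keyed hash in place of the in-kernel SHA or MD4 the post mentions, a 3-bit secret number as in the post, fresh per-process secrets from os.urandom (a real server would keep the secret persistent across reboots), and constructed sample values: inode 2, mount point /export, client 10.0.0.5. The handle layout (inode, secret-number byte, truncated MAC) is a hypothetical one chosen for illustration.

```python
import hashlib
import hmac
import os
import struct

MAC_LEN = 16          # bytes of truncated MAC carried in the handle (constructed choice)
SECRET_BITS = 3       # k bits of "secret number": a handle survives at most 2**k intervals


class HandleIssuer:
    """Server-side issuer/verifier for file handles bound to a server secret.

    Hypothetical layout; a real NFS server's handle format differs.
    """

    def __init__(self, secret_bits=SECRET_BITS):
        self.nsecrets = 1 << secret_bits
        self.secrets = [None] * self.nsecrets     # ring of per-interval secrets
        self.interval = 0                         # number of rotations so far
        self.secrets[0] = os.urandom(32)          # assumption: not persisted across reboots

    def rotate(self):
        """Start a new interval (e.g. once a day): a fresh secret overwrites the
        oldest slot, so every handle minted under that old secret stops verifying."""
        self.interval += 1
        self.secrets[self.interval % self.nsecrets] = os.urandom(32)

    def _mac(self, secret, inode, mount, client_ip):
        # Everything that identified the permitted open goes under the MAC,
        # so changing any of it (the inode number in particular) breaks the tag.
        msg = struct.pack(">Q", inode) + mount.encode() + b"\0" + client_ip.encode()
        return hmac.new(secret, msg, hashlib.sha256).digest()[:MAC_LEN]

    def issue(self, inode, mount, client_ip):
        """Mint a handle. Call only after the normal open/permission checks passed."""
        slot = self.interval % self.nsecrets
        tag = self._mac(self.secrets[slot], inode, mount, client_ip)
        # handle = inode (8 bytes) | secret number (1 byte) | MAC
        return struct.pack(">QB", inode, slot) + tag

    def verify(self, handle, mount, client_ip):
        """Return the inode number if the handle is genuine and not stale, else None."""
        if len(handle) != 9 + MAC_LEN:
            return None
        inode, slot = struct.unpack(">QB", handle[:9])
        if slot >= self.nsecrets:
            return None
        expected = self._mac(self.secrets[slot], inode, mount, client_ip)
        if not hmac.compare_digest(expected, handle[9:]):
            return None      # wrong inode/mount/client, or the secret was rotated out
        return inode


def alter_inode_field(handle, new_inode):
    """Rewrite only the inode field; used to show the MAC check catches tampering."""
    return struct.pack(">Q", new_inode) + handle[8:]


if __name__ == "__main__":
    issuer = HandleIssuer()
    h = issuer.issue(2, "/export", "10.0.0.5")   # constructed: root inode, sample mount/client
    print("genuine:", issuer.verify(h, "/export", "10.0.0.5"))
    print("altered inode:", issuer.verify(alter_inode_field(h, 3), "/export", "10.0.0.5"))
    for _ in range(7):
        issuer.rotate()
    print("after 7 rotations:", issuer.verify(h, "/export", "10.0.0.5"))
    issuer.rotate()
    print("after 8 rotations:", issuer.verify(h, "/export", "10.0.0.5"))
```

A handle issued at the very start of an interval is accepted through 2^k = 8 rotations' worth of intervals, and one issued just before a rotation gets only 2^k - 1 = 7 full intervals, which is the bound the post gives. Staleness needs no separate age field: once the secret in the handle's slot is overwritten, the MAC simply no longer matches.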