A sneakier way to try to change kernel memory is to get the kernel to do it for you by passing a kernel address as an output parameter to a system call. Since the output buffer will be filled in the kernel, kernel memory is write-enabled, so this offers a potential way to get around the write-protection that's in effect in user mode.
This problem is mostly taken care of by the generic kernel with the help of some architecture-specific code in asm/uaccess.h, notably verify_area. This checks the buffer address by hand to make sure it's a userspace address and not a kernel address.
This works perfectly well in 'jail' mode, but it's more complicated in 'honeypot' mode because of some peculiarities of that mode. This will be discussed in detail later.