Should mprotect(..., PROT_EXEC) be checked by IMA?

Matthew Garrett mjg59 at
Tue Apr 2 22:31:16 UTC 2019

On Fri, Mar 29, 2019 at 5:50 AM Igor Zhbanov <i.zhbanov at> wrote:
> I want to be sure that no unsigned code page could be executed. So exploits
> could only be of ROP kind and not being able to download any extra code
> from their servers. That's why I found that disabling of anonymous executable
> pages could be useful for that (as well as disabling of making executable
> pages writable to modify already mapped code). In conjunction with IMA it
> should guarantee that no untrusted code could be executed.

Remember that many interpreted languages allow execution of code
provided to them on the command line (eg, python -c) and also grant
access to arbitrary syscalls, so there's still no guarantee that
you're only executing trusted code.

More information about the Linux-security-module-archive mailing list