Should mprotect(..., PROT_EXEC) be checked by IMA?

Perez Yves-Alexis yves-alexis.perez at
Wed Apr 3 13:18:00 UTC 2019

Le 03/04/2019 à 14:11, Mimi Zohar a écrit :
> On Tue, 2019-04-02 at 15:31 -0700, Matthew Garrett wrote:
>> On Fri, Mar 29, 2019 at 5:50 AM Igor Zhbanov <i.zhbanov at> wrote:
>>> I want to be sure that no unsigned code page could be executed. So exploits
>>> could only be of ROP kind and not being able to download any extra code
>>> from their servers. That's why I found that disabling of anonymous executable
>>> pages could be useful for that (as well as disabling of making executable
>>> pages writable to modify already mapped code). In conjunction with IMA it
>>> should guarantee that no untrusted code could be executed.
>> Remember that many interpreted languages allow execution of code
>> provided to them on the command line (eg, python -c) and also grant
>> access to arbitrary syscalls, so there's still no guarantee that
>> you're only executing trusted code.
> Interpreters are a known concern, as Yves-Alexis Perez pointed out in
> his LSS-2018 Europe talk[1].
> Mimi
> [1]
> x-Kernel-Security-Contributions-by-ANSSI-Yves-Alexis-Perez-ANSSI.pdf
And Mickaël Salaün posted the O_MAYEXEC patch RFC back in December

Yves-Alexis Perez
Les données à caractère personnel recueillies et traitées dans le cadre de cet échange, le sont à seule fin d’exécution d’une relation professionnelle et s’opèrent dans cette seule finalité et pour la durée nécessaire à cette relation. Si vous souhaitez faire usage de vos droits de consultation, de rectification et de suppression de vos données, veuillez contacter contact.rgpd at Si vous avez reçu ce message par erreur, nous vous remercions d’en informer l’expéditeur et de détruire le message. The personal data collected and processed during this exchange aims solely at completing a business relationship and is limited to the necessary duration of that relationship. If you wish to use your rights of consultation, rectification and deletion of your data, please contact: contact.rgpd at If you have received this message in error, we thank you for informing the sender and destroying the message.

More information about the Linux-security-module-archive mailing list