On Tue, Mar 19, 2019 at 5:19 AM Igor Zhbanov <i.zhbanov@xxxxxxxxxxxx> wrote:
> I think that checking the integrity at least in the case when the file is
> still open is better than not checking at all. Because as I said it would
> be possible to use mmap+mprotect to bypass IMA for shared libraries checking.

Remember that an application can also open a file read-only and then execute the code under an interpreter. If you have code that's deliberately trying to undermine IMA then it can do so - the goal is to use IMA to ensure that you have appropriate measurement or appraisal in order to avoid that in the first place.
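As an added illustration of the reply's point (this is not part of the thread and not a policy shipped by the kernel), here is a custom IMA policy fragment contrasting a policy that only covers execve() with one that also covers the mmap and open paths the two messages above discuss. The rule syntax (action, func=, mask=, euid=, appraise_type=) follows the upstream ima_policy securityfs ABI; the mask=^MAY_READ form matches any open whose mode includes read rather than exactly MAY_READ. The `#` lines are explanatory, and the dont_measure/dont_appraise rules normally used to exclude pseudo-filesystems are omitted for brevity, so this is not a drop-in policy.

```text
# Added example, not from the thread above: custom IMA policy rules as
# written to /sys/kernel/security/ima/policy.

# Narrow coverage: only the execve() hook is appraised. A file that is
# mapped executable with mmap(), or read by an interpreter, is never
# checked, which is exactly the gap the thread is about.
appraise func=BPRM_CHECK appraise_type=imasig

# Broader coverage: measure and appraise at each hook through which file
# content can become code, so the policy itself provides the
# "appropriate measurement or appraisal" the reply refers to.
measure  func=BPRM_CHECK
appraise func=BPRM_CHECK appraise_type=imasig
measure  func=MMAP_CHECK mask=MAY_EXEC
appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
measure  func=FILE_CHECK mask=^MAY_READ euid=0
appraise func=FILE_CHECK mask=^MAY_READ euid=0 appraise_type=imasig
```

The FILE_CHECK rules are what close the interpreter case: an interpreter opens its script read-only, and a policy that only hooks BPRM_CHECK and MMAP_CHECK never sees that open. They are scoped to euid=0 here as a deliberate trade-off, since appraising every read by every user requires every such file to carry a valid signature or hash.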