On Wed, Mar 20, 2019 at 1:11 AM Igor Zhbanov <i.zhbanov@xxxxxxxxxxxx> wrote:

> As for script interpreters like bash, yes, it will not protect against it.
> But IMA can check e.g. all files read by root, including non-executable ones.

Non-JIT x86 emulators are basically just interpreters.

> My point was about better protection of shared libraries, making life harder
> for exploits that are downloading extra code from external servers.

Like you said, they can implement this by copying the code from read-only pages to separate executable pages. It does make it harder, but not to a huge degree - anything that's mprotect()ing file-backed pages to PROT_EXEC later is presumably doing so to avoid IMA, and making this change will just encourage them to add further workarounds. Since this is a fight we literally can't win, what's the benefit?