Or if you are deploying stuff at large shops with decent devops staffing, you can use IMA as part of your OS build pipeline, basically to make sure what you tested and published from dev is the only thing that can run in prod. But is it possible to code-inject with ptrace or /proc/self/mem? If someone can run code, can they ROP using existing binaries only and disable IMA verification? One thing I might try would be to drop unsigned/unauthenticated versions of a distro install somewhere and chroot into it; if the OS allows chroot, is it that easy to bypass IMA, because you can mount --bind anything into the chroot environment? So is it a defense only if you are restricted as a non-root user?
It doesn't have to be that fancy: you can run python (which is IMA/EVM signed) and run arbitrary stuff. ptrace shouldn't be allowed in prod, but yes, you could memfd some code segment and exec into it... still, python is easier...