I have a somewhat crazy idea to run JIT code with mprotect enforced: instead of putting the generated code into anonymous memory, why not put it as a shared library inside a tmpfs, and then the host program simply calls dlopen on it? This way, we would have JIT code (faster than interpreted code), and ahead-of-time compiled code keeps all mprotect restrictions in place. JIT code would also benefit from ASLR.
What do you think?
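A sketch of the idea above, as an added example that is not part of the original post: the generated code is written as a shared object into a private directory on a tmpfs mount and loaded with `dlopen`, so it arrives as a file-backed mapping rather than anonymous memory that is made executable. The helper name `jit_via_dlopen`, the symbol `jit_mul`, the use of the system `cc` as a stand-in code generator and the default `/dev/shm` path are all assumptions.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper: "JIT" the function x -> x * k by building a shared
 * object under tmpfs_dir (trusted, caller-supplied) and loading it with
 * dlopen. Returns 0 and stores jit_mul(x) in *out, or a negative error. */
int jit_via_dlopen(const char *tmpfs_dir, int k, int x, int *out)
{
    char dir[200], so[256], cmd[512];
    int rc = 0;

    /* Private 0700 directory: nobody else can swap the file before dlopen. */
    snprintf(dir, sizeof dir, "%s/jit-XXXXXX", tmpfs_dir);
    if (!mkdtemp(dir)) return -1;
    snprintf(so, sizeof so, "%s/gen.so", dir);

    /* Stand-in code generator: the system C compiler, source on stdin.
     * -fPIC avoids text relocations, which need writable code pages. */
    snprintf(cmd, sizeof cmd, "cc -shared -fPIC -O2 -x c - -o '%s'", so);
    FILE *p = popen(cmd, "w");
    if (!p) { rc = -2; goto done; }
    fprintf(p, "int jit_mul(int x) { return x * %d; }\n", k);
    if (pclose(p) != 0) { rc = -2; goto done; }

    /* Fails here if the mount is noexec: the loader cannot map the code. */
    void *h = dlopen(so, RTLD_NOW | RTLD_LOCAL);
    if (!h) { fprintf(stderr, "dlopen: %s\n", dlerror()); rc = -3; goto done; }
    int (*fn)(int) = (int (*)(int))dlsym(h, "jit_mul");
    if (fn) *out = fn(x); else rc = -4;
    dlclose(h);
done:
    unlink(so);   /* the file is no longer needed once it has been loaded */
    rmdir(dir);
    return rc;
}

int main(int argc, char **argv)
{
    int r = 0;
    int rc = jit_via_dlopen(argc > 1 ? argv[1] : "/dev/shm", 7, 6, &r);
    if (rc == 0) printf("jit_mul(6) = %d\n", r);
    return rc ? 1 : 0;
}
```

Pass the tmpfs mount point as the first argument; on glibc older than 2.34, link with `-ldl`.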
