Please make a system app, that will prevent strange executables and wrappers to be launched.
For developers: 1. this app must allow an execution only executables with certain hashes and deny execution of files, hashes of which are not prescribed in a control file. 2. the control file (of list of allowed executables and their hashes) and a configuration file of the app may be changed by 2 factor authentication (by sending an email with 8-digits 1-hour living password***** (do not forget a delay of 5 seconds against guessing the password)) after a first configuration. 3. by installation of the app there must be a prompt to enter an email for 2 factor authentication process, email server settings for ability to send an email for 2 factor authentication. 4. for building a control file the app scans for all executables in the os, makes their (for example, sha1) hashes and writes full path and hash of each of them to the control file. 5. for stopping or killing the app must be the 2 factor authentication I suppose, too (or write the source code of /bin/kill binary so that if it is the app then nothing to do (pretermit action), but the original `/bin/kill` binary one can copy to a usb flash drive with a different name (for example, /media/ubuntu/usbflash/flwr) and if one needs to kill the app then he connects the usb flash and copies that binary /media/ubuntu/usbflash/flwr to the system and launches against the app (but for prevent a theft of /media/ubuntu/usbflash/flwr using for example, sh -c "while:; do sleep 10; inotifywait -rmq -e access /media/ubuntu/usbflash/ | while read line; do cp $line /path/to/;done; done" source code of /bin/cp or /bin/mv files can be written so that they can copy or move /media/ubuntu/usbflash/flwr file only to special path on the system not to somewhere else)).
