Dmytro Spivak <obya...@gmail.com> writes: > Please make a system app, that will prevent strange executables and > wrappers to be launched.
This is doable as an LSM for executables. Pretty sure there's a working version of this on Android that uses hashes stored with the file and signed. (I recall seeing something in LWN about it.) However, a major challenge is interpreted languages. Do you allow people to run /usr/bin/perl or not? Both answers imply a lot of difficult problems. Java, Python, Node, and anything else in that family have the same issue. You can otherwise set this up with a Linux distribution with existing tools and maybe a few additions, but in practice you would have to bless Perl and Python (at least), and then it's not clear if you're getting enough security benefit. -- Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
