I think If somebody would need python or perl language he would have to rewrite the library to allow only certain files to execute. And still he have to rewrite /bin/mv, /bin/cp source code to restrict actions with that library if they (mv, cp) are allowed by the app to execute.
------------------------------------------------------------------------------------------------------- This is doable as an LSM for executables. Pretty sure there's a working version of this on Android that uses hashes stored with the file and signed. (I recall seeing something in LWN about it.) However, a major challenge is interpreted languages. Do you allow people to run /usr/bin/perl or not? Both answers imply a lot of difficult problems. Java, Python, Node, and anything else in that family have the same issue. You can otherwise set this up with a Linux distribution with existing tools and maybe a few additions, but in practice you would have to bless Perl and Python (at least), and then it's not clear if you're getting enough security benefit. -- Russ Allbery (r...@debian.org)
