[$] Restricting execution of scripts — the third approach

The kernel will not consent to execute just any file that happens to besitting in a filesystem; there are formalities, such as the checking ofexecute permission and consulting security policies, to get through first.On some systems, security policies have been established to limit executionto specifically approved programs. But there are files that are notexecuted directly by the kernel; these include scripts fed to languageinterpreters like Python, Perl, or a shell. An attacker who is able to getan interpreter to execute a file may be able to bypass a system's securitypolicies. Mickael Salaun has been working on closing this hole for years;the latestattempt takes the form of a new flag to the execveat()system call.