[$] Restricting execution of scripts — the third approach

The kernel will not consent to execute just any file that happens to be
sitting in a filesystem; there are formalities, such as the checking of
execute permission and consulting security policies, to get through first.
On some systems, security policies have been established to limit execution
to specifically approved programs. But there are files that are not
executed directly by the kernel; these include scripts fed to language
interpreters like Python, Perl, or a shell. An attacker who is able to get
an interpreter to execute a file may be able to bypass a system's security
policies. Mickaël Salaün has been working on closing this hole for years;
the latest
attempt takes the form of a new flag to the execveat()
system call.