Is there a facility like fanotify, but for exec() operations? Something like kauth in MacOS, but in userland.
fanotify only seems to notify on (and allow/deny) file open/close/read/write.
I've seen code that can notify on fork and exec by other means (also here), but there is no way to allow or deny an exec. Also, it seems there are drawbacks to this approach, because not all kernels are compiled with netlink/proc connector, and it can get overwhelmed with events.
Perhaps you are looking for SELinux, a Linux kernel module which provides the enforcement of fine-grained security policies, like who or what gets to execute a certain file.
Looks like Linux finally added this feature to fanotify in kernel 5.0 (shipped in e.g. Ubuntu 19.04).
See man 2 fanotify_mark for details. The relevant flags are FAN_OPEN_EXEC and FAN_OPEN_EXEC_PERM.