Subject: Re: chroot jail for ftpd
To: Alfred Perlstein <bright@mu.org>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-security
Date: 10/18/2001 15:24:23
>> Not to close the security loophole -- we agree on the right place for
>> that -- but to give cleaner semantics to anyone fishing for loopholes.
>
>This could be done trivially at the time of open(2) using fstatfs(2).

No, I was suggesting something more paranoid: check all the path
components, and if any of them traverse a nonexec filesystem, discard
that element of the searchpath.  fstatfs() checks only the terminal
component.  Iterating over all components of the path works, tho.

(In the sandbox world, if users can write to a filesystem, you can't
trust any directories on that filesystem not to point to untrusted places.)
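The component-by-component walk described above, as an added C example that is not part of this thread. It assumes POSIX statvfs(3) with ST_NOEXEC in place of the fstatfs(2) named in the message, and uses a constructed stand-in predicate (`fake_tmp_noexec`, which pretends only /tmp is noexec) so the walk can be exercised without a real noexec mount:

```c
#define _GNU_SOURCE             /* glibc only exposes ST_NOEXEC with this */
#include <stdio.h>
#include <string.h>
#include <sys/statvfs.h>
/* Predicate: 1 if the filesystem holding `prefix` is mounted noexec. */
typedef int (*noexec_fn)(const char *prefix);
/* Real check via statvfs(3); an unreachable component counts as untrusted. */
int statvfs_is_noexec(const char *prefix)
{
    struct statvfs sv;
    return statvfs(prefix, &sv) != 0 || (sv.f_flag & ST_NOEXEC) != 0;
}
/* Constructed stand-in for offline testing: pretend only /tmp is noexec. */
int fake_tmp_noexec(const char *p) { return strcmp(p, "/tmp") == 0; }
/* Walk "/", "/a", "/a/b", ... of absolute `path`; 1 if any prefix is noexec. */
int path_traverses_noexec(const char *path, noexec_fn is_noexec)
{
    char pre[4096];
    size_t len = strlen(path);
    if (len == 0 || len >= sizeof pre || path[0] != '/')
        return 1;                   /* relative or oversized: discard it */
    for (size_t i = 1; i <= len; i++) {
        if (i != 1 && path[i] != '/' && path[i] != '\0')
            continue;
        snprintf(pre, sizeof pre, "%.*s", (int)i, path);   /* path[0..i) */
        if (is_noexec(pre))
            return 1;
    }
    return 0;
}

/* Rebuild colon-separated `in` into `out` minus the elements that traverse a
 * noexec filesystem. Returns the number kept, or -1 if `out` is too small. */
int filter_searchpath(const char *in, char *out, size_t outlen, noexec_fn is_noexec)
{
    char work[4096];
    size_t n = 0;
    int kept = 0;
    if (strlen(in) >= sizeof work || outlen == 0)
        return -1;
    strcpy(work, in);
    out[0] = '\0';
    for (char *elt = strtok(work, ":"); elt; elt = strtok(NULL, ":")) {
        if (!path_traverses_noexec(elt, is_noexec))
            n += snprintf(out + n, outlen - n, "%s%s", kept++ ? ":" : "", elt);
        if (n >= outlen)
            return -1;              /* truncated */
    }
    return kept;
}
```

In production pass `statvfs_is_noexec` as the predicate; the walk checks "/" first and then every longer prefix, so a noexec mount anywhere on the way down drops the whole element.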