> >And of course all that boils down to only allowing chmod +x in single
> >user mode :-)
> 
> That is very true and an interesting point.  If all the files are tied
> down with immutable flags then this would do the job neatly.  I think
> that you would have to do it in the open call as well though :-)

Just to clarify, I meant that you could not (by any means) make a file
executable while the system is running at whatever secure-level turns
your feature on and you clear execute permissions when a file is
written to.  It would not need to be single-user, except that you
cannot lower secure-level once raised so it might as well be
single-user that you go to to chmod +x.

Of course to be complete you need to deal with 

sh /bin/modified-tool

ie. if /bin/modified-tool is not executable, the above should fail.
same goes for perl and all the other script interpreters.
I'm not at all sure that that can be done without breaking so many
things you'd wish you'd never bothered :-)

--sjg