Subject: Re: chroot jail for ftpd
To: None <thorpej@wasabisystems.com>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-security
Date: 10/18/2001 15:41:57
>Yes, highly verboten.  There is another way to accomplish this.  I'll
>take a look, but I would suggest making THAT check dependent on a sysctl
>variable that defaults to "off".

I already suggested the sysctl.  Problem is, this check doesn't
actually close the loophole Thor is worried about, unless you also
(at a minimum) prohibit anyone from setting x bits on files on a
filesystem mounted writable-but-noexec.

(quite aside from the VTOI/i_ffs_mode)