We don't have a proof of concept for the LSM module. I agree with you that in practice
it would probably need to implement some kind of "list of files we care about",
but I do not have an intelligent opinion about that.

Based on Roberto's comment in a different sub-thread, there could be some ongoing
work integrating with IMA that might be past the hypothetical stage?

IPE supports fs-verity and dm-verity, and allows writing a policy such as "only
allow execution of binaries/libraries from fs-verity verified files or dm-verity verified
volumes":
https://lore.kernel.org/lkml/81d5e825-1ee2-8f6b-cd9d-07b0f8bd36d3@linux.m...
https://microsoft.github.io/ipe/
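For readers unfamiliar with what such an IPE policy looks like, here is an added example (not from the message above or from the IPE project's own tree) of the "only execute from verified sources" rule it describes. It assumes the upstream IPE policy grammar documented in Documentation/admin-guide/LSM/ipe.rst: a `policy_name`/`policy_version` header, a `DEFAULT` action, and per-operation rules keyed on properties such as `dmverity_signature` and `fsverity_signature`. The policy name and version are placeholder values.

```text
# Added example IPE policy (assumed upstream syntax; name/version are placeholders)
policy_name=verified-exec-example policy_version=0.0.1

# Everything not covered by a more specific rule is allowed,
# so that non-execution operations (reads, writes) are unaffected.
DEFAULT action=ALLOW

# Executing or mapping code is denied unless a rule below matches.
DEFAULT op=EXECUTE action=DENY

# Allow code that lives on the boot volume IPE considers trusted.
op=EXECUTE boot_verified=TRUE action=ALLOW

# Allow code from a dm-verity volume whose root hash carries a valid signature.
op=EXECUTE dmverity_signature=TRUE action=ALLOW

# Allow individual files protected by fs-verity with a signed digest.
op=EXECUTE fsverity_signature=TRUE action=ALLOW
```

With `DEFAULT op=EXECUTE action=DENY` as the fall-through, a binary or shared library on an unverified filesystem is refused at exec/mmap time, which is the property the message is asking about; everything outside the EXECUTE operation keeps the permissive default, so the policy does not need the "list of files we care about" that a file-level LSM would. Whether signature checking (`*_signature=TRUE`) or a pinned root hash is the right anchor depends on how the deployment distributes its verity metadata; both forms exist in the IPE grammar, and the signature form is shown here because it does not require hard-coding a digest into the policy.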