Closed
Description
systemd mounts $XDG_RUNTIME_DIR (/run/user/$UID) as exec, and $XDG_RUNTIME_DIR is always user writable. Apparently this behaviour is hardcoded in systemd: https://github.com/systemd/systemd/blob/main/src/shared/mount-setup.c#L99.
There is also a similarly writable and executable fuse-portal mount at /run/user/1000/doc.
The presence of these mounts makes it trivial to bypass noexec, even with ordinary binaries rather than scripts. Is there a workaround available?
See also: https://askubuntu.com/a/1432445.
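As an added example (not part of the issue above, and not code from systemd or this project), the following POSIX shell script checks whether the user runtime directory and the document portal are mounted without `noexec`, which is the condition that lets a user copy a binary there and run it. Parsing is done on a constructed sample of `findmnt -rno TARGET,OPTIONS` output so it runs offline; pass `--live` on a real system to feed it actual `findmnt` output instead. The function names, the sample mount lines and the size option value are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original issue. Checks whether a mount's
# option string permits execution (no "noexec" option) and applies that
# check to $XDG_RUNTIME_DIR (/run/user/$UID) and the portal at .../doc.

# mount_is_exec OPTIONS -> returns 0 when "noexec" is absent from the
# comma-separated option list, 1 when it is present.
mount_is_exec() {
    case ",$1," in
        *,noexec,*) return 1 ;;
        *)          return 0 ;;
    esac
}

# options_for TARGET -> reads findmnt-style "TARGET OPTIONS" lines on stdin
# and prints the option string of TARGET; prints nothing if not mounted.
options_for() {
    awk -v t="$1" '$1 == t { print $2; exit }'
}

# Constructed sample of `findmnt -rno TARGET,OPTIONS` for UID 1000 (not
# captured from a real host). /tmp carries noexec; the runtime dir and the
# document portal do not, which is the situation the issue describes.
SAMPLE_FINDMNT='/ rw,relatime
/tmp rw,nosuid,nodev,noexec,relatime
/run/user/1000 rw,nosuid,nodev,relatime,size=1600000k,mode=700,uid=1000,gid=1000
/run/user/1000/doc rw,nosuid,nodev,relatime,user_id=1000,group_id=1000'

# report_exec_mounts UID FINDMNT_OUTPUT -> prints one line per checked
# target: "TARGET exec", "TARGET noexec" or "TARGET absent".
report_exec_mounts() {
    uid=$1
    data=$2
    for target in "/run/user/$uid" "/run/user/$uid/doc"; do
        opts=$(printf '%s\n' "$data" | options_for "$target")
        if [ -z "$opts" ]; then
            printf '%s absent\n' "$target"
        elif mount_is_exec "$opts"; then
            printf '%s exec\n' "$target"
        else
            printf '%s noexec\n' "$target"
        fi
    done
}

# Live mode: same check against the running system. On a host where the
# report says "exec", the bypass is simply
#   cp /bin/true "$XDG_RUNTIME_DIR/t" && "$XDG_RUNTIME_DIR/t" && echo ran
if [ "${1:-}" = "--live" ] && command -v findmnt >/dev/null 2>&1; then
    report_exec_mounts "$(id -u)" "$(findmnt -rno TARGET,OPTIONS)"
else
    report_exec_mounts 1000 "$SAMPLE_FINDMNT"
fi
```

The check keys on the literal `noexec` option, so a mount that simply omits it (the tmpfs default, and what systemd's mount-setup.c produces for /run/user/$UID) is reported as `exec`; that is exactly the case worth flagging in an audit, since `nosuid` and `nodev` alone do not stop a user-owned binary from running.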