My workaround uses a dedicated directory for apt that is noexec as well but becomes exec temporarily during installs:
/etc/fstab:
tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,noexec,mode=1777,size=512M 0 0
tmpfs /var/tmp/apt tmpfs defaults,noatime,nosuid,nodev,noexec,mode=1777,size=512M 0 0
/etc/apt/apt.conf.d/71tmpapt (or whatever):
DPkg
{
    Pre-Invoke { "mount /var/tmp/apt -o remount,exec" };
    Post-Invoke { "mount /var/tmp/apt -o remount,noexec" };
};
APT::ExtractTemplates::TempDir "/var/tmp/apt";
Since the mount point must(?) exist for any mount point specified in /etc/fstab I put the apt dir into /var/tmp because its contents are persistent (unlike /tmp's). It's not very thoroughly tested yet... ymmv.
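An added check (not from the post above) that audits the fstab entries this setup relies on: it reports which of nosuid, nodev and noexec are missing for a given mount point. Because /proc/mounts uses the same column layout (mount point in field 2, options in field 4), the same function can be pointed at live mounts to confirm /var/tmp/apt really went back to noexec after a Post-Invoke hook ran. The fstab text below is a constructed sample; the function name and the NOENTRY marker are my own.

```shell
#!/bin/sh
# Constructed sample fstab; the second entry deliberately lacks noexec.
# On a real host use: missing_opts /var/tmp/apt "$(cat /etc/fstab)"
#                 or: missing_opts /var/tmp/apt "$(cat /proc/mounts)"
SAMPLE_FSTAB='tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,noexec,mode=1777,size=512M 0 0
tmpfs /var/tmp/apt tmpfs defaults,noatime,nosuid,nodev,mode=1777,size=512M 0 0
/dev/sda1 / ext4 errors=remount-ro 0 1'

# missing_opts MOUNTPOINT TABLE_TEXT
#   Prints a comma-separated list of hardening options absent from the
#   entry for MOUNTPOINT (empty line when all three are present).
#   Prints NOENTRY and returns 1 when no entry for MOUNTPOINT exists.
missing_opts() {
    mp="$1"
    table="$2"
    # Field 2 is the mount point, field 4 the option list; skip comments.
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4 }')
    [ -n "$opts" ] || { echo "NOENTRY"; return 1; }
    missing=""
    for want in nosuid nodev noexec; do
        # Wrap in commas so "noexec" cannot match inside another token.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Audit every mount point you expect to be locked down.
for mp in /tmp /var/tmp/apt; do
    m=$(missing_opts "$mp" "$SAMPLE_FSTAB")
    if [ -z "$m" ]; then
        echo "$mp: ok"
    else
        echo "$mp: missing $m"
    fi
done
```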