The /boot partition (with another directory for _ONLY_ setuid/setgid/capability
privileged programs) is one obvious solution that is transparent to existing
sysadmin and distro pragma's: Add symlinks into the /boot/suid (or
whatever) partition that isolates privileged programs from being hardlinked.
And then mount / with nosuid if you _REALLY_ want to prevent any other
buggy & privileged programs from being hardlinked.
The /boot partition (with another directory for _ONLY_ setuid/ setgid/ capability
privileged programs) is one obvious solution that is transparent to existing
sysadmin and distro pragma's: Add symlinks into the /boot/suid (or
whatever) partition that isolates privileged programs from being hardlinked.
And then mount / with nosuid if you _REALLY_ want to prevent any other
buggy & privileged programs from being hardlinked.
Q.E.D. Total time to solution: 20 minutes.
But honk away at RPM CVE's if you must.