https://github.com/Kicksecure/security-misc/blob/master/usr/bin/remount-secure%23security-misc-shared#L281-L287
https://github.com/cynicsketch/nix-mineral/blob/main/filesystems/normal.nix#L149-L156
It is possible to mount /var/lib with the exec mount option independently of the top-level /var, in order to preserve the function of any software that keeps executables in /var/lib, whilst still reducing attack surface in the rest of /var.
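As an added example (not code from either linked project), the runtime mount sequence appears as comments, followed by a POSIX shell check that verifies the resulting flags against a /proc/mounts-style listing; the listing is constructed here, and device names are placeholders for your own layout.

```shell
# Setting up the split (needs root; device names are placeholders):
#   mount -o nosuid,nodev,noexec /dev/mapper/var /var
#   mount --bind /var/lib /var/lib
#   mount -o remount,bind,nosuid,nodev,exec /var/lib
# noexec/nosuid/nodev are per-mount flags, so the bind mount over /var/lib can
# carry exec while the rest of /var keeps noexec.

# Constructed /proc/mounts-style listing showing the intended result
# (not a real system's output).
SAMPLE_MOUNTS='/dev/mapper/root / ext4 rw,relatime 0 0
/dev/mapper/var /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/var /var/lib ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# Print the option string for an exact mount point. Later lines shadow earlier
# ones in /proc/mounts, so the last match is the active mount.
# $1 = mount point, $2 = listing (defaults to the constructed sample; pass
# "$(cat /proc/mounts)" to inspect the running system).
mount_opts() {
  printf '%s\n' "${2:-$SAMPLE_MOUNTS}" |
    awk -v mp="$1" '$2 == mp { opts = $4 } END { print opts }'
}

# Succeed if mount point $1 carries option $2 in listing $3
# (whole-token match, so "exec" is never mistaken for "noexec").
has_opt() {
  case ",$(mount_opts "$1" "$3")," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# The property described above: /var is noexec, /var/lib is not, and /var/lib
# still keeps nosuid and nodev (exec is the only flag relaxed).
check_var_split() {
  has_opt /var noexec "$1" &&
    ! has_opt /var/lib noexec "$1" &&
    has_opt /var/lib nosuid "$1" &&
    has_opt /var/lib nodev "$1"
}

if check_var_split; then
  echo "ok: /var is noexec, /var/lib is exec (nosuid,nodev kept)"
else
  echo "mismatch: check mount options on /var and /var/lib" >&2
fi
```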