This evening I implemented the optional hardcoded_path feature for tpe-lkm. It’s a way to be very strict about what can be executed on the system. When set, anything outside of the given path can’t be executed, regardless of permissions or ownership. This includes shared libraries, so use this feature with caution. Read the entry in the FAQ about it.
When used properly, the security of your system is tightened, especially if you combine it with the “paranoid” option and the recently implemented lock feature.
Have fun with this!
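Because the restriction also covers shared libraries, it helps to check what a process actually maps as executable before turning the feature on. The following is an added example, not code from tpe-lkm: it assumes the allowed directories are written as a colon-separated list, uses a constructed `/proc/<pid>/maps` sample, and does not model how the module itself resolves symlinks.

```python
import os

# Constructed sample in /proc/<pid>/maps format (not taken from a real host).
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a1c000 r-xp 00000000 08:01 131 /usr/bin/python3.11
7f1a00000000-7f1a001c0000 r-xp 00000000 08:01 200 /usr/lib/x86_64-linux-gnu/libc.so.6
7f1a00400000-7f1a00410000 r-xp 00000000 08:01 311 /usr/lib64/libfoo.so.1
7f1a00600000-7f1a00620000 r-xp 00000000 08:01 412 /opt/app/lib/libbar.so
7f1a00800000-7f1a00801000 rw-p 00000000 08:01 200 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd1c000000-7ffd1c002000 r-xp 00000000 00:00 0 [vdso]
"""

def parse_allowed(spec):
    # Assumption: the allowed directories are given as a colon-separated list.
    return [os.path.normpath(p) for p in spec.split(":") if p.startswith("/")]

def is_allowed(path, allowed):
    # Compare whole path components so /usr/lib does not also admit /usr/lib64.
    path = os.path.normpath(path)
    return any(d == "/" or path.startswith(d + "/") for d in allowed)

def exec_mappings(maps_text):
    # File-backed mappings with the execute bit: binaries and shared libraries.
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) == 6 and "x" in fields[1] and fields[5].startswith("/"):
            found.add(fields[5])
    return found

def outside_allowed(maps_text, spec):
    # Executable mappings that fall outside every allowed directory.
    allowed = parse_allowed(spec)
    return sorted(f for f in exec_mappings(maps_text) if not is_allowed(f, allowed))

if __name__ == "__main__":
    for path in outside_allowed(SAMPLE_MAPS, "/usr/bin:/usr/lib"):
        print("outside allowed path:", path)
```

To audit a live process, pass the contents of `/proc/<pid>/maps` as `maps_text` instead of the sample.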