Not a perfect solution, but you could mount as noexec by default and whenever you want to install packages you can do a quick