    service-manager: More secure identification of apps & agents · 764a7e4e
    Zeeshan Ali Khan authored
    We have been using /proc/${PID}/cmdline for identifying apps, but that
    can be overwritten by the app itself very easily. Instead, we look at what
    /proc/${PID}/exe is pointing to. The only way an app/agent can fool
    geoclue now is by overwriting the binary of a whitelisted agent or
    authorized app.
    
    We can make things a lot more secure by only allowing binaries to be in
    privileged directories (e.g. /usr/bin, /usr/libexec, etc.), since then a
    random unprivileged binary can't just overwrite known binaries. However,
    this will break geoclue for developers (think jhbuild). Perhaps we
    should do this but provide an option in the conf file to either disable
    these checks or provide the whitelisted binary directories?
    
    Thanks to Lennart Poettering for advice.
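The identification scheme described in the commit message, as an added example that is not geoclue's own code: the peer's binary is taken from the kernel-maintained /proc/${PID}/exe link rather than from the process-writable cmdline, compared against a whitelist of known binaries, and optionally required to live in a privileged directory that an unprivileged user cannot write to. The whitelist entries, the privileged-directory list and the `enforce_dirs` switch (standing in for the conf-file option the message proposes) are constructed for illustration.

```c
// Added example, not geoclue code. Identify a process by what
// /proc/<pid>/exe points at and check it against a constructed policy.
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Resolve the executable a running process was started from. Unlike
 * /proc/<pid>/cmdline, this symlink is maintained by the kernel and cannot
 * be rewritten by the process itself. Returns a malloc'd path or NULL. */
char *exe_path_for_pid(pid_t pid)
{
    char link[64];
    char buf[PATH_MAX];
    snprintf(link, sizeof link, "/proc/%d/exe", (int)pid);
    ssize_t n = readlink(link, buf, sizeof buf - 1);
    if (n < 0)
        return NULL;
    buf[n] = '\0';
    /* A binary that was replaced or unlinked while running shows up as
     * "<path> (deleted)"; treat that as unknown rather than trusting the name. */
    if (n >= 10 && strcmp(buf + n - 10, " (deleted)") == 0)
        return NULL;
    return strdup(buf);
}

/* Exact-match lookup of the resolved path in the whitelist. */
int path_in_whitelist(const char *path, const char *const *whitelist)
{
    for (; *whitelist; whitelist++)
        if (strcmp(path, *whitelist) == 0)
            return 1;
    return 0;
}

/* Is the path inside one of the privileged directories? The prefix must be
 * followed by '/', so "/usr/binx/x" does not match "/usr/bin", and ".."
 * components are rejected so the prefix cannot be escaped. */
int path_in_privileged_dir(const char *path, const char *const *dirs)
{
    if (strstr(path, "/../") || strncmp(path, "../", 3) == 0)
        return 0;
    for (; *dirs; dirs++) {
        size_t len = strlen(*dirs);
        if (strncmp(path, *dirs, len) == 0 && path[len] == '/' && path[len + 1] != '\0')
            return 1;
    }
    return 0;
}

/* Combined policy: the binary must be whitelisted, and when enforce_dirs is
 * set (the stricter mode the commit message discusses) it must also live in
 * a privileged directory. Developers using jhbuild would run with
 * enforce_dirs == 0. */
int is_authorized_binary(const char *path, const char *const *whitelist,
                         const char *const *dirs, int enforce_dirs)
{
    if (!path || !path_in_whitelist(path, whitelist))
        return 0;
    return !enforce_dirs || path_in_privileged_dir(path, dirs);
}

/* Constructed sample policy; these paths are illustrative, not geoclue's. */
static const char *const kWhitelist[] = {
    "/usr/libexec/demo-agent", "/home/dev/jhbuild/bin/demo-agent", NULL
};
static const char *const kPrivilegedDirs[] = { "/usr/bin", "/usr/libexec", NULL };

int main(void)
{
    char *self = exe_path_for_pid(getpid());
    printf("this process runs from: %s\n", self ? self : "(unknown)");
    printf("jhbuild agent, strict mode: %d; developer mode: %d\n",
           is_authorized_binary("/home/dev/jhbuild/bin/demo-agent", kWhitelist, kPrivilegedDirs, 1),
           is_authorized_binary("/home/dev/jhbuild/bin/demo-agent", kWhitelist, kPrivilegedDirs, 0));
    free(self);
    return 0;
}
```

In a D-Bus service the PID would come from the bus daemon's credentials for the caller rather than from `getpid()`; the resolution and policy checks are the same. The "(deleted)" handling covers the residual case the message names: a whitelisted binary that has been overwritten on disk no longer matches its original inode, and the kernel flags the link accordingly.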