Cook: seccomp filter now in Ubuntu

That would be an absolutely horrible idea. seccomp does not replace a proper access control model. First of all it only restricts what syscalls can be called and not how they may be called. Second it relies on each and every program to tell it what it needs. There is nothing in seccomp that says what files a particular confined process may touch. Whether it be SELinux/GRSecurity/Apparmor/SMACK/TOMOYO you need an actual access control model to control what resources are accessed in the system. The GRSecurity people have a point that the LSM is less than ideal as it provides convenient hook points for malicious code but there is no removing them without settling on one security model for the kernel to replace LSM and that is never going to happen.

The way LSM works for most if not all of the modules only provide the mechanism. Its up to the user to plug in the policy (Smack is the exception from what I understand). The whole purpose of things like SELinux and other LSMs is to separate policy from mechanism. Original MAC implementations hardcoded policy into the operating system. Modern systems separate the policy out to provide flexibility.