Speaking of FollowSymlinksIfOwner, on Sunday (of last week) I developed a proper race-free, group-based kernel implementation. As of yesterday, it was also pushed to both stable branches of grsecurity (so we have implementations for 2.6.32, 3.2, and 3.4). My checks are performed correctly against every link followed while walking a path (and against the actual targets used along the way to produce the final resolved path). I've noted that it's not possible to implement an equivalent protection by anything but GPL code, as you need to interpose at a location deep in VFS internals. Even the only exported GPL'd LSM API is called prior to the necessary interception point.
So I have to question the merit of using closed source to do a weakened form of something that's already done correctly, for free under the GPL ;)