LSM stacking (again)
Posted Jun 29, 2010 12:54 UTC (Tue) by mpr22 (subscriber, #60784)
In reply to: LSM stacking (again) by raven667
Parent article: LSM stacking (again)
My perspective is that we're in a "pick one" scenario, with the options being roughly:
- The kernel team provides LSM stacking.
- Someone writes an LSM which implements "LSM stacking" by some godawful collection of shims.
- Someone writes a mindblowingly generic LSM in which everything is possible but nothing is easy. World+dog are happy up until they want to do something that conflicts with their distro defaults, at which point they meet Pain.
- End users get stuck with the choice of either putting up with what the "big boys" want to implement in their LSMs, or using a "boutique" LSM that covers a particular case but doesn't really handle general security well enough.
