Security requirements for new kernel features
Posted Jul 28, 2022 22:51 UTC (Thu) by cschaufler (subscriber, #126555)
In reply to: Security requirements for new kernel features by khuey
Parent article: Security requirements for new kernel features
Security modules do have to deal with the hideousness of ioctls. SELinux introduces a sophisticated set of classes for them, but it's still somewhat wonky. Smack relies on the correct use of ioctl command conventions (_IOC) by the driver implementations, even though the reliability of that is at best questionable. Neither is especially satisfactory. That's one reason there's a flap over io_uring_cmd. The collective community has had the opportunity to learn the lesson. It's disappointing that we have to have this brouhaha over and over.
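To illustrate the dependence on `_IOC` conventions that the comment above describes, here is an added example (not part of the original comment and not code from Smack or any other security module) that derives the required access from a command's direction bits alone. The `EX_*` names, the access constants and the imaginary driver type `'x'` are assumptions; the bit layout is the asm-generic one, which some architectures change.

```c
#include <stdio.h>

/* asm-generic ioctl command layout: | dir:2 | size:14 | type:8 | nr:8 | */
#define EX_IOC_DIRSHIFT  30
#define EX_IOC_SIZESHIFT 16
#define EX_IOC_TYPESHIFT 8
#define EX_IOC_WRITE 1U   /* userspace passes data to the driver  */
#define EX_IOC_READ  2U   /* userspace gets data from the driver  */
#define EX_IOC(dir, type, nr, size)                                   \
    (((unsigned)(dir) << EX_IOC_DIRSHIFT) |                           \
     ((unsigned)(size) << EX_IOC_SIZESHIFT) |                         \
     ((unsigned)(type) << EX_IOC_TYPESHIFT) | (unsigned)(nr))
#define EX_IOC_DIR(cmd) (((cmd) >> EX_IOC_DIRSHIFT) & 3U)

/* Hypothetical access bits a security module might demand. */
#define EX_MAY_WRITE 2
#define EX_MAY_READ  4

/* Access required when the policy trusts only the encoded direction. */
static int access_from_ioc_dir(unsigned cmd)
{
    int need = 0;
    if (EX_IOC_DIR(cmd) & EX_IOC_WRITE)
        need |= EX_MAY_WRITE;
    if (EX_IOC_DIR(cmd) & EX_IOC_READ)
        need |= EX_MAY_READ;
    return need;
}

int main(void)
{
    /* Constructed commands for an imaginary driver of type 'x'. */
    struct { const char *what; unsigned cmd; } samples[] = {
        { "get config (declared read)",      EX_IOC(EX_IOC_READ,  'x', 1, 16) },
        { "set config (declared write)",     EX_IOC(EX_IOC_WRITE, 'x', 2, 16) },
        /* Driver changes state but declared no direction bits. */
        { "reset device (declared no dir)",  EX_IOC(0, 'x', 3, 0) },
        /* Old-style number predating the convention (TCGETS in asm-generic). */
        { "legacy number 0x5401",            0x5401U },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s cmd=0x%08x required access=%d\n", samples[i].what,
               samples[i].cmd, access_from_ioc_dir(samples[i].cmd));
    return 0;
}
```

The last two samples come out with no required access at all, so a policy built this way is only as accurate as each driver's command encoding.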
