[$] A security-module hook for user-namespace creation

Post Syndicated from original https://lwn.net/Articles/903580/

The Linux Security Module (LSM) subsystem works by way of an extensive set
of hooks placed strategically throughout the kernel. Any specific security
module can attach to the hooks for the behavior it intends to govern and be
consulted whenever a decision needs to be made. The placement of LSM hooks
often comes with a bit of controversy; developers have been known to object
to the performance cost of hooks in hot code paths, and sometimes there are
misunderstandings over how integration with LSMs should be handled. The
disagreement over a security hook for the creation of user namespaces,
though, is based on a different sort of concern.
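The dispatch pattern described above, as an added user-space model that is not kernel code and not from the article: each module registers its hook function in a list, and the framework's dispatcher for an int-returning hook walks that list in registration order and stops at the first hook that returns an error, the way the kernel's call_int_hook() does. The hook name (userns_create), its argument list, and the two sample policies are constructed for illustration; the real kernel hook has a different signature.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical per-module hook entry, modelled loosely on the kernel's
 * struct security_hook_list: a module name and one hook function. */
struct userns_hook {
    const char *lsm;
    int (*userns_create)(int caller_uid, int nesting_level);
};

#define MAX_HOOKS 8
static struct userns_hook hooks[MAX_HOOKS];
static size_t nr_hooks;

/* A module "attaches" to the hook by appending itself to the list. */
int register_userns_hook(const char *lsm,
                         int (*fn)(int caller_uid, int nesting_level))
{
    if (nr_hooks >= MAX_HOOKS)
        return -ENOMEM;
    hooks[nr_hooks].lsm = lsm;
    hooks[nr_hooks].userns_create = fn;
    nr_hooks++;
    return 0;
}

void clear_userns_hooks(void)
{
    nr_hooks = 0;
}

/* Framework dispatcher: consult every registered module in order and
 * stop at the first nonzero return, as the kernel's call_int_hook() does.
 * With no modules registered the default is to allow (return 0). */
int security_create_user_ns(int caller_uid, int nesting_level)
{
    for (size_t i = 0; i < nr_hooks; i++) {
        int rc = hooks[i].userns_create(caller_uid, nesting_level);
        if (rc != 0) {
            fprintf(stderr, "userns creation denied by %s (%d)\n",
                    hooks[i].lsm, rc);
            return rc;
        }
    }
    return 0;
}

/* Constructed policy 1: only root may create a user namespace. */
static int deny_unprivileged(int caller_uid, int nesting_level)
{
    (void)nesting_level;
    return caller_uid == 0 ? 0 : -EPERM;
}

/* Constructed policy 2: cap how deeply namespaces may be nested. */
static int limit_nesting(int caller_uid, int nesting_level)
{
    (void)caller_uid;
    return nesting_level < 3 ? 0 : -EPERM;
}

int main(void)
{
    register_userns_hook("deny_unprivileged", deny_unprivileged);
    register_userns_hook("limit_nesting", limit_nesting);

    printf("root, depth 1:  %d\n", security_create_user_ns(0, 1));
    printf("uid 1000, depth 1: %d\n", security_create_user_ns(1000, 1));
    printf("root, depth 5:  %d\n", security_create_user_ns(0, 5));
    return 0;
}
```

The point of the model is the ordering semantics: a later module is never asked about a request an earlier one has already refused, so stacking modules can only make the decision stricter, never looser.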