[$] Impedance matching for BPF and LSM

The “kernel runtime security instrumentation” (KRSI) patch set has been
making the rounds over the past few months; the idea is to use the Linux
security module (LSM) hooks as a way to detect, and potentially deflect,
active attacks against a running system. It does so by allowing BPF
programs to be attached to the LSM hooks. That has caused some concern in
the past about exposing the security hooks as external kernel APIs, which
makes them potentially subject to the “don’t break user space” edict. But
there has been no real objection to the goals of KRSI. The fourth version
of the patch set was posted by KP Singh on February 20; the concerns
raised this time are about its impact on the LSM infrastructure.

Source: LWN.net – [$] Impedance matching for BPF and LSM
