Hi James,

Let's see how this one goes. I've moved the lockdown code into an LSM hook and provided an internal enum of lockdown reasons that LSMs can either group or expose at whatever level of granularity is appropriate. I've also included a static LSM that mimics the behaviour of the existing patchset. I think there's a reasonable discussion to have about what sort of granularity other LSMs might want to offer, but I don't think that necessarily needs to be a blocker to merging this.

As with the last implementation, this can be enabled via static kernel configuration, the kernel command line or via securityfs, depending on use case. Distributions may wish to tie it to UEFI Secure Boot state, but we can save that conversation for later.

Thoughts?
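As an added illustration of the design the message describes (this is not code from the patchset or from the kernel tree), here is a userspace C model of the hook: the core kernel passes a fine-grained lockdown reason, and a static LSM groups those reasons into two coarse levels selected by a "none" / "integrity" / "confidentiality" setting of the kind one would supply on the command line or through securityfs. The specific enum members, the two groupings and the parameter strings are assumptions chosen for the illustration, not the patchset's identifiers.

```c
/*
 * Userspace model of a lockdown LSM hook with an enum of reasons that the
 * policy groups into coarse levels. Added example; the enum members, the
 * two levels and the parameter syntax are assumptions for illustration,
 * not the identifiers used by the real patchset or kernel.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/*
 * Fine-grained reasons the rest of the kernel would pass to the hook.
 * Ordering carries meaning: reasons up to INTEGRITY_MAX let userspace
 * modify the running kernel, reasons between INTEGRITY_MAX and
 * CONFIDENTIALITY_MAX let userspace read kernel memory or secrets.
 */
enum lockdown_reason {
	LOCKDOWN_NONE,
	LOCKDOWN_MODULE_SIGNATURE,
	LOCKDOWN_DEV_MEM,
	LOCKDOWN_KEXEC,
	LOCKDOWN_INTEGRITY_MAX,
	LOCKDOWN_KCORE,
	LOCKDOWN_PERF,
	LOCKDOWN_CONFIDENTIALITY_MAX,
};

/* The static LSM's only state: refuse every reason at or below this level. */
static enum lockdown_reason kernel_locked_down = LOCKDOWN_NONE;

/*
 * Parse the coarse level as it might arrive from the command line or
 * securityfs (assumed syntax). Returns 0 on success, -EINVAL otherwise.
 */
int lockdown_set_level(const char *level)
{
	if (!strcmp(level, "none"))
		kernel_locked_down = LOCKDOWN_NONE;
	else if (!strcmp(level, "integrity"))
		kernel_locked_down = LOCKDOWN_INTEGRITY_MAX;
	else if (!strcmp(level, "confidentiality"))
		kernel_locked_down = LOCKDOWN_CONFIDENTIALITY_MAX;
	else
		return -EINVAL;
	return 0;
}

/*
 * The hook itself: a caller names the concrete reason, and the LSM decides
 * whether the configured level covers it. -EPERM denies, 0 allows,
 * -EINVAL rejects the two sentinel values that callers must not pass.
 */
int lockdown_is_locked_down(enum lockdown_reason what)
{
	if (what <= LOCKDOWN_NONE || what >= LOCKDOWN_CONFIDENTIALITY_MAX)
		return -EINVAL;
	if (kernel_locked_down >= what)
		return -EPERM;
	return 0;
}

/* How a sensitive code path (here, opening /dev/mem) would consult the hook. */
int open_dev_mem(void)
{
	int ret = lockdown_is_locked_down(LOCKDOWN_DEV_MEM);

	if (ret)
		return ret;
	return 0; /* proceed with the open */
}

int main(void)
{
	static const char *levels[] = { "none", "integrity", "confidentiality" };
	size_t i;

	for (i = 0; i < sizeof(levels) / sizeof(levels[0]); i++) {
		lockdown_set_level(levels[i]);
		printf("%-16s dev_mem=%d kcore=%d\n", levels[i],
		       lockdown_is_locked_down(LOCKDOWN_DEV_MEM),
		       lockdown_is_locked_down(LOCKDOWN_KCORE));
	}
	return 0;
}
```

The point of the ordering trick is that the core kernel never needs to know about levels: it always names the precise reason, and a different LSM could keep the same enum but expose a per-reason policy instead of the two-level grouping shown here.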