No, because the interface for configuring it would be rejected... I have
a /proc file which I write a binary configuration file to. This works
fine for me but it would take a lot of work to write a proper interface
- which I'm still not sure how to do*.
That doesn't solve the problem that it's no longer possible to reload LSM
modules to make changes at runtime. Why should I have to reboot to change
something from now on when it works ok? The reasoning seems to be based
around a dislike of some out of tree modules. (Although it doesn't look
like there's appropriate locking around the register/unregister process.)
* (I've got a list of access rules which are scanned in order until one of
them matches, and an array of one bit for every port for per-port default
allow/deny - although the latter could be removed.