There's an upside of having no stable in-kernel ABI: it's much harder to write a portable kernel rootkit. (Or a downside, depending on how you look at it :)
LSM hooks were always helpful for this. Not sure what the state of the art is now though.
It also complicates efforts for defenders who are trying to observe kernel behavior and state.


