5.4 Kernel Adds New Security Lock Features

The new 5.4 kernel has gotten final approval to include new lockdown features to prevent many attacks. It is optional and can break some things in userspace, but it is very interesting to see this sort of change finally getting out of experimental stages.

From the notes:

The lockdown module is intended to allow for kernels to be locked down
early in boot - sufficiently early that we don’t have the ability to
kmalloc() yet. Add support for early initialisation of some LSMs, and
then add them to the list of names when we do full initialisation later.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=aefcf2f4b58155d27340ba5f9ddbe9513da8286d

3 Likes
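Added example (not part of the original post or the kernel patch): a small script to see whether the lockdown LSM made it into the kernel's list of LSM names and which mode is active. It assumes the securityfs files /sys/kernel/security/lsm and /sys/kernel/security/lockdown, which the post does not mention; the function names are illustrative and the sample values are constructed.

```shell
#!/bin/sh
# Added example: report kernel lockdown state on a 5.4+ kernel.
# Function names are illustrative, not from the kernel patch.

# Print the active mode from the contents of /sys/kernel/security/lockdown.
# The kernel lists every mode and brackets the active one,
# e.g. "none [integrity] confidentiality".
lockdown_mode() {
    case $1 in
        *\[*\]*) m=${1#*\[}; printf '%s\n' "${m%%\]*}" ;;
        *) return 1 ;;
    esac
}

# Succeed if LSM name $2 appears in the comma-separated list $1
# (the format of /sys/kernel/security/lsm).
lsm_listed() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 = LSM list, $2 = lockdown file contents
report() {
    if ! lsm_listed "$1" lockdown; then
        echo "lockdown LSM not active"
        return 0
    fi
    mode=$(lockdown_mode "$2") || { echo "lockdown: unparseable state"; return 1; }
    echo "lockdown LSM active, mode=$mode"
}

# Constructed sample values, used when securityfs is not readable.
SAMPLE_LSM='lockdown,capability,yama,apparmor'
SAMPLE_LOCKDOWN='none [integrity] confidentiality'

if [ -r /sys/kernel/security/lsm ] && [ -r /sys/kernel/security/lockdown ]; then
    report "$(cat /sys/kernel/security/lsm)" "$(cat /sys/kernel/security/lockdown)"
else
    report "$SAMPLE_LSM" "$SAMPLE_LOCKDOWN"
fi
```

A mode of "none" means the module is present but nothing is restricted, which is the optional behaviour the post describes.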

Like all Torvalds patches and ideas, he doesn't make things compulsory and respects people's freedom. I really like his mentality over conventional free software advocates.

1 Like