Its purpose is rather simple—much simpler than the two current mainline users of the LSM interface—intercept system calls for networking and call out to user space to determine if they are to be allowed.
The idea is to be able to create Linux versions of the "personal firewall" that is popular on Windows machines. Reaction to snet was mixed, partially because of a disdain for that type of security tool, but also because it is implemented using LSM.
The main idea is to capture events coming from userspace, whenever a process is doing some network syscall (sys_listen, sys_bind, ...). For that, it seems that the LSM structure is the most simple, as far as we just have to connect to the LSM hooks with struct security_operations {}.
From The Director of "Autant on emporte les IO", Samir Bellabes
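The design above splits the work in two: an LSM hook in the kernel reports the network syscall, and user space returns the verdict. The following is an added example of that user-space half, not snet's own code; the event fields, the rule format and the default-deny verdict are assumptions for illustration, not snet's actual protocol.

```c
/* Added example (not snet's code): the user-space policy side of a
 * hook-then-ask-user-space design. The kernel hook (socket_bind /
 * socket_listen via struct security_operations) would send an event up;
 * this decides ALLOW or DENY. Formats here are assumed, not snet's. */
#include <stdio.h>
#include <string.h>

enum verdict { DENY = 0, ALLOW = 1 };
enum op { OP_BIND, OP_LISTEN, OP_CONNECT };

struct event {           /* what the hook is assumed to report */
    enum op op;
    char comm[16];       /* process name, as in task_struct->comm */
    unsigned short port;
};

struct rule {            /* a personal-firewall rule: first match wins */
    enum op op;
    const char *comm;    /* NULL matches any process */
    unsigned short port; /* 0 matches any port */
    enum verdict verdict;
};

/* Decide an event against an ordered rule list. No match -> DENY, so an
 * empty or incomplete policy fails closed rather than open. */
enum verdict decide(const struct event *ev, const struct rule *rules, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (r->op != ev->op) continue;
        if (r->comm && strncmp(r->comm, ev->comm, sizeof ev->comm) != 0) continue;
        if (r->port && r->port != ev->port) continue;
        return r->verdict;
    }
    return DENY;
}

/* Constructed sample policy: sshd may listen on 22, nothing else may
 * listen, outbound connects are allowed, binds are unlisted (fail closed). */
static const struct rule policy[] = {
    { OP_LISTEN,  "sshd", 22, ALLOW },
    { OP_LISTEN,  NULL,    0, DENY  },
    { OP_CONNECT, NULL,    0, ALLOW },
};
static const size_t policy_len = sizeof policy / sizeof policy[0];

int main(void)
{
    struct event ev = { OP_LISTEN, "nc", 8080 };
    printf("listen by nc on 8080: %s\n",
           decide(&ev, policy, policy_len) == ALLOW ? "ALLOW" : "DENY");
    return 0;
}
```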
