Comment 5 for bug 1692582

I think performance, and flexibility wise, the best solution would be to move mediation entirely to userspace.

Use the key/value store to provide flexibility on what match ordering to use, userspace policy caching so we don't have to round trip the kernel except when the policy is invalidated by a policy reload, etc.

This would be the most flexible and performant solution and if done right.