I interpret the reasoning as: if we can't do a AND b we won't bother with b. Which is confusing because b is many orders of magnitude more important than a.
Supposedly yes, but shouldn't it vastly reduce the attack surface by not having to worry (compared to now) about all device drivers that use DMA (which otherwise is just impossible to keep track of)?
In my opinion reducing that attack surface alone on b) has a much higher impact than a) could ever achieve.
The stuff lockdown impacts is stuff that only root can do right now, so in theory it's only handling channels that are irrelevant to b). Users should already be prevented from triggering arbitrary DMA, for instance.
a) prevents a temporary breach of b) from turning into a persistent attack. b) is still very important, so important that when b) breaks it is considered a CVE!
a) locking root out of kernel
b) locking users from becoming root