Although I thought maybe I should release it before the state support, anyway, after I finished the lidstools part support, and the kernel part code seems easy to do. The only problem let me stop for a while is the a new file/inode created in a privilege directory. Before that, it is easy, just copy what the current dir's inode-i_security, but now, the default acl and current state's acl need to copy into the new one.
One problem I always think is the dynamic inode, which has the same filename. for example, /etc/shadow will be change the inode after a new user has been added/detected. for now, it will just be the same as the "/etc/", can not be hidden any longer.
inode,dentry, file, dir.