Towards Provenance for Cybersecurity in Cloud-Native Production Infrastructure

Paul Houssel, Sylvie Laniepce, Olivier Levillain

Abstract

System provenance models the interactions between system subjects and objects, enabling post-mortem and root-cause analyses of cyberattacks. Despite numerous contributions to provenance systems, there remains little consensus on the reliability of existing telemetry collection methods. Linux Security Module (LSM) interfaces present a promising alternative thanks to their inherent stability and safety for production environments. However, since LSM hooks do not capture the full granularity of system calls, it is unclear whether they can support the creation of sound provenance graphs. In this work, we study the evolution of these kernel interfaces and their coverage.