[PATCH] xfrm: force flush upon NETDEV_UNREGISTER event
Paul Moore
paul at paul-moore.com
Mon Jan 26 22:41:46 UTC 2026
On Thu, Jan 22, 2026 at 7:00 AM Steffen Klassert
<steffen.klassert at secunet.com> wrote:
> On Thu, Jan 22, 2026 at 05:24:22PM +0900, Tetsuo Handa wrote:
...
> > Therefore, I wonder what are security_xfrm_state_delete() and security_xfrm_policy_delete()
> > for. Can I kill xfrm_dev_state_flush_secctx_check() and xfrm_dev_policy_flush_secctx_check() ?
>
> This might violate a LSM policy then.
Exactly. SELinux is currently the only LSM that enforces any access
controls on the XFRM/IPsec code, but it does use both of these LSM
hooks to authorize deletion of SPD/SA objects.
--
paul-moore.com
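To make the point of the exchange concrete (why the flush-time secctx checks cannot simply be dropped), here is an added, self-contained C model that is not kernel code and not part of this thread. It assumes a hypothetical per-state "delete" hook in the spirit of security_xfrm_state_delete() and a toy label policy, and mirrors the two-phase shape of a flush: consult the hook for every live entry first, and abort the whole flush if any entry is denied, so a restricted caller cannot partially empty the table.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a security association: only the fields the flush needs. */
struct sa_entry {
    unsigned int spi;     /* identifier, for readability only */
    unsigned int secid;   /* security label attached to the state; 0 = unlabelled */
    bool in_use;
};

#define SA_TABLE_SIZE 4

/* Hypothetical LSM-style hook: return 0 to allow deleting this state, -EPERM to deny. */
typedef int (*state_delete_hook)(const struct sa_entry *sa, unsigned int caller_secid);

struct sa_table {
    struct sa_entry ent[SA_TABLE_SIZE];
    state_delete_hook delete_hook;   /* NULL models "no LSM enforcing anything" */
};

/* Toy policy (hypothetical): a caller may delete unlabelled states and states
 * carrying its own label, nothing else. */
static int toy_state_delete(const struct sa_entry *sa, unsigned int caller_secid)
{
    if (sa->secid == 0 || sa->secid == caller_secid)
        return 0;
    return -EPERM;
}

/* Phase 1, the "secctx check": ask the hook about every live entry before
 * touching any of them, so one denied entry aborts the whole flush. */
static int sa_flush_secctx_check(const struct sa_table *t, unsigned int caller_secid)
{
    for (size_t i = 0; i < SA_TABLE_SIZE; i++) {
        if (!t->ent[i].in_use)
            continue;
        if (t->delete_hook) {
            int err = t->delete_hook(&t->ent[i], caller_secid);
            if (err)
                return err;
        }
    }
    return 0;
}

/* Phase 2: only reached when every entry was authorized.
 * Returns the number of entries removed, or a negative errno. */
static int sa_flush(struct sa_table *t, unsigned int caller_secid)
{
    int err = sa_flush_secctx_check(t, caller_secid);
    if (err)
        return err;
    int removed = 0;
    for (size_t i = 0; i < SA_TABLE_SIZE; i++) {
        if (t->ent[i].in_use) {
            t->ent[i].in_use = false;
            removed++;
        }
    }
    return removed;
}

static int sa_live_count(const struct sa_table *t)
{
    int n = 0;
    for (size_t i = 0; i < SA_TABLE_SIZE; i++)
        n += t->ent[i].in_use ? 1 : 0;
    return n;
}

/* Constructed table: two unlabelled states and one labelled with secid 7. */
static void sa_table_init(struct sa_table *t, state_delete_hook hook)
{
    struct sa_entry seed[SA_TABLE_SIZE] = {
        { 0x1001, 0, true }, { 0x1002, 7, true }, { 0x1003, 0, true }, { 0, 0, false },
    };
    for (size_t i = 0; i < SA_TABLE_SIZE; i++)
        t->ent[i] = seed[i];
    t->delete_hook = hook;
}

/* Scenario helpers: flush as a given caller, with or without the hook wired in.
 * Each returns sa_flush()'s result; *remaining receives the live count afterwards. */
static int scenario_flush(state_delete_hook hook, unsigned int caller_secid, int *remaining)
{
    struct sa_table t;
    sa_table_init(&t, hook);
    int rc = sa_flush(&t, caller_secid);
    if (remaining)
        *remaining = sa_live_count(&t);
    return rc;
}

int main(void)
{
    int left;
    printf("owner (secid 7) flush: rc=%d, left=%d\n", scenario_flush(toy_state_delete, 7, &left), left);
    printf("other (secid 5) flush: rc=%d, left=%d\n", scenario_flush(toy_state_delete, 5, &left), left);
    printf("no hook at all   flush: rc=%d, left=%d\n", scenario_flush(NULL, 5, &left), left);
    return 0;
}
```

With the hook in place, a caller labelled 5 is refused and the table is left untouched; remove the hook (the NULL case) and the same caller empties the table, which is the policy violation the reply warns about.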