Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check()

[PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2026-01-23
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Paul Moore <paul@paul-moore.com> · 2026-01-26
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2026-01-27
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Paul Moore <paul@paul-moore.com> · 2026-01-27
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2026-01-28
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Paul Moore <paul@paul-moore.com> · 2026-01-30
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2026-01-31
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Paul Moore <paul@paul-moore.com> · 2026-02-02
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2026-02-03
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Paul Moore <paul@paul-moore.com> · 2026-02-03
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2026-02-04
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2026-02-04
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Steffen Klassert <steffen.klassert@secunet.com> · 2026-02-09
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2026-02-09
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Steffen Klassert <steffen.klassert@secunet.com> · 2026-02-09
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2026-02-09
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Steffen Klassert <steffen.klassert@secunet.com> · 2026-02-13
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> · 2026-02-13
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Steffen Klassert <steffen.klassert@secunet.com> · 2026-02-18
Re: [PATCH] xfrm: kill xfrm_dev_{state,policy}_flush_secctx_check() · Paul Moore <paul@paul-moore.com> · 2026-02-27

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: 2026-01-28 10:28:09
Also in: linux-security-module, selinux

On 2026/01/28 6:59, Paul Moore wrote:

It sounds like we either need to confirm that
security_xfrm_{policy,state}_delete() is already present in all code
paths that result in SPD/SAD deletions (in a place that can safely
fail and return an error),

Yes.

                           or we need to place
xfrm_dev_{policy,state}_flush_secctx_check() in a location that can
safely fail.

Did you mean xfrm_{policy,state}_flush_secctx_check() ?

Regarding xfrm_policy_flush() as an example, we can observe that we are
calling LSM hooks for must-not-fail callers. If the task_valid argument was
meant to be interpreted as whether to call LSM hooks, xfrm_policy_flush() needs
below change.

 int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)
 {
 (...snipped...)
-	err = xfrm_policy_flush_secctx_check(net, type, task_valid);
+	err = task_valid ? xfrm_policy_flush_secctx_check(net, type, task_valid) : 0;
 (...snipped...)
 }

              The patch doesn't relocate
xfrm_dev_{policy,state}_flush_secctx_check() and I don't really see
any mention about security_xfrm_{policy,state}_delete() in the patch
or description;
                have you verified that the LSM xfrm hooks are still
being called to authorize the removals?

Please distinguish caller for "delete" and caller for "release".
LSM xfrm hooks need to be called for "delete" callers, but
LSM xfrm hooks need to be bypassed for "release" callers.

Maybe task_valid == true is for "delete" callers and task_valid == false is
for "release" callers; though it seems that some locations are passing wrong
task_valid flag (e.g. xfrm_dev_down() is passing task_valid == true despite
it is a "release" caller).

If 'task_valid == true is for "delete" callers and task_valid == false is for
"release" callers' does not hold, we might need to add a "forced" flag
(which is interpreted as whether LSM hooks must be bypassed) like
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit?h=next-20260123&id=fc0f090e41e652d158f946c616cdd82baed3c8f4
does.

Anyway, this patch which kills xfrm_dev_{state,policy}_flush_secctx_check()
can be applied as-is because all callers are "release" callers.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help