From: Paul Moore <[email protected]>
Date: Wed, 6 Apr 2016 10:07:27 -0400

> "While marking the LSM hook structure doesn't directly affect the
> SELinux netfilter hooks, once we remove the ability to deregister the
> LSM hooks we will have no need to support deregistering netfilter
> hooks and I expect we will drop that functionality as well to help
> decrease the risk of tampering."

This is not a reasonable position. The performance implications are non-trivial for using netfilter hooks when they aren't actually needed.
