Message-ID: <20170714045123.GO2631@secunet.com>
Date:   Fri, 14 Jul 2017 06:51:23 +0200
From:   Steffen Klassert <steffen.klassert@...unet.com>
To:     Stephan Müller <smueller@...onox.de>
CC:     Christian Langrock <christian.langrock@...unet.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>,
        <linux-crypto@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] Crypto_user: Make crypto user API available for all net ns

On Thu, Jul 13, 2017 at 04:51:10PM +0200, Stephan Müller wrote:
> On Thursday, 13 July 2017, 16:22:32 CEST, Christian Langrock wrote:
> 
> Hi Christian,
> 
> > With this patch it's possible to use crypto user API from all
> > network namespaces, not only from the initial net ns.
> 
> Is this wise?
> 
> The crypto_user interface allows root users to change settings in the kernel 
> with a global scope. For example, you can deregister ciphers, change the prio 
> of ciphers and so on. All of that is visible on a global scale and thus should 
> not be possible from namespaces, IMHO.

It is possible to use crypto from all namespaces, so it would be nice if
it would be possible to choose which algorithm to use. The problem is that
you can change the global crypto configuration from within a namespace
with this. Maybe crypto_alg_list etc. should be namespace aware first,
then each namespace can have its own configuration.
