| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAG48ez0jY6xV+nQdYRy4aT3oH+8FwAM_6MOVFQ3jwYe4Nz+KnA@mail.gmail.com>
Date: Sat, 25 Aug 2018 01:17:37 +0200
From: Jann Horn <jannh@...gle.com>
To: Casey Schaufler <casey.schaufler@...el.com>
Cc: Kernel Hardening <kernel-hardening@...ts.openwall.com>,
kernel list <linux-kernel@...r.kernel.org>,
linux-security-module <linux-security-module@...r.kernel.org>,
selinux@...ho.nsa.gov, Dave Hansen <dave.hansen@...el.com>,
deneen.t.dock@...el.com, kristen@...ux.intel.com,
Arjan van de Ven <arjan@...ux.intel.com>
Subject: Re: [PATCH v4 3/5] LSM: Security module checking for side-channel dangers
On Sat, Aug 25, 2018 at 12:42 AM Casey Schaufler
<casey.schaufler@...el.com> wrote:
> +config SECURITY_SIDECHANNEL_CAPABILITIES
> + bool "Sidechannel check on capability sets"
> + depends on SECURITY_SIDECHANNEL
> + depends on !SECURITY_SIDECHANNEL_ALWAYS
> + default n
> + select SECURITY_SIDECHANNEL_NAMESPACES if USER_NS
> + help
> + Assume that tasks with different sets of privilege may be
> + subject to side-channel attacks. Potential interactions
> + where the attacker lacks capabilities the attacked has
> + are blocked. Selecting this when user namespaces (USER_NS)
> + are enabled will enable SECURITY_SIDECHANNEL_NAMESPACES.
Thanks!
Powered by blists - more mailing lists