Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAG48ez0jY6xV+nQdYRy4aT3oH+8FwAM_6MOVFQ3jwYe4Nz+KnA@mail.gmail.com>
Date: Sat, 25 Aug 2018 01:17:37 +0200
From: Jann Horn <jannh@...gle.com>
To: Casey Schaufler <casey.schaufler@...el.com>
Cc: Kernel Hardening <kernel-hardening@...ts.openwall.com>, 
	kernel list <linux-kernel@...r.kernel.org>, 
	linux-security-module <linux-security-module@...r.kernel.org>, selinux@...ho.nsa.gov, 
	Dave Hansen <dave.hansen@...el.com>, deneen.t.dock@...el.com, kristen@...ux.intel.com, 
	Arjan van de Ven <arjan@...ux.intel.com>
Subject: Re: [PATCH v4 3/5] LSM: Security module checking for side-channel dangers

On Sat, Aug 25, 2018 at 12:42 AM Casey Schaufler
<casey.schaufler@...el.com> wrote:
> +config SECURITY_SIDECHANNEL_CAPABILITIES
> +       bool "Sidechannel check on capability sets"
> +       depends on SECURITY_SIDECHANNEL
> +       depends on !SECURITY_SIDECHANNEL_ALWAYS
> +       default n
> +       select SECURITY_SIDECHANNEL_NAMESPACES if USER_NS
> +       help
> +         Assume that tasks with different sets of privilege may be
> +         subject to side-channel attacks. Potential interactions
> +         where the attacker lacks capabilities the attacked has
> +         are blocked. Selecting this when user namespaces (USER_NS)
> +         are enabled will enable SECURITY_SIDECHANNEL_NAMESPACES.

Thanks!

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.