[PATCH v4 3/5] LSM: Security module checking for side-channel dangers
Jann Horn
jannh at google.com
Fri Aug 24 23:17:37 UTC 2018
On Sat, Aug 25, 2018 at 12:42 AM Casey Schaufler
<casey.schaufler at intel.com> wrote:
> +config SECURITY_SIDECHANNEL_CAPABILITIES
> + bool "Sidechannel check on capability sets"
> + depends on SECURITY_SIDECHANNEL
> + depends on !SECURITY_SIDECHANNEL_ALWAYS
> + default n
> + select SECURITY_SIDECHANNEL_NAMESPACES if USER_NS
> + help
> + Assume that tasks with different sets of privilege may be
> + subject to side-channel attacks. Potential interactions
> + where the attacker lacks capabilities the attacked has
> + are blocked. Selecting this when user namespaces (USER_NS)
> + are enabled will enable SECURITY_SIDECHANNEL_NAMESPACES.
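Review bot: The help text for SECURITY_SIDECHANNEL_CAPABILITIES does not say which capability set is compared (effective, permitted, or another) when it states that interactions "where the attacker lacks capabilities the attacked has" are blocked, and it does not state why SECURITY_SIDECHANNEL_NAMESPACES has to be selected when USER_NS is enabled. One sentence on each would let someone configuring the kernel predict what gets blocked. "the attacked" would read more clearly as "the target task". The "default n" line can be dropped, since n is already the default for a bool symbol.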
Thanks!