[PATCH] xfrm: redact SA secret with lockdown confidentiality
Antony Antony
antony.antony at secunet.com
Tue Nov 17 16:46:07 UTC 2020
On Sat, Oct 31, 2020 at 11:49:11 +0100, Steffen Klassert wrote:
> On Fri, Oct 16, 2020 at 03:36:12PM +0200, Antony Antony wrote:
> > redact XFRM SA secret in the netlink response to xfrm_get_sa()
> > or dumpall sa.
> > Enable this at build time and set kernel lockdown to confidentiality.
>
> Wouldn't it be better to enable is at boot or runtime? This defaults
> to 'No' at build time, so distibutions will not compile it in. That
> means that noone who uses a kernel that comes with a Linux distribution
> can use that.
It is a good idea. I will send new version soon.
thanks,
-antony
More information about the Linux-security-module-archive
mailing list