[PATCH] xfrm: redact SA secret with lockdown confidentiality

Steffen Klassert steffen.klassert at secunet.com
Sat Oct 31 10:49:11 UTC 2020


On Fri, Oct 16, 2020 at 03:36:12PM +0200, Antony Antony wrote:
> redact XFRM SA secret in the netlink response to xfrm_get_sa()
> or dumpall sa.
> Enable this at build time and set kernel lockdown to confidentiality.

Wouldn't it be better to enable is at boot or runtime? This defaults
to 'No' at build time, so distibutions will not compile it in. That
means that noone who uses a kernel that comes with a Linux distribution
can use that.



More information about the Linux-security-module-archive mailing list