Re: [PATCH] Crypto_user: Make crypto user API available for all net ns

From: Steffen Klassert
Date: Fri Jul 14 2017 - 00:52:06 EST


On Thu, Jul 13, 2017 at 04:51:10PM +0200, Stephan Müller wrote:
> On Thursday, 13 July 2017, 16:22:32 CEST, Christian Langrock wrote:
>
> Hi Christian,
>
> > With this patch it's possible to use crypto user API from all
> > network namespaces, not only from the initial net ns.
>
> Is this wise?
>
> The crypto_user interface allows root users to change settings in the kernel
> with a global scope. For example, you can deregister ciphers, change the prio
> of ciphers and so on. All of that is visible on a global scale and thus should
> not be possible from namespaces, IMHO.

It is possible to use crypto from all namespaces, so it would be nice if
it would be possible to choose which algorithm to use. The problem is that
you can change the global crypto configuration from within a namespace
with this. Maybe crypto_alg_list etc. should be namespace aware first,
then each namespace can have its own configuration.