Re: [PATCH] Crypto_user: Make crypto user API available for all net ns
From: Steffen Klassert
Date: Fri Jul 14 2017 - 00:52:06 EST
On Thu, Jul 13, 2017 at 04:51:10PM +0200, Stephan Müller wrote:
> Am Donnerstag, 13. Juli 2017, 16:22:32 CEST schrieb Christian Langrock:
>
> Hi Christian,
>
> > With this patch it's possible to use crypto user API form all
> > network namespaces, not only form the initial net ns.
>
> Is this wise?
>
> The crypto_user interface allows root users to change settings in the kernel
> with a global scope. For example, you can deregister ciphers, change the prio
> of ciphers and so on. All of that is visible on a global scale and thus should
> not be possible from namespaces, IMHO.
It is possible to use crypto from all namespaces, so would be nice if
it would be possible to choose which algorithm to use. The problem is that
you can change the global crypto configuration from within a namespace
with this. Maybe crypto_alg_list etc. should be namespace aware first,
then each namespace can have its own configuration.