Re: [PATCH v4 3/5] LSM: Security module checking for side-channel dangers
From: Jann Horn
Date: Fri Aug 24 2018 - 19:18:07 EST
On Sat, Aug 25, 2018 at 12:42 AM Casey Schaufler
<casey.schaufler@xxxxxxxxx> wrote:
> +config SECURITY_SIDECHANNEL_CAPABILITIES
> + bool "Sidechannel check on capability sets"
> + depends on SECURITY_SIDECHANNEL
> + depends on !SECURITY_SIDECHANNEL_ALWAYS
> + default n
> + select SECURITY_SIDECHANNEL_NAMESPACES if USER_NS
> + help
> + Assume that tasks with different sets of privilege may be
> + subject to side-channel attacks. Potential interactions
> + where the attacker lacks capabilities the attacked has
> + are blocked. Selecting this when user namespaces (USER_NS)
> + are enabled will enable SECURITY_SIDECHANNEL_NAMESPACES.
Thanks!