Subject: Re: [PATCH v5 5/5] sidechannel: Linux Security Module for sidechannel

On Fri, 28 Sep 2018, Jann Horn wrote:
> > so with this hard-coded logic, you are saying this case is
> > 'safe' in a sidechannel context.
> >
> > Which hints at the deeper issue that containers are a userland
> > abstraction. Protection of containers needs to be defined by userland
> > policy.
>
On 9/27/2018 2:45 PM, James Morris wrote:
> On Wed, 26 Sep 2018, Casey Schaufler wrote:
>
>> +/*
>> + * Namespace checks. Considered safe if:
>> + * cgroup namespace is the same
>> + * User namespace is the same
>> + * PID namespace is the same
>> + */
>> +
On Wed, 26 Sep 2018, Casey Schaufler wrote:
> + /*
> + * Namespace checks. Considered safe if:
> + * cgroup namespace is the same
> + * User namespace is the same
> + * PID namespace is the same
> + */
> + if (current->nsproxy)
> + ccgn
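Review bot: only `current->nsproxy` is NULL-checked before the comparison; `nsproxy` is set to NULL when a task passes through exit_task_namespaces(), so the other task's `nsproxy` needs the same guard before its cgroup, user and PID namespaces are read, or a peer that is exiting will be dereferenced through NULL. The "Considered safe if" comment also names only the cgroup, user and PID namespaces; state in the comment why the mount, network, IPC and UTS namespaces are deliberately not part of the test, since a reader will otherwise take the omission for an oversight.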
From: Casey Schaufler
This is a new Linux Security Module (LSM) that checks for
potential sidechannel issues that are not covered in the
ptrace PTRACE_MODE_SCHED option. Namespace differences are
checked in this initial version. Additional checks should
be added when they are determined to be
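
As an added example (not part of the patch or of this thread), here is a userspace C program that performs the same three-namespace comparison from outside the kernel, using the inode identity of /proc/<pid>/ns/{cgroup,user,pid}: two processes share a namespace exactly when those links resolve to the same inode on the same device. The function name same_namespaces, the exit-code convention and the "deny on error" behaviour are this example's own choices; the in-kernel check operates on task->nsproxy, which a userspace program cannot see.

```c
/* Added example: userspace analogue of the sidechannel LSM's namespace
 * check. This is NOT kernel code and NOT from the patch; it compares the
 * cgroup, user and pid namespaces of two processes through /proc/<pid>/ns/*.
 * Names (same_namespaces, ns_inodes) are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The namespaces the patch comment treats as relevant. */
static const char *const ns_names[] = { "cgroup", "user", "pid" };
#define NS_COUNT (sizeof ns_names / sizeof ns_names[0])

/* Collect (device, inode) identity of each namespace link of pid.
 * Returns 0 on success, -1 if any link cannot be stat()ed: the process is
 * gone, /proc is not mounted, or the kernel's ptrace access check refused
 * us (stat() follows the link, which triggers that check). */
static int ns_inodes(pid_t pid, dev_t dev[NS_COUNT], ino_t ino[NS_COUNT])
{
    char path[64];
    struct stat st;

    for (size_t i = 0; i < NS_COUNT; i++) {
        snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)pid, ns_names[i]);
        if (stat(path, &st) != 0)
            return -1;
        dev[i] = st.st_dev;
        ino[i] = st.st_ino;
    }
    return 0;
}

/* 1 if a and b share all three namespaces ("considered safe" in the
 * patch's terms), 0 if any one differs, -1 on error. Like the patch's
 * policy, a single differing namespace is enough to deny; unlike a
 * permissive check, an error is reported rather than treated as "same". */
int same_namespaces(pid_t a, pid_t b)
{
    dev_t da[NS_COUNT], db[NS_COUNT];
    ino_t ia[NS_COUNT], ib[NS_COUNT];

    if (ns_inodes(a, da, ia) != 0 || ns_inodes(b, db, ib) != 0)
        return -1;
    for (size_t i = 0; i < NS_COUNT; i++)
        if (da[i] != db[i] || ia[i] != ib[i])
            return 0;
    return 1;
}

int main(int argc, char **argv)
{
    pid_t self = getpid();
    pid_t other = argc > 1 ? (pid_t)atoi(argv[1]) : 1;  /* default: PID 1 */
    int r = same_namespaces(self, other);

    if (r < 0) {
        perror("namespace check");
        return 2;  /* fail closed: unknown is not "safe" */
    }
    printf("%d and %d %s cgroup/user/pid namespaces\n", (int)self, (int)other,
           r ? "share all" : "do not share all");
    return r ? 0 : 1;
}
```

Run it with a target PID (default 1). stat() on another process's ns links is subject to the same ptrace access check the kernel applies to /proc, so comparing against PID 1 as an unprivileged user usually fails with EACCES; the program reports that as an error instead of treating the pair as "safe", which is the behaviour a sidechannel check should have when it cannot decide.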