From: Steffen Klassert <steffen.klassert@secunet.com>
To: "Stephan Müller" <smueller@chronox.de>
Cc: Christian Langrock <christian.langrock@secunet.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	<linux-crypto@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] Crypto_user: Make crypto user API available for all net ns
Date: Fri, 14 Jul 2017 06:51:23 +0200
Message-ID: <20170714045123.GO2631@secunet.com>
In-Reply-To: <2290757.F5Nm8BLmaV@tauon.chronox.de>

On Thu, Jul 13, 2017 at 04:51:10PM +0200, Stephan Müller wrote:
> On Thursday, 13 July 2017, 16:22:32 CEST, Christian Langrock wrote:
> 
> Hi Christian,
> 
> > With this patch it's possible to use crypto user API from all
> > network namespaces, not only from the initial net ns.
> 
> Is this wise?
> 
> The crypto_user interface allows root users to change settings in the kernel 
> with a global scope. For example, you can deregister ciphers, change the prio 
> of ciphers and so on. All of that is visible on a global scale and thus should 
> not be possible from namespaces, IMHO.

It is possible to use crypto from all namespaces, so it would be nice if
it were possible to choose which algorithm to use. The problem is that
you can change the global crypto configuration from within a namespace
with this. Maybe crypto_alg_list etc. should be namespace aware first,
then each namespace can have its own configuration.
