Date: Sun, 8 Dec 2019 06:36:40 +0000 From: Patrick Schleizer <adrelanos@...eup.net> To: lkrg-users@...ts.openwall.com Subject: Re: bug: LKRG kills VirtualBox host VMs Solar Designer: > As to your concerns on having an extra security-sensitive flag, we > already have some other sysctl's that also affect LKRG in > security-relevant ways. I think we need to come up with a common > approach and framework for protecting all of those flags from easy > one-shot overwrites or/and making such overwrites ineffective (read-only > pages or/and checking against a keyed hash or redundant copies), and > use it for all of LKRG's security-sensitive rarely-changing variables. > > Right now, LKRG's approach to these issues is inconsistent: some > settings are security-sensitive yet runtime configurable, and some > others are compile-time only. We need to make LKRG consistent. Maybe a single call "sudo sysctl -w lkrg.fuse=1" could make all LKRG settings ready-only until reboot? Before that, all settings are read/write? I am also looking for a sysctl command to fuse all (not only LKRG) sysctl settings, but I don't know if that would be overreaching LKRG's scope. (Similar to linux "lockdown" feature.) Kind regards, Patrick
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.