On Sun, May 10, 2020 at 11:53:00PM +0100, Alexander Nasonov wrote: > Taylor R Campbell wrote: > > Log Message: > > Implement swap encryption. > > > > Enabled by sysctl -w vm.swap_encrypt=1. > > If secmodel_securelevel(9) is still a thing, locking down this sysctl > at high securelevel may improve our security. Prior to this change, > swap devices were readable (even if enrypted with cgd). With this > sysctl set to 1, all new swap devices will be encrypted, the only > thing to worry about is if it's set back to 0 on a compromised host.
Well, the ability to turn it off should be locked down. Enabling it for securelevel>0 seems fine? Joerg
