Subject: Re: listing all active CGD devices?
To: Curt Sampson <cjs@cynic.net>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-security
Date: 01/03/2007 20:48:57
On Thu, 4 Jan 2007 10:19:00 +0900 (JST)
Curt Sampson <cjs@cynic.net> wrote:

> On Wed, 13 Dec 2006, Steven M. Bellovin wrote:
> > Is there any way to list all active cgd devices?  I want to add
> > code /etc/apm/suspend to cgdconfig all such devices....
> Just out of curiosity, what are you going to do to them?
> The suspend thing has been an issue I've been grappling with for a
> while. Eventually, I ended up taking the debugger out of the kernel,
> running xlock on suspend, and running shutdown with a two minute
> timeout on wakeup. (The idea is that that limits the amount of time
> an attacker has to get to the contents of memory before it goes away.)

My tentative thought is to do 'umount -f' and 'cgdconfig -U'.  The
two-minute shutdown after resume is intriguing.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
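A suspend hook along the lines Steve describes (force-unmount, then unconfigure every active cgd device), added here as an illustration and not code from the thread. It assumes that configured cgd devices appear in `sysctl -n hw.disknames` and that mount(8) prints lines like `/dev/cgd0a on /home type ffs (local)`; the sample mount output is constructed.

```shell
#!/bin/sh
# Added example in the spirit of Steve's plan for /etc/apm/suspend:
# tear down every active cgd device before the machine sleeps.
# Assumptions (not stated in the thread): configured cgd devices show up
# in `sysctl -n hw.disknames`, and mount(8) prints lines of the form
# "/dev/cgd0a on /home type ffs (local)".

# Print the cgd device names (cgd0, cgd1, ...) found in a hw.disknames list.
cgd_devices() {
    for d in $1; do
        case "$d" in
        cgd[0-9]*) echo "$d" ;;
        esac
    done
}

# Read mount(8) output on stdin; print the mount points backed by the
# given cgd device, deepest path first so nested mounts unmount cleanly.
cgd_mountpoints() {
    awk -v dev="/dev/$1" '$1 ~ ("^" dev "[a-p]?$") && $2 == "on" { print $3 }' | sort -r
}

# Force-unmount each filesystem on each cgd device, then unconfigure the
# device itself (cgdconfig -u takes one device; -U only covers cgd.conf).
suspend_cgd() {
    for dev in $(cgd_devices "$(sysctl -n hw.disknames)"); do
        for mp in $(mount | cgd_mountpoints "$dev"); do
            umount -f "$mp" || logger -t suspend "umount -f $mp failed"
        done
        cgdconfig -u "$dev" || logger -t suspend "cgdconfig -u $dev failed"
    done
}

# Constructed sample of mount(8) output, used only to exercise the parser.
SAMPLE_MOUNT='/dev/wd0a on / type ffs (local)
/dev/cgd0a on /home type ffs (local)
/dev/cgd0e on /home/smb/private type ffs (local)
/dev/cgd1a on /var type ffs (local)
kernfs on /kern type kernfs (local)'

# Run the real teardown only when invoked as "suspend"; otherwise show
# which mount points the parser would select for cgd0 from the sample.
case "$1" in
suspend) suspend_cgd ;;
*) printf '%s\n' "$SAMPLE_MOUNT" | cgd_mountpoints cgd0 ;;
esac
```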