On Tue, 2015-10-20 at 21:42 +0300, Petko Manolov wrote: > On 15-10-20 14:32:10, Mimi Zohar wrote: > > On Tue, 2015-10-20 at 18:33 +0300, Petko Manolov wrote: > > > > > > As far as i know there is no concept of write-once to a keyring in the > > > kernel. David will correct me if i am wrong. I wonder how hard would it > > > be > > > to add such functionality, in case it is missing? > > > > > > Ideally a revoked key should stay in .blacklist until it expire or the > > > system is rebooted. > > > > Keys currently revoked return -EKEYREVOKED for a certain amount of time, > > before being garbage collected. Perhaps for trusted keys we could piggy > > back > > on this option, returning -EKEYREVOKED, but prevent them from being garbage > > collected? > > I need to think about this. Should -EKEYREVOKED be the same as -ENOKEY in > this > case? I guess the end result is pretty much the same from IMA view point, > but > there may be a requirement to list all revoked keys...
When checking the blacklist, getting -EKEYREVOKED is definitely different than -ENOKEY. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html