Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:

> Thinking about the blacklist keyring some more...

Are we talking about a blacklist keyring that userspace can use - or can it be only usable by the kernel?

> My concern is more that keys can be added and removed at run time from
> either of the .ima or the ima_mok keyrings. The need for a blacklist
> keyring is to prevent the key from being removed and at a later point
> re-added. Unfortunately, keys can be added and removed similarly from the
> blacklist keyring as well. Unless keys can be added, without the ability of
> removing them, I'm not sure of the benefit of a blacklist keyring. I assume
> adding and removing keys requires the same write privilege.

The operations that modify the contents of a keyring in some way (link, unlink, clear) all operate under Write privilege.

That said, we could add a flag that suppresses unlink and clear on a keyring. This could also suppress garbage collection of revoked and invalidated keys. Note, however, that keyring searches also skip revoked and invalidated keys, so that would also need dealing with.

> (We previously resolved the problem of keyrings being removed by
> userspace, even by a privileged user, by dot prefixing the keyrings.)

That doesn't stop keys being addressed directly for invalidation and revocation, but you can probably manage that with permissions.

David