Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:

> > I need to think about this. Should -EKEYREVOKED be the same as -ENOKEY in
> > this case? I guess the end result is pretty much the same from IMA view
> > point, but there may be a requirement to list all revoked keys...
>
> When checking the blacklist, getting -EKEYREVOKED is definitely
> different than -ENOKEY.

Actually, I misspoke earlier. Revoked keys are only skipped by the search if
a live key is found.

Should all the keys in the blacklist just be revoked so that the search of the
list returns either -ENOKEY (no key there) or -EKEYREVOKED (the key is
blacklisted)? That might be getting too over-complicated though.

David