On 15-10-21 11:55:40, David Howells wrote:
> Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
> 
> > > I need to think about this.  Should -EKEYREVOKED be the same as -ENOKEY in
> > > this case?  I guess the end result is pretty much the same from IMA view
> > > point, but there may be a requirement to list all revoked keys...
> > 
> > When checking the blacklist, getting -EKEYREVOKED is definitely different 
> > than -ENOKEY.
> 
> Actually, I misspoke earlier.  Revoked keys are only skipped by the search if 
> a live key is found.  Should all the keys in the blacklist just be revoked so 
> that the search of the list returns either -ENOKEY (no key there) or 
> -EKEYREVOKED (the key is blacklisted)?  That might be getting too 
> over-complicated though.

From IMA point of view both errors have the same effect - the requested 
operation is rejected.  I guess searching the blacklist keyring should return 
-EKEYREVOKED, which properly describes its state.


cheers,
Petko