Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

2016-03-08 Thread Mimi Zohar
On Tue, 2016-03-08 at 15:32 +, David Howells wrote:
> Mimi Zohar wrote:
>
> > > The problem boils down to a difficulty in concocting a name that describes a
> > > complex situation that may change depending on the configuration. I can make
> > > it

Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

2016-03-08 Thread David Howells
Mimi Zohar wrote:

> > The problem boils down to a difficulty in concocting a name that describes a
> > complex situation that may change depending on the configuration. I can make
> > it "restrict_link_by_any_system_trusted" if you'd prefer.
> >
> > That's why I

Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

2016-03-08 Thread David Howells
Mimi Zohar wrote:

> > The problem boils down to a difficulty in concocting a name that describes a
> > complex situation that may change depending on the configuration. I can make
> > it "restrict_link_by_any_system_trusted" if you'd prefer.
> >
> > That's why I want "system trusted

Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

2016-03-08 Thread Mimi Zohar
On Tue, 2016-03-08 at 14:43 +, David Howells wrote:
> The problem boils down to a difficulty in concocting a name that describes a
> complex situation that may change depending on the configuration. I can make
> it "restrict_link_by_any_system_trusted" if you'd prefer.
>
> That's why I want

Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

2016-03-08 Thread David Howells
Mimi Zohar wrote:

> Would then restrict_link_to_system_trusted imply both the builtin and
> secondary keyrings or just the builtin keyrings?

Both, if available; just builtin if the secondary is not available.
restrict_link_by_builtin_trusted() does only the builtin.

Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

2016-03-08 Thread David Howells
Mimi Zohar wrote:

> Would then restrict_link_to_system_trusted imply both the builtin and
> secondary keyrings or just the builtin keyrings?

Both, if available; just builtin if the secondary is not available.
restrict_link_by_builtin_trusted() does only the builtin.

> Changing the system

Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

2016-03-08 Thread Mimi Zohar
On Tue, 2016-03-08 at 13:13 +, David Howells wrote:
> Mimi Zohar wrote:
>
> > but we're left with a lot of references to "system_trusted" (eg.
> > restrict_link_to_system_trusted, depends on SYSTEM_TRUSTED_KEYRING
>
> How about I pluralise it to

Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

2016-03-08 Thread Mimi Zohar
On Tue, 2016-03-08 at 13:13 +, David Howells wrote:
> Mimi Zohar wrote:
>
> > but we're left with a lot of references to "system_trusted" (eg.
> > restrict_link_to_system_trusted, depends on SYSTEM_TRUSTED_KEYRING
>
> How about I pluralise it to SYSTEM_TRUSTED_KEYRINGS? The fact that one

Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

2016-03-08 Thread Petko Manolov
On 16-03-08 13:13:59, David Howells wrote:
> Mimi Zohar wrote:
>
> > but we're left with a lot of references to "system_trusted" (eg.
> > restrict_link_to_system_trusted, depends on SYSTEM_TRUSTED_KEYRING
>
> How about I pluralise it to SYSTEM_TRUSTED_KEYRINGS? The

Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

2016-03-08 Thread Petko Manolov
On 16-03-08 13:13:59, David Howells wrote:
> Mimi Zohar wrote:
>
> > but we're left with a lot of references to "system_trusted" (eg.
> > restrict_link_to_system_trusted, depends on SYSTEM_TRUSTED_KEYRING
>
> How about I pluralise it to SYSTEM_TRUSTED_KEYRINGS? The fact that one is
> called

Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

2016-03-08 Thread David Howells
Mimi Zohar wrote:

> but we're left with a lot of references to "system_trusted" (eg.
> restrict_link_to_system_trusted, depends on SYSTEM_TRUSTED_KEYRING

How about I pluralise it to SYSTEM_TRUSTED_KEYRINGS? The fact that one is called builtin and the other secondary

Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

2016-03-08 Thread David Howells
Mimi Zohar wrote:

> but we're left with a lot of references to "system_trusted" (eg.
> restrict_link_to_system_trusted, depends on SYSTEM_TRUSTED_KEYRING

How about I pluralise it to SYSTEM_TRUSTED_KEYRINGS? The fact that one is called builtin and the other secondary doesn't detract from the

Re: [RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

2016-03-07 Thread Mimi Zohar
On Fri, 2016-03-04 at 15:01 +, David Howells wrote:
> Add a secondary system keyring that can be added to by root whilst the
> system is running - provided the key being added is vouched for by a key
> built into the kernel or already added to the secondary keyring.
>
> Rename .system_keyring

[RFC PATCH 11/12] certs: Add a secondary system keyring that can be added to dynamically [ver #2]

2016-03-04 Thread David Howells
Add a secondary system keyring that can be added to by root whilst the system is running - provided the key being added is vouched for by a key built into the kernel or already added to the secondary keyring.

Rename .system_keyring to .builtin_trusted_keys to distinguish it more obviously from
