On 15-10-20 14:32:10, Mimi Zohar wrote:
> On Tue, 2015-10-20 at 18:33 +0300, Petko Manolov wrote:
> >
> > As far as i know there is no concept of write-once to a keyring in the
> > kernel. David will correct me if i am wrong. I wonder how hard would it
> > be
> > to add such functionality, in case it is missing?
> >
> > Ideally a revoked key should stay in .blacklist until it expire or the
> > system is rebooted.
>
> Keys currently revoked return -EKEYREVOKED for a certain amount of time,
> before being garbage collected. Perhaps for trusted keys we could piggy back
> on this option, returning -EKEYREVOKED, but prevent them from being garbage
> collected?
I need to think about this. Should -EKEYREVOKED be the same as -ENOKEY in this
case? I guess the end result is pretty much the same from IMA view point, but
there may be a requirement to list all revoked keys...
Petko
--
To unsubscribe from this list: send the line "unsubscribe
linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
