On 15-10-20 14:32:10, Mimi Zohar wrote: > On Tue, 2015-10-20 at 18:33 +0300, Petko Manolov wrote: > > > > As far as i know there is no concept of write-once to a keyring in the > > kernel. David will correct me if i am wrong. I wonder how hard would it > > be > > to add such functionality, in case it is missing? > > > > Ideally a revoked key should stay in .blacklist until it expire or the > > system is rebooted. > > Keys currently revoked return -EKEYREVOKED for a certain amount of time, > before being garbage collected. Perhaps for trusted keys we could piggy back > on this option, returning -EKEYREVOKED, but prevent them from being garbage > collected?
I need to think about this. Should -EKEYREVOKED be the same as -ENOKEY in this case? I guess the end result is pretty much the same from IMA view point, but there may be a requirement to list all revoked keys... Petko -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html