Petko Manolov <pet...@mip-labs.com> wrote:

> As far as I know there is no concept of write-once to a keyring in the
> kernel.  David will correct me if i am wrong.  I wonder how hard would it be
> to add such functionality, in case it is missing?

Not hard, particularly if it's only an attribute that the kernel can set.

> Ideally a revoked key should stay in .blacklist until it expires or the
> system is rebooted.

That's not quite sufficient.  Search would also need to be modified otherwise
the revoked key would be skipped.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
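The two points in the exchange above (a write-once attribute on a keyring being a simple check at link time, and a search that by default skips revoked keys and so would miss a revoked entry kept in .blacklist) can be shown with a small stand-alone model. This is an added illustration, not kernel code and not from either poster; the struct layout, the KEYRING_FLAG_WRITE_ONCE attribute and the SEARCH_INCLUDE_REVOKED search flag are assumed names for the sake of the example, and the keyring contents are constructed inline.

```c
/* Illustrative model of keyring linking and search, NOT the kernel's code.
 * It shows (a) a write-once keyring attribute enforced at link time and
 * (b) why a search that skips revoked keys must be given a different mode
 * to find revoked entries kept in a blacklist keyring. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#ifndef EKEYREVOKED
#define EKEYREVOKED 128          /* Linux value; defined here for portability */
#endif

#define MAX_KEYS 8
#define KEY_FLAG_REVOKED         0x1
#define KEYRING_FLAG_WRITE_ONCE  0x1  /* assumed name for the attribute discussed */
#define SEARCH_INCLUDE_REVOKED   0x1  /* assumed name for a modified search mode */

struct key {
    const char *description;
    unsigned flags;
};

struct keyring {
    unsigned flags;
    size_t nr_keys;
    struct key keys[MAX_KEYS];
};

/* Link a key into a keyring; a write-once keyring rejects further links.
 * Returns 0 on success or a negative errno. */
int keyring_link(struct keyring *kr, const char *description)
{
    if (kr->flags & KEYRING_FLAG_WRITE_ONCE)
        return -EPERM;
    if (kr->nr_keys >= MAX_KEYS)
        return -ENFILE;
    kr->keys[kr->nr_keys].description = description;
    kr->keys[kr->nr_keys].flags = 0;
    kr->nr_keys++;
    return 0;
}

/* Set the write-once attribute; in the model only the "kernel" side calls this. */
void keyring_set_write_once(struct keyring *kr)
{
    kr->flags |= KEYRING_FLAG_WRITE_ONCE;
}

/* Mark a linked key as revoked without unlinking it. */
int key_revoke(struct keyring *kr, const char *description)
{
    for (size_t i = 0; i < kr->nr_keys; i++) {
        if (strcmp(kr->keys[i].description, description) == 0) {
            kr->keys[i].flags |= KEY_FLAG_REVOKED;
            return 0;
        }
    }
    return -ENOKEY;
}

/* Search by description.  Default mode: a revoked match is skipped and the
 * search remembers -EKEYREVOKED in case no live match turns up.  With
 * SEARCH_INCLUDE_REVOKED a revoked key is returned as a match, which is what
 * a blacklist lookup would need. */
int keyring_search(const struct keyring *kr, const char *description,
                   unsigned search_flags, const struct key **out)
{
    int ret = -ENOKEY;
    for (size_t i = 0; i < kr->nr_keys; i++) {
        const struct key *k = &kr->keys[i];
        if (strcmp(k->description, description) != 0)
            continue;
        if ((k->flags & KEY_FLAG_REVOKED) &&
            !(search_flags & SEARCH_INCLUDE_REVOKED)) {
            ret = -EKEYREVOKED;  /* noted, but keep looking for a live key */
            continue;
        }
        *out = k;
        return 0;
    }
    return ret;
}

int main(void)
{
    struct keyring blacklist = {0};
    const struct key *k = NULL;

    keyring_link(&blacklist, "tbs:deadbeef");      /* constructed sample entry */
    keyring_set_write_once(&blacklist);
    printf("link after write-once: %d\n", keyring_link(&blacklist, "tbs:cafe"));
    key_revoke(&blacklist, "tbs:deadbeef");
    printf("default search: %d\n", keyring_search(&blacklist, "tbs:deadbeef", 0, &k));
    printf("include-revoked search: %d\n",
           keyring_search(&blacklist, "tbs:deadbeef", SEARCH_INCLUDE_REVOKED, &k));
    return 0;
}
```

The default search path is the behaviour the reply warns about: once the entry is revoked, the lookup reports -EKEYREVOKED rather than returning it, so a blacklist consumer that relies on the default mode would treat the hash as not listed. The modified mode is the extra change the reply says would be needed alongside keeping the key linked.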