On Wed, 2015-10-21 at 11:55 +0100, David Howells wrote:
> Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:
>
> > > I need to think about this. Should -EKEYREVOKED be the same as -ENOKEY in
> > > this case? I guess the end result is pretty much the same from IMA view
> > > point, but there may be a requirement to list all revoked keys...
> >
> > When checking the blacklist, getting -EKEYREVOKED is definitely
> > different than -ENOKEY.
>
> Actually, I misspoke earlier. Revoked keys are only skipped by the search if
> a live key is found. Should all the keys in the blacklist just be revoked so
> that the search of the list returns either -ENOKEY (no key there) or
> -EKEYREVOKED (the key is blacklisted)? That might be getting too
> over-complicated though.

Right, your suggestion of adding a new flag on the keyring itself is definitely preferable.

Mimi