Jan Lübbe <j...@pengutronix.de> wrote:

> ... But at this point, you can still do 'keyctl read' on that key, exposing
> the key material to user space.

I wonder if it would help to provide a keyctl function to mark a key as being
permanently unreadable - so that it overrides the READ permission bit.

Alternatively, you can disable READ and SETATTR permission - but that then
prevents you from removing other perms if you want to :-/

David
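The trade-off David describes, as an added example that is not part of the thread and not kernel code: a small Python model of the keyrings permission check (the byte-per-class mask from <keyutils.h>, the identity/possessor selection of security/keys/permission.c, and the owner-or-CAP_SYS_ADMIN rule of keyctl_setperm_key), simplified to a single key with no keyring search and no key-type read hook. The key, credentials and payload are constructed; the serial number and uids are arbitrary. It walks through both options: dropping READ alone leaves SETATTR, so the same caller can put READ back; dropping READ and SETATTR makes the key unreadable but also freezes the mask, so even a later tightening is refused.

```python
"""Model of Linux keyrings permission handling (illustrative, not kernel code)."""
import errno
from dataclasses import dataclass

# Per-class permission bits as in <keyutils.h>. The 32-bit mask holds four
# bytes: possessor (bits 24-31), user (16-23), group (8-15), other (0-7).
VIEW, READ, WRITE, SEARCH, LINK, SETATTR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = 0x3F
POS_SHIFT, USR_SHIFT, GRP_SHIFT, OTH_SHIFT = 24, 16, 8, 0
EACCES = errno.EACCES  # 13 on Linux


def perm_mask(pos=0, usr=0, grp=0, oth=0):
    """Assemble a mask the way keyctl setperm takes it (e.g. 0x3f010000)."""
    return (pos << POS_SHIFT) | (usr << USR_SHIFT) | (grp << GRP_SHIFT) | (oth << OTH_SHIFT)


@dataclass
class Key:          # constructed stand-in for struct key
    serial: int
    uid: int
    gid: int
    perm: int
    payload: bytes


@dataclass
class Cred:         # constructed stand-in for struct cred
    fsuid: int
    fsgid: int
    groups: frozenset = frozenset()
    cap_sys_admin: bool = False


def key_task_permission(key, cred, possessed, need):
    """Mirror key_task_permission(): pick the byte for the caller's identity
    (owner -> user byte, group member -> group byte, else other byte), OR in
    the possessor byte if the caller possesses the key, and require every bit
    in `need`. There is no capability override in this check."""
    if key.uid == cred.fsuid:
        kperm = key.perm >> USR_SHIFT
    elif key.gid == cred.fsgid or key.gid in cred.groups:
        kperm = key.perm >> GRP_SHIFT
    else:
        kperm = key.perm >> OTH_SHIFT
    if possessed:
        kperm |= key.perm >> POS_SHIFT
    return (kperm & need & ALL) == need


def keyctl_read(key, cred, possessed):
    """'keyctl read': needs READ, then returns the payload to user space."""
    if not key_task_permission(key, cred, possessed, READ):
        return -EACCES
    return key.payload


def keyctl_setperm(key, cred, possessed, perm):
    """'keyctl setperm': needs SETATTR, and the caller must own the key or
    hold CAP_SYS_ADMIN (checked after the permission bits, as in the kernel)."""
    if perm & ~perm_mask(ALL, ALL, ALL, ALL):
        return -errno.EINVAL
    if not key_task_permission(key, cred, possessed, SETATTR):
        return -EACCES
    if not (cred.cap_sys_admin or key.uid == cred.fsuid):
        return -EACCES
    key.perm = perm
    return 0


def demo():
    """Walk through the two options from the mail; returns the step results
    and the final mask so they can be checked."""
    owner = Cred(fsuid=1000, fsgid=1000)
    root = Cred(fsuid=0, fsgid=0, cap_sys_admin=True)
    # Default mask key_alloc() gives a freshly added "user" key: possessor gets
    # everything, owner only VIEW, i.e. 3f010000 as shown in /proc/keys.
    key = Key(serial=123, uid=1000, gid=1000,
              perm=perm_mask(pos=ALL, usr=VIEW), payload=b"constructed secret")
    steps = {}
    steps["read_default"] = keyctl_read(key, owner, True)
    # Option 1: drop READ only. Unreadable now, but SETATTR survives, so the
    # same possessor can simply re-enable READ and read the material again.
    keyctl_setperm(key, owner, True, perm_mask(pos=ALL & ~READ, usr=VIEW))
    steps["read_after_drop_read"] = keyctl_read(key, owner, True)
    steps["restore_read"] = keyctl_setperm(key, owner, True, perm_mask(pos=ALL, usr=VIEW))
    steps["read_after_restore"] = keyctl_read(key, owner, True)
    # Option 2: drop READ and SETATTR. Unreadable, and the mask is frozen:
    # neither the owner nor root can change it again, not even to tighten it.
    keyctl_setperm(key, owner, True, perm_mask(pos=ALL & ~(READ | SETATTR), usr=VIEW))
    steps["read_locked"] = keyctl_read(key, owner, True)
    steps["owner_tighten_locked"] = keyctl_setperm(key, owner, True, perm_mask(pos=VIEW, usr=VIEW))
    steps["root_tighten_locked"] = keyctl_setperm(key, root, True, perm_mask(pos=VIEW, usr=VIEW))
    return steps, key.perm


if __name__ == "__main__":
    results, final_perm = demo()
    for name, value in results.items():
        print(f"{name:24s} -> {value!r}")
    print(f"final perm mask         -> {final_perm:08x}")
```

The final mask in the walkthrough is 1d010000 (possessor 0x3f with READ 0x02 and SETATTR 0x20 cleared). Against a real kernel the same sequence is `keyctl add user k secret @s`, `keyctl setperm <id> 0x1d010000`, then `keyctl read <id>` and any further `keyctl setperm` both fail with Permission denied; the model only reproduces the mask arithmetic and the order of the two checks, not keyring search or key-type specifics.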