Re: [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]

From: David Howells
Date: Mon Feb 08 2016 - 08:55:21 EST

Next message: Tomas Henzl: "Re: [mpt3sas driver 07/10] mpt3sas: Add support for configurable Chain Frame Size"
Previous message: Guenter Roeck: "Re: [PATCH v2] watchdog: w83627hf: Added NCT6102D support."
In reply to: Mimi Zohar: "Re: [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]"
Next in thread: Mimi Zohar: "Re: [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> In addition, this patch set removes the IMA blacklist without any method for
> adding blacklisted IMA keys to the system blacklist keyring.

That's not true.

Patch 18 enables userspace to add keys to the system blacklist keyring,
provided those keys are validly signed:

- KEY_USR_SEARCH,
+ KEY_USR_SEARCH | KEY_USR_WRITE,
KEY_ALLOC_NOT_IN_QUOTA |
KEY_FLAG_KEEP,
- NULL, NULL);
+ restrict_link_by_system_trusted, NULL);

After this commit, you can do everything with the system blacklist keyring
that you can currently do with the IMA blacklist keyring.

David

Next message: Tomas Henzl: "Re: [mpt3sas driver 07/10] mpt3sas: Add support for configurable Chain Frame Size"
Previous message: Guenter Roeck: "Re: [PATCH v2] watchdog: w83627hf: Added NCT6102D support."
In reply to: Mimi Zohar: "Re: [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]"
Next in thread: Mimi Zohar: "Re: [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]