Re: [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]

From: David Howells
Date: Mon Feb 08 2016 - 08:55:21 EST


Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> In addition, this patch set removes the IMA blacklist without any method for
> adding blacklisted IMA keys to the system blacklist keyring.

That's not true.

Patch 18 enables userspace to add keys to the system blacklist keyring,
provided those keys are validly signed:

- KEY_USR_SEARCH,
+ KEY_USR_SEARCH | KEY_USR_WRITE,
KEY_ALLOC_NOT_IN_QUOTA |
KEY_FLAG_KEEP,
- NULL, NULL);
+ restrict_link_by_system_trusted, NULL);
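Review bot: adding `KEY_USR_WRITE` on the first `+` line is only acceptable because the `restrict_link_by_system_trusted` hook on the last `+` line gates every link into the keyring, so the commit message should state that dependency explicitly (write access is being opened up and the restriction function is the sole check on what lands in the blacklist) rather than leaving the reader to infer it from the two `+` lines. The fragment as quoted also carries no `@@` header or surrounding context, so it is not visible which allocation call these permission and restriction arguments belong to; quoting the full hunk would make the review self-contained.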

After this commit, you can do everything with the system blacklist keyring
that you can currently do with the IMA blacklist keyring.

David