Re: [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]
From: David Howells
Date: Mon Feb 08 2016 - 08:55:21 EST
Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> In addition, this patch set removes the IMA blacklist without any method for
> adding blacklisted IMA keys to the system blacklist keyring.

That's not true.

Patch 18 enables userspace to add keys to the system blacklist keyring,
provided those keys are validly signed:
- KEY_USR_SEARCH,
+ KEY_USR_SEARCH | KEY_USR_WRITE,
KEY_ALLOC_NOT_IN_QUOTA |
KEY_FLAG_KEEP,
- NULL, NULL);
+ restrict_link_by_system_trusted, NULL);
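Review bot: the two changes in this hunk only make sense together, and the hunk does not say so: adding KEY_USR_WRITE on the first changed line opens the keyring to userspace writes, and it is only the replacement of the NULL restriction with restrict_link_by_system_trusted on the last changed line that confines those writes to keys validly signed by the system trusted keyring. A comment next to the permission mask (or a sentence in the commit message) should state that KEY_USR_WRITE must never be granted on this keyring without the restriction function in place, so that a later change cannot drop one without the other. Also, the hunk is quoted without its `@@` header or surrounding context, so the keyring allocation call being modified is not visible; including the enclosing call would make the review self-contained.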
After this commit, you can do everything with the system blacklist keyring
that you can currently do with the IMA blacklist keyring.

David