Mimi Zohar <zo...@linux.vnet.ibm.com> wrote:

> In addition, this patch set removes the IMA blacklist without any method for
> adding blacklisted IMA keys to the system blacklist keyring.

That's not true.  Patch 18 enables userspace to add keys to the system
blacklist keyring, provided those keys are validly signed:

-	KEY_USR_SEARCH,
+	KEY_USR_SEARCH | KEY_USR_WRITE,
 	KEY_ALLOC_NOT_IN_QUOTA | KEY_FLAG_KEEP,
-	NULL, NULL);
+	restrict_link_by_system_trusted, NULL);

After this commit, you can do everything with the system blacklist keyring
that you can currently do with the IMA blacklist keyring.

David
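Review bot: granting KEY_USR_WRITE on the blacklist keyring is broader than the add-only capability described above, because restrict_link_by_system_trusted only vets keys being linked in, while write permission on a keyring is also what the unlink, clear and revoke operations check; the KEY_FLAG_KEEP in the unchanged context line is then the only thing standing between a root process and removing entries. Suggest the commit message spell out which removal paths KEY_FLAG_KEEP blocks for this keyring, and that the restriction accepts only keys signed by a key already in the system trusted keyrings, so reviewers can see that the write bit does not weaken the blacklist.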