Hi David,

On Tue, 2016-01-19 at 11:32 +0000, David Howells wrote:
> @@ -145,10 +165,10 @@ static int __init blacklist_init(void) > current_cred(), > (KEY_POS_ALL & ~KEY_POS_SETATTR) | > KEY_USR_VIEW | KEY_USR_READ | > - KEY_USR_SEARCH, > + KEY_USR_SEARCH | KEY_USR_WRITE, > KEY_ALLOC_NOT_IN_QUOTA | > KEY_FLAG_KEEP, > - NULL, NULL); > + restrict_link_by_system_trusted, NULL);

As discussed, "restrict_link_by_system_trusted" is not enough. The certificate being added should be in a revoked list as well. We should defer this patch until that is possible or at least add a Kconfig option to permit black listing x509 certificates.

Mimi
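
Review bot: The permission mask in blacklist_init() gains KEY_USR_WRITE with no comment saying which writes are now intended, and the only gate on new links is the restrict_link_by_system_trusted callback passed in place of the former NULL. Since this keyring was previously not writable through the user permission class, a short comment above the permission expression stating who may add entries and what the restriction callback is expected to verify would make the new trust boundary reviewable, and a Kconfig guard around the added write bit would keep the old read-only behaviour as the default. Separately, the unchanged context ORs KEY_ALLOC_NOT_IN_QUOTA with KEY_FLAG_KEEP in a single argument; the two constants carry different prefixes, so it is worth confirming that both belong to the same flag namespace while this call is being touched.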