From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753221AbcBIKnt (ORCPT ); Tue, 9 Feb 2016 05:43:49 -0500 Received: from mx1.redhat.com ([209.132.183.28]:54177 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756750AbcBIKml (ORCPT ); Tue, 9 Feb 2016 05:42:41 -0500 Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <1454959682.3037.22.camel@linux.vnet.ibm.com> References: <1454959682.3037.22.camel@linux.vnet.ibm.com> <1454949148.2648.215.camel@linux.vnet.ibm.com> <1454943785.2648.195.camel@linux.vnet.ibm.com> <1454938472.2648.173.camel@linux.vnet.ibm.com> <1453318283.2858.27.camel@linux.vnet.ibm.com> <20160119113026.23238.4498.stgit@warthog.procyon.org.uk> <20160119113041.23238.44728.stgit@warthog.procyon.org.uk> <24522.1454513272@warthog.procyon.org.uk> <25433.1454939711@warthog.procyon.org.uk> <14858.1454946832@warthog.procyon.org.uk> <6781.1454949802@warthog.procyon.org.uk> To: Mimi Zohar Cc: dhowells@redhat.com, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, petkan@mip-labs.com, linux-kernel@vger.kernel.org Subject: Re: How to add additional blacklist entries? MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <2617.1455014559.1@warthog.procyon.org.uk> Date: Tue, 09 Feb 2016 10:42:39 +0000 Message-ID: <2618.1455014559@warthog.procyon.org.uk> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Mimi Zohar wrote: > > You can link from any key you have LINK permission on. Further, add_key() > > can add directly. > > Oh, for some reason I thought the system blacklist keyring was limited > to the new key type with just a description. I was able to add, but > also remove a key from the system blacklist. I guess the KEY_FLAG_KEEP > is not set on the system blacklist. With patch 18 you can. Prior to that it's not possible to modify it from userspace at all. > The keys being added to the IMA keyring are signed x509 certs (eg. > openssl ca -ss_cert). It would be nice to be able to include the skid > in the description, without a payload, and sign that. I have no idea if > that Is possible or if it makes sense. I'm open to suggestions. I think we need a new keyctl or syscall for this. We need to run through the X.509 parser, but we don't actually want to keep any of the payload - and, in fact, we don't even necessarily want to create an asymmetric-type key, though it's not a complete loss if we do that and create one with a blacklist subtype. The blacklist subtype would just return an error from all operation points, but would otherwise be handled as normal. David