Date:	Mon, 08 Feb 2016 10:03:05 -0500
From:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
To:	David Howells <dhowells@...hat.com>
Cc:	linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
	petkan@...-labs.com, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH 02/20] KEYS: Add a system blacklist keyring [ver #2]

On Mon, 2016-02-08 at 13:55 +0000, David Howells wrote:
> Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:
> 
> > In addition, this patch set removes the IMA blacklist without any method for
> > adding blacklisted IMA keys to the system blacklist keyring.
> 
> That's not true.
> 
> Patch 18 enables userspace to add keys to the system blacklist keyring,
> provided those keys are validly signed:
> 
> -			      KEY_USR_SEARCH,
> +			      KEY_USR_SEARCH | KEY_USR_WRITE,
>  			      KEY_ALLOC_NOT_IN_QUOTA |
>  			      KEY_FLAG_KEEP,
> -			      NULL, NULL);
> +			      restrict_link_by_system_trusted, NULL);
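Review bot: the hunk widens the blacklist keyring's permissions to KEY_USR_WRITE and leaves restrict_link_by_system_trusted as the only gate on what userspace can link into it, so the commit message should state plainly that an entry can only be added when it carries a signature verifiable against the system trusted keyring; an unsigned hash has no path in, which is the gap the reply below raises for keys already on the IMA keyring. A comment beside the call, e.g. `/* userspace may add entries, but only ones signed by a system-trusted key */`, would make the pairing of KEY_USR_WRITE with the restriction explicit for the next reader.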
> 
> After this commit, you can do everything with the system blacklist keyring
> that you can currently do with the IMA blacklist keyring.

Right, this patch makes the system blacklist keyring writable by
userspace and removes the IMA blacklist.  What I don't understand is how
to add a key that is currently on the IMA keyring to the system
blacklist? 

With the IMA blacklist, the same certificate that was added to the IMA
keyring could be added to the blacklist. (Probably not the best idea.)

The system blacklist currently only supports the TBSCertificate hash,
not the key-id.  I have the signed certificate being added to the IMA
keyring.  I'm missing the step of getting the TBSCertificate hash based
on the certificate.

Mimi
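The missing step Mimi asks about, deriving the TBSCertificate hash from a certificate, is mechanical DER work: an X.509 certificate is SEQUENCE { tbsCertificate, signatureAlgorithm, signature }, and the blacklist entry is a hash over the first of those three elements. The script below is an added example for this thread, not code from the patch set or from the kernel tree. It walks the outer SEQUENCE, cuts out the tbsCertificate TLV (header included, which is how the kernel's X.509 parser delimits it in mainline; assumed, not stated on this page) and hashes it. The sample certificate is a constructed dummy whose tbsCertificate body is filler, not a real X.509 encoding, and the `tbs:<hex>` description format is the one later mainline blacklist code uses, assumed here for this RFC revision.

```python
"""Extract and hash the TBSCertificate of a DER-encoded X.509 certificate.

Added example for the keyring blacklist discussion; not part of the patch set.
"""
import hashlib

SEQUENCE = 0x30
INTEGER = 0x02
BIT_STRING = 0x03
OCTET_STRING = 0x04
OID = 0x06
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV, switching to long-form length at 128 bytes."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content


def der_read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content_start, content_end) for the TLV at buf[pos].

    Rejects truncated input, indefinite lengths and absurd length widths so a
    malformed blob raises instead of hashing the wrong bytes.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not used in X.509")
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized DER length")
        if pos + 2 + nbytes > len(buf):
            raise ValueError("truncated DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    end = start + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, start, end


def tbs_certificate(cert_der: bytes) -> bytes:
    """Return the tbsCertificate TLV (tag + length + value) of a certificate."""
    tag, start, end = der_read_tlv(cert_der, 0)
    if tag != SEQUENCE or end != len(cert_der):
        raise ValueError("certificate is not a single DER SEQUENCE")
    inner_tag, _, inner_end = der_read_tlv(cert_der, start)
    if inner_tag != SEQUENCE:
        raise ValueError("tbsCertificate must be a SEQUENCE")
    # Hash the element as it sits on the wire, header included.
    return cert_der[start:inner_end]


def tbs_hash_hex(cert_der: bytes, algo: str = "sha256") -> str:
    """Hex digest of the tbsCertificate, the value a blacklist entry carries."""
    return hashlib.new(algo, tbs_certificate(cert_der)).hexdigest()


def blacklist_description(cert_der: bytes) -> str:
    """Key description in the assumed 'tbs:<hex>' form."""
    return "tbs:" + tbs_hash_hex(cert_der)


def build_sample_cert() -> bytes:
    """Constructed dummy certificate; the tbs body is filler, not valid X.509."""
    tbs = der_encode(SEQUENCE,
        der_encode(0xA0, der_encode(INTEGER, b"\x02"))        # [0] version v3
        + der_encode(INTEGER, b"\x01\x23\x45")                  # serialNumber
        + der_encode(SEQUENCE, der_encode(OID, SHA256_WITH_RSA))  # signature alg
        + der_encode(OCTET_STRING, b"\x00" * 300))             # filler, forces long-form length
    sig_alg = der_encode(SEQUENCE, der_encode(OID, SHA256_WITH_RSA))
    sig = der_encode(BIT_STRING, b"\x00" + b"\x55" * 64)       # dummy signature bits
    return der_encode(SEQUENCE, tbs + sig_alg + sig)


if __name__ == "__main__":
    cert = build_sample_cert()
    print(blacklist_description(cert))
```

On a real certificate file, read the DER bytes (convert from PEM first with `openssl x509 -outform DER` if needed) and pass them to `blacklist_description`; the digest algorithm must match the one the kernel uses when it hashes the TBSCertificate at verification time, otherwise the lookup never matches and the certificate is not blocked.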
