| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2618.1455014559@warthog.procyon.org.uk> Date: Tue, 09 Feb 2016 10:42:39 +0000 From: David Howells <dhowells@...hat.com> To: Mimi Zohar <zohar@...ux.vnet.ibm.com> Cc: dhowells@...hat.com, linux-security-module@...r.kernel.org, keyrings@...r.kernel.org, petkan@...-labs.com, linux-kernel@...r.kernel.org Subject: Re: How to add additional blacklist entries? Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote: > > You can link from any key you have LINK permission on. Further, add_key() > > can add directly. > > Oh, for some reason I thought the system blacklist keyring was limited > to the new key type with just a description. I was able to add, but > also remove a key from the system blacklist. I guess the KEY_FLAG_KEEP > is not set on the system blacklist. With patch 18 you can. Prior to that it's not possible to modify it from userspace at all. > The keys being added to the IMA keyring are signed x509 certs (eg. > openssl ca -ss_cert). It would be nice to be able to include the skid > in the description, without a payload, and sign that. I have no idea if > that Is possible or if it makes sense. I'm open to suggestions. I think we need a new keyctl or syscall for this. We need to run through the X.509 parser, but we don't actually want to keep any of the payload - and, in fact, we don't even necessarily want to create an asymmetric-type key, though it's not a complete loss if we do that and create one with a blacklist subtype. The blacklist subtype would just return an error from all operation points, but would otherwise be handled as normal. David
Powered by blists - more mailing lists