.\"
.\" Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public Licence
.\" as published by the Free Software Foundation; either version
.\" 2 of the Licence, or (at your option) any later version.
.\" %%%LICENSE_END
.\"
.TH "PERSISTENT-KEYRING" 7 2016-11-01 Linux "Linux Programmer's Manual"
.SH NAME
persistent-keyring \- per-user persistent keyring
.SH DESCRIPTION
The persistent keyring is a keyring used to anchor keys on behalf of a user.
Each UID known to the kernel has its own persistent keyring, which
is shared between all threads running with that UID.
.P
The persistent keyring is created on demand when a thread requests it.
Each time the keyring is accessed, its expiration timer is reset to the
value (in seconds) in:
.IP
/proc/sys/kernel/keys/persistent_keyring_expiry
.P
The persistent keyring is not searched by
.BR request_key (2)
unless it is linked from a keyring that is searched.
.P
The persistent keyring cannot be accessed directly, even by processes
running with the appropriate UID.
Instead, it must first be linked into one of the process's keyrings;
the process can then access it by virtue of the possessor permits
that the link confers.
This is done with
.BR keyctl_get_persistent (3).
.P
Persistent keyrings are independent of
.BR clone (2),
.BR fork (2),
.BR vfork (2),
.BR execve (2),
and
.BR _exit (2).
They persist until their expiration timer fires, at which point
they are garbage collected.
This allows them to carry keys beyond the life of
the kernel's record of the corresponding UID (the destruction of which results
in the destruction of the user and user-session keyrings).
.P
If the persistent keyring for a UID does not exist when it is requested,
it is created.
.SS Special operations
The keyutils library provides a special operation for manipulating persistent
keyrings:
.IP
.BR keyctl_get_persistent (3)
.P
This operation allows the caller to get the persistent keyring corresponding
to their own UID or, if they have
.BR CAP_SETUID ,
the persistent keyring
corresponding to some other UID in the same user namespace.
The keyring is created if it does not already exist, its expiration timer
is reset, and it is linked into the destination keyring nominated by the
caller (on which the caller needs write permission) before its serial
number is returned.
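.P
The following program is an added worked example; it is not part of this
manual page or of the keyutils library.
It links the caller's persistent keyring into the session keyring using the
KEYCTL_GET_PERSISTENT operation that underlies
.BR keyctl_get_persistent (3),
reads the keyring's description with KEYCTL_DESCRIBE, and adds a key that
outlives the process.
It issues the keyctl(2) and add_key(2) system calls directly so that it
builds without libkeyutils; the constants are those of
.IR <linux/keyctl.h> ,
while the key description "example:token", the sample describe strings and
the
.IR parse_describe ()
and
.IR possessor_perms ()
helpers are constructed for this example.

```c
/* Added example: link the caller's persistent keyring into the session
 * keyring, describe it, and add a key that survives process exit.
 * Not part of man-pages or libkeyutils; uses raw keyctl(2)/add_key(2). */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

typedef int32_t key_serial_t;

/* Values from <linux/keyctl.h>, repeated here so the example builds
 * without the kernel headers installed. */
#define KEY_SPEC_SESSION_KEYRING   (-3)
#define KEYCTL_DESCRIBE            6
#define KEYCTL_GET_PERSISTENT      22

/* Parsed form of a KEYCTL_DESCRIBE string, "type;uid;gid;perm;description".
 * Hypothetical helper written for this example. */
struct key_desc {
    char     type[32];
    uid_t    uid;
    gid_t    gid;
    uint32_t perm;      /* hexadecimal permission mask */
    char     desc[256];
};

/* Parse one ';'-terminated numeric field and advance *p past it. */
static int field_ul(const char **p, int base, unsigned long *v)
{
    char *end;
    *v = strtoul(*p, &end, base);
    if (end == *p || *end != ';') return -1;
    *p = end + 1;
    return 0;
}

/* Returns 0 on success, -1 if the string is not a well-formed description. */
int parse_describe(const char *s, struct key_desc *out)
{
    const char *p = s, *q = strchr(s, ';');
    unsigned long v;

    memset(out, 0, sizeof *out);
    if (q == NULL || q == p || (size_t)(q - p) >= sizeof out->type) return -1;
    memcpy(out->type, p, (size_t)(q - p));
    p = q + 1;
    if (field_ul(&p, 10, &v)) return -1;
    out->uid = (uid_t)v;
    if (field_ul(&p, 10, &v)) return -1;
    out->gid = (gid_t)v;
    if (field_ul(&p, 16, &v)) return -1;
    out->perm = (uint32_t)v;
    if (strlen(p) >= sizeof out->desc) return -1;
    strcpy(out->desc, p);
    return 0;
}

/* The possessor permission byte occupies bits 24-31 of the mask; these are
 * the permits a process gains once the keyring is linked into one it owns. */
unsigned possessor_perms(uint32_t perm) { return (perm >> 24) & 0xffu; }

/* KEYCTL_GET_PERSISTENT: create (if needed) the persistent keyring of uid,
 * (uid_t)-1 meaning the caller's own UID, reset its expiry timer and link it
 * into dest.  Returns the keyring serial, or -1 with errno set (EPERM when
 * asking for another UID's keyring without CAP_SETUID). */
key_serial_t link_persistent(uid_t uid, key_serial_t dest)
{
    return (key_serial_t)syscall(SYS_keyctl, KEYCTL_GET_PERSISTENT,
                                 (unsigned long)uid, (unsigned long)dest,
                                 0UL, 0UL);
}

int main(void)
{
    char buf[512];
    struct key_desc d;
    key_serial_t pk, k;
    long n;

    pk = link_persistent((uid_t)-1, KEY_SPEC_SESSION_KEYRING);
    if (pk < 0) { perror("KEYCTL_GET_PERSISTENT"); return 1; }

    /* Now reachable through the session keyring, so possessor permits
     * apply: the description can be read and keys can be added. */
    n = syscall(SYS_keyctl, KEYCTL_DESCRIBE, (unsigned long)pk, buf,
                sizeof buf, 0UL);
    if (n < 0 || (size_t)n > sizeof buf) { perror("KEYCTL_DESCRIBE"); return 1; }
    if (parse_describe(buf, &d) == 0)
        printf("keyring %d: %s, owner uid %u, perm %08x, possessor bits %02x\n",
               pk, d.desc, (unsigned)d.uid, d.perm, possessor_perms(d.perm));

    /* Constructed sample key.  It stays in the persistent keyring after this
     * process exits, until persistent_keyring_expiry seconds pass without
     * the keyring being accessed. */
    k = (key_serial_t)syscall(SYS_add_key, "user", "example:token", "s3cret",
                              (size_t)6, (unsigned long)pk);
    if (k < 0) { perror("add_key"); return 1; }
    printf("added key %d; inspect with: keyctl show @s\n", k);
    return 0;
}
```

.P
Run the program, exit the shell that ran it, and run
.B keyctl show @s
from a new session as the same user after calling it once more: the key
added by the first run is still present, because the persistent keyring
outlived the first process and was merely re-linked.
Passing a different UID to
.IR link_persistent ()
without CAP_SETUID fails with EPERM, which is the check that stops one
user from anchoring keys in another user's persistent keyring.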
.SH SEE ALSO
.ad l
.nh
.BR keyctl (1),
.BR keyctl (3),
.BR keyctl_get_persistent (3),
.BR keyrings (7),
.BR process\-keyring (7),
.BR session\-keyring (7),
.BR thread\-keyring (7),
.BR user\-keyring (7),
.BR user\-session\-keyring (7)