mirror of https://github.com/mkerrisk/man-pages
68 lines
2.5 KiB
Groff
68 lines
2.5 KiB
Groff
|
.\"
|
||
|
.\" Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
|
||
|
.\" Written by David Howells (dhowells@redhat.com)
|
||
|
.\"
|
||
|
.\" This program is free software; you can redistribute it and/or
|
||
|
.\" modify it under the terms of the GNU General Public Licence
|
||
|
.\" as published by the Free Software Foundation; either version
|
||
|
.\" 2 of the Licence, or (at your option) any later version.
|
||
|
.\"
|
||
|
.TH "PERSISTENT KEYRING" 7 "20 Feb 2014" Linux "Kernel key management"
|
||
|
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||
|
.SH NAME
|
||
|
persistent_keyring \- Per-user persistent keyring
|
||
|
.SH DESCRIPTION
|
||
|
The
|
||
|
.B persistent keyring
|
||
|
is a keyring used to anchor keys on behalf of a user. Each UID the kernel
|
||
|
deals with has its own persistent keyring that is shared between all threads
|
||
|
owned by that UID.
|
||
|
.P
|
||
|
The persistent keyring is created on demand when a thread requests it. The
|
||
|
keyring's expiration timer is reset every time it is accessed to the value in:
|
||
|
.IP
|
||
|
/proc/sys/kernel/keys/persistent_keyring_expiry
|
||
|
.P
|
||
|
The persistent keyring is not searched by \fBrequest_key\fP() unless it is
|
||
|
referred to by a keyring that is.
|
||
|
.P
|
||
|
The persistent keyring may not be accessed directly, even by processes with
|
||
|
the appropriate UID. Instead it must be linked to one of a process's keyrings
|
||
|
first before that keyring can access it by virtue of its possessor permits.
|
||
|
This is done with \fBkeyctl_get_persistent\fP().
|
||
|
.P
|
||
|
Persistent keyrings are independent of clone(), fork(), vfork(), execve() and
|
||
|
exit(). They persist until their expiration timers trigger - at which point
|
||
|
they are garbage collected. This allows them to carry keys beyond the life of
|
||
|
the kernel's record of the corresponding UID (the destruction of which results
|
||
|
in the destruction of the user and user session keyrings).
|
||
|
.P
|
||
|
If a persistent keyring does not exist when it is accessed, it will be
|
||
|
created.
|
||
|
.SH SPECIAL OPERATIONS
|
||
|
The keyutils library provides a special operation for manipulating persistent
|
||
|
keyrings:
|
||
|
.IP \fBkeyctl_get_persistent\fP()
|
||
|
This operation allows the caller to get the persistent keyring corresponding
|
||
|
to their own UID or, if they have \fBCAP_SETUID\fR, the persistent keyring
|
||
|
corresponding to some other UID in the same user namespace.
|
||
|
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
|
||
|
.SH SEE ALSO
|
||
|
.BR keyctl (1),
|
||
|
.br
|
||
|
.BR keyctl (3),
|
||
|
.br
|
||
|
.BR keyctl_get_persistent (3),
|
||
|
.br
|
||
|
.BR keyrings (7),
|
||
|
.br
|
||
|
.BR process-keyring (7),
|
||
|
.br
|
||
|
.BR session-keyring (7),
|
||
|
.br
|
||
|
.BR thread-keyring (7),
|
||
|
.br
|
||
|
.BR user-keyring (7),
|
||
|
.br
|
||
|
.BR user-session-keyring (7)
|