mirror of https://github.com/mkerrisk/man-pages
keyctl.2: Minor fixes to Eugene's patch
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 54d5a1c72b
commit 0e840b4234
|
@ -1547,8 +1547,8 @@ as with SP800-108 (the counter KDF).
|
|||
.BR KEYCTL_RESTRICT_KEYRING " (since Linux 4.12)"
|
||||
.\" commit 6563c91fd645556c7801748f15bc727c77fcd311
|
||||
.\" commit 7228b66aaf723a623e578aa4db7d083bb39546c9
|
||||
Apply a key linking restriction to a keyring with the ID provided in
|
||||
.IR arg2 .
|
||||
Apply a key-linking restriction to the keyring with the ID provided in
|
||||
.IR arg2
|
||||
(cast to
|
||||
.IR key_serial_t ).
|
||||
The caller must have
|
||||
|
@ -1560,7 +1560,7 @@ is NULL, any attempt to add a key to the keyring is blocked;
|
|||
otherwise it contains a pointer to a string with a key type name and
|
||||
.I arg4
|
||||
contains a pointer to string that describes the type-specific restriction.
|
||||
As of Linux 4.12, only type "asymmetric" has the restrictions defined:
|
||||
As of Linux 4.12, only the type "asymmetric" has restrictions defined:
|
||||
.RS
|
||||
.TP
|
||||
.B builtin_trusted
|
||||
|
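Review bot: The unchanged line just above the edited sentence still reads "contains a pointer to string that describes the type-specific restriction", which is missing an article. Since this pass fixes articles in the same paragraph, change it to "a pointer to a string", matching the preceding "a pointer to a string with a key type name".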
@ -1569,7 +1569,7 @@ Allows only keys that are signed by a key linked to the builtin keyring
|
|||
.TP
|
||||
.B builtin_and_secondary_trusted
|
||||
Allows only keys that are signed by a key linked to the secondary keyring
|
||||
(".secondary_trusted_keys") or, by extension, a key in builtin keyring,
|
||||
(".secondary_trusted_keys") or, by extension, a key in a builtin keyring,
|
||||
as the latter is linked to the former.
|
||||
.TP
|
||||
.BI key_or_keyring: key
|
||||
|
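Review bot: In the builtin_and_secondary_trusted entry, the new wording "a key in a builtin keyring" suggests there are several builtin keyrings, while the preceding entry (visible in the hunk header) speaks of "the builtin keyring". Use "a key in the builtin keyring" here so the two entries agree, since a reader configuring a restriction needs to know exactly which keyring anchors the trust.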
@ -1577,22 +1577,23 @@ as the latter is linked to the former.
|
|||
.BI key_or_keyring: key :chain
|
||||
If
|
||||
.I key
|
||||
specifies ID of a key of type "asymmetric", then only keys that are signed
|
||||
by this key are allowed.
|
||||
specifies the ID of a key of type "asymmetric",
|
||||
then only keys that are signed by this key are allowed.
|
||||
.IP
|
||||
If
|
||||
.I key
|
||||
specifies ID of a keyring, then only keys that are signed by a key linked
|
||||
specifies the ID of a keyring,
|
||||
then only keys that are signed by a key linked
|
||||
to this keyring are allowed.
|
||||
.IP
|
||||
If ":chain" is specified, keys that are signed by a keys linked to the
|
||||
destination keyring (that is, the keyring with ID specified in the
|
||||
destination keyring (that is, the keyring with the ID specified in the
|
||||
.I arg2
|
||||
argument) are also allowed.
|
||||
.RE
|
||||
.IP
|
||||
Note that a restriction can be configured only once for the specific keyring;
|
||||
once it is set, it can't be overridden.
|
||||
Note that a restriction can be configured only once for the specified keyring;
|
||||
once a restriction is set, it can't be overridden.
|
||||
.IP
|
||||
The argument
|
||||
.I arg5
|
||||
|
|
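Review bot: The ":chain" paragraph still reads "keys that are signed by a keys linked to the" on the unchanged line directly above the edited "destination keyring" line; it should be "signed by a key linked to the". Fix it in this same pass, as the sentence defines which signers are accepted and the singular/plural slip makes that harder to read.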