mirror of https://github.com/mkerrisk/man-pages
persistent-keyring.7: New page adopted from keyutils
Since this page documents kernel-user-space interfaces, it makes sense to have it as part of man-pages, rather than the keyutils package.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 6b71fd9aca
commit 33af8657ac
@ -0,0 +1,67 @@
.\"
.\" Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public Licence
.\" as published by the Free Software Foundation; either version
.\" 2 of the Licence, or (at your option) any later version.
.\"
.TH "PERSISTENT KEYRING" 7 "20 Feb 2014" Linux "Kernel key management"
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH NAME
persistent_keyring \- Per-user persistent keyring
.SH DESCRIPTION
The
.B persistent keyring
is a keyring used to anchor keys on behalf of a user. Each UID the kernel
deals with has its own persistent keyring that is shared between all threads
owned by that UID.
.P
The persistent keyring is created on demand when a thread requests it. The
keyring's expiration timer is reset every time it is accessed to the value in:
.IP
/proc/sys/kernel/keys/persistent_keyring_expiry
.P
The persistent keyring is not searched by \fBrequest_key\fP() unless it is
referred to by a keyring that is.
.P
The persistent keyring may not be accessed directly, even by processes with
the appropriate UID. Instead it must be linked to one of a process's keyrings
first before that keyring can access it by virtue of its possessor permits.
This is done with \fBkeyctl_get_persistent\fP().
.P
Persistent keyrings are independent of clone(), fork(), vfork(), execve() and
exit(). They persist until their expiration timers trigger - at which point
they are garbage collected. This allows them to carry keys beyond the life of
the kernel's record of the corresponding UID (the destruction of which results
in the destruction of the user and user session keyrings).
.P
If a persistent keyring does not exist when it is accessed, it will be
created.
.SH SPECIAL OPERATIONS
The keyutils library provides a special operation for manipulating persistent
keyrings:
.IP \fBkeyctl_get_persistent\fP()
This operation allows the caller to get the persistent keyring corresponding
to their own UID or, if they have \fBCAP_SETUID\fR, the persistent keyring
corresponding to some other UID in the same user namespace.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
.BR keyctl (1),
.br
.BR keyctl (3),
.br
.BR keyctl_get_persistent (3),
.br
.BR keyrings (7),
.br
.BR process-keyring (7),
.br
.BR session-keyring (7),
.br
.BR thread-keyring (7),
.br
.BR user-keyring (7),
.br
.BR user-session-keyring (7)
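Review bot: In DESCRIPTION, the paragraph that points at /proc/sys/kernel/keys/persistent_keyring_expiry states neither the unit nor the default of that value, so a reader cannot tell from this page how long keys stay anchored once the kernel's record of the UID is gone; state both next to the path. The same paragraph says the timer is reset "every time it is accessed", while a later paragraph says the keyring "may not be accessed directly"; saying which operations count as an access (for example a call to keyctl_get_persistent()) would remove the ambiguity. The sentence ending "first before that keyring can access it by virtue of its possessor permits" is hard to parse and should say plainly who gains access and through which keyring. Finally, the NAME line uses persistent_keyring, .TH uses "PERSISTENT KEYRING" and the commit subject names the file persistent-keyring.7; pick one spelling so that name-based lookups match the file.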