keyctl.2: Improve KEYCTL_SET_TIMEOUT details

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man2/keyctl.2

@@ -851,23 +851,33 @@ via the function
 .BR keyctl_set_reqkey_keyring (3).
 .TP
 .BR KEYCTL_SET_TIMEOUT " (since Linux 2.6.16)"
-Set timeout on a key.
-ID of a key provided in the
+Set a timeout on a key.
+
+The ID of the key is specified in
 .I arg2
-argument (cast to
-.IR key_serial_t ),
-timeout value (in seconds from current time) provided in the
+(cast to
+.IR key_serial_t ).
+The timeout value, in seconds from the current time,
+is specified in
 .I arg3
-argument (cast to
+(cast to
 .IR "unsigned int" ).
 
+Specifying the timeout value as 0 clears any existing timeout on the key.
+
 The caller must either have the
 .I setattr
-permission or hold an instantiation authorization token for the key.
+permission on the key
+or hold an instantiation authorization token for the key (see
+.BR request_key (2)).
 
-A timeout value of 0 clears the timeout.
 The key and any links to the key will be
 automatically garbage collected after the timeout expires.
+Subsequent attempts to access the key will then fail with the error
+.BR EKEYEXPIRED .
+
+This operation cannot be used to set timeouts on negative, revoked,
+or expired keys.
 
 The arguments
 .IR arg4