keyctl.2: Improve KEYCTL_CLEAR details

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2016-10-19 12:36:44 +02:00 · 2016-10-19 12:36:44 +02:00 · c97582e5d9
parent 015c82d521
commit c97582e5d9
1 changed files with 12 additions and 3 deletions
--- a/man2/keyctl.2
+++ b/man2/keyctl.2
@ -501,14 +501,23 @@ via the function
 .BR keyctl_describe (3).
 .TP
 .B KEYCTL_CLEAR
-Clear the contents of the keyring with the ID provided in the
+Clear the contents of (i.e., unlink all keys from) a keyring.
+
+The ID of the key
+(which must be of keyring type)
+.\" or the error ENOTDIR results
+is provided in
 .I arg2
-argument (cast to
+(cast to
 .IR key_serial_t ).
+.\" According to Documentation/security/keys.txt:
+.\"     This function can also be used to clear special kernel keyrings if they
+.\"     are appropriately marked if the user has CAP_SYS_ADMIN capability.  The
+.\"     DNS resolver cache keyring is an example of this.

 The caller must have
 .I write
-permission.
+permission on the keyring.

 The arguments
 .IR arg3 ,