author | David Howells <dhowells@redhat.com> | 2009-09-02 04:14:00 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-09-02 07:29:11 -0400 |
commit | 5d135440faf7db8d566de0c6fab36b16cf9cfc3b (patch) | |
tree | d9c022e73ed51dfe5729fde9a97150cb64b68196 /Documentation | |
parent | f041ae2f99d49adc914153a34a2d0e14e4389d90 (diff) |
KEYS: Add garbage collection for dead, revoked and expired keys. [try #6]
Add garbage collection for dead, revoked and expired keys. This involved
erasing all links to such keys from keyrings that point to them. At that
point, the key will be deleted in the normal manner.
Keyrings from which garbage collection occurs are shrunk and their quota
consumption reduced as appropriate.
Dead keys (for which the key type has been removed) will be garbage collected
immediately.
Revoked and expired keys will hang around for a number of seconds, as set in
/proc/sys/kernel/keys/gc_delay before being automatically removed. The default
is 5 minutes.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/keys.txt | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/Documentation/keys.txt b/Documentation/keys.txt index b56aacc1fff8..203487e9b1d8 100644 --- a/Documentation/keys.txt +++ b/Documentation/keys.txt | |||
@@ -26,7 +26,7 @@ This document has the following sections: | |||
26 | - Notes on accessing payload contents | 26 | - Notes on accessing payload contents |
27 | - Defining a key type | 27 | - Defining a key type |
28 | - Request-key callback service | 28 | - Request-key callback service |
29 | - Key access filesystem | 29 | - Garbage collection |
30 | 30 | ||
31 | 31 | ||
32 | ============ | 32 | ============ |
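Review bot: this hunk replaces the existing contents entry "- Key access filesystem" with "- Garbage collection" instead of adding a new entry. If a "Key access filesystem" section still exists further down in keys.txt it is now absent from the contents list; if that section was never written, removing the stale entry is a separate cleanup that deserves a sentence in the commit message so the change is not mistaken for an accident.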
@@ -113,6 +113,9 @@ Each key has a number of attributes: | |||
113 | 113 | ||
114 | (*) Dead. The key's type was unregistered, and so the key is now useless. | 114 | (*) Dead. The key's type was unregistered, and so the key is now useless. |
115 | 115 | ||
116 | Keys in the last three states are subject to garbage collection. See the | ||
117 | section on "Garbage collection". | ||
118 | |||
116 | 119 | ||
117 | ==================== | 120 | ==================== |
118 | KEY SERVICE OVERVIEW | 121 | KEY SERVICE OVERVIEW |
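Review bot: "Keys in the last three states are subject to garbage collection" depends on the reader remembering the order of the attribute list above, and only the "Dead" entry is visible in this context; naming the states directly, e.g. "Revoked, expired and dead keys are subject to garbage collection", keeps the sentence correct if the list is ever reordered or extended.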
@@ -1231,3 +1234,17 @@ by executing: | |||
1231 | 1234 | ||
1232 | In this case, the program isn't required to actually attach the key to a ring; | 1235 | In this case, the program isn't required to actually attach the key to a ring; |
1233 | the rings are provided for reference. | 1236 | the rings are provided for reference. |
1237 | |||
1238 | |||
1239 | ================== | ||
1240 | GARBAGE COLLECTION | ||
1241 | ================== | ||
1242 | |||
1243 | Dead keys (for which the type has been removed) will be automatically unlinked | ||
1244 | from those keyrings that point to them and deleted as soon as possible by a | ||
1245 | background garbage collector. | ||
1246 | |||
1247 | Similarly, revoked and expired keys will be garbage collected, but only after a | ||
1248 | certain amount of time has passed. This time is set as a number of seconds in: | ||
1249 | |||
1250 | /proc/sys/kernel/keys/gc_delay | ||
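Review bot: the new GARBAGE COLLECTION section names /proc/sys/kernel/keys/gc_delay but does not state its default, although the commit message gives it as 5 minutes; adding "The default is 300 seconds" after the path would save the reader a trip to the source. The section also omits two behaviours the commit message documents, that collection unlinks the key from every keyring that points to it and that the keyring's quota consumption is reduced accordingly; a sentence on each belongs here, since this is the user-visible description of what happens to a revoked or expired key.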