aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation/keys.txt
diff options
context:
space:
mode:
Diffstat (limited to 'Documentation/keys.txt')
-rw-r--r--Documentation/keys.txt59
1 files changed, 53 insertions, 6 deletions
diff --git a/Documentation/keys.txt b/Documentation/keys.txt
index 51652d39e61c..d5c7a57d1700 100644
--- a/Documentation/keys.txt
+++ b/Documentation/keys.txt
@@ -170,7 +170,8 @@ The key service provides a number of features besides keys:
170 amount of description and payload space that can be consumed. 170 amount of description and payload space that can be consumed.
171 171
172 The user can view information on this and other statistics through procfs 172 The user can view information on this and other statistics through procfs
173 files. 173 files. The root user may also alter the quota limits through sysctl files
174 (see the section "New procfs files").
174 175
175 Process-specific and thread-specific keyrings are not counted towards a 176 Process-specific and thread-specific keyrings are not counted towards a
176 user's quota. 177 user's quota.
@@ -329,6 +330,27 @@ about the status of the key service:
329 <bytes>/<max> Key size quota 330 <bytes>/<max> Key size quota
330 331
331 332
333Four new sysctl files have been added also for the purpose of controlling the
334quota limits on keys:
335
336 (*) /proc/sys/kernel/keys/root_maxkeys
337 /proc/sys/kernel/keys/root_maxbytes
338
339 These files hold the maximum number of keys that root may have and the
340 maximum total number of bytes of data that root may have stored in those
341 keys.
342
343 (*) /proc/sys/kernel/keys/maxkeys
344 /proc/sys/kernel/keys/maxbytes
345
346 These files hold the maximum number of keys that each non-root user may
347 have and the maximum total number of bytes of data that each of those
348 users may have stored in their keys.
349
350Root may alter these by writing each new limit as a decimal number string to
351the appropriate file.
352
353
332=============================== 354===============================
333USERSPACE SYSTEM CALL INTERFACE 355USERSPACE SYSTEM CALL INTERFACE
334=============================== 356===============================
@@ -711,6 +733,27 @@ The keyctl syscall functions are:
711 The assumed authoritative key is inherited across fork and exec. 733 The assumed authoritative key is inherited across fork and exec.
712 734
713 735
736 (*) Get the LSM security context attached to a key.
737
738 long keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer,
739 size_t buflen)
740
741 This function returns a string that represents the LSM security context
742 attached to a key in the buffer provided.
743
744 Unless there's an error, it always returns the amount of data it could
745 produce, even if that's too big for the buffer, but it won't copy more
746 than requested to userspace. If the buffer pointer is NULL then no copy
747 will take place.
748
749 A NUL character is included at the end of the string if the buffer is
750 sufficiently big. This is included in the returned count. If no LSM is
751 in force then an empty string will be returned.
752
753 A process must have view permission on the key for this function to be
754 successful.
755
756
714=============== 757===============
715KERNEL SERVICES 758KERNEL SERVICES
716=============== 759===============
@@ -771,7 +814,7 @@ payload contents" for more information.
771 814
772 struct key *request_key(const struct key_type *type, 815 struct key *request_key(const struct key_type *type,
773 const char *description, 816 const char *description,
774 const char *callout_string); 817 const char *callout_info);
775 818
776 This is used to request a key or keyring with a description that matches 819 This is used to request a key or keyring with a description that matches
777 the description specified according to the key type's match function. This 820 the description specified according to the key type's match function. This
@@ -793,24 +836,28 @@ payload contents" for more information.
793 836
794 struct key *request_key_with_auxdata(const struct key_type *type, 837 struct key *request_key_with_auxdata(const struct key_type *type,
795 const char *description, 838 const char *description,
796 const char *callout_string, 839 const void *callout_info,
840 size_t callout_len,
797 void *aux); 841 void *aux);
798 842
799 This is identical to request_key(), except that the auxiliary data is 843 This is identical to request_key(), except that the auxiliary data is
800 passed to the key_type->request_key() op if it exists. 844 passed to the key_type->request_key() op if it exists, and the callout_info
845 is a blob of length callout_len, if given (the length may be 0).
801 846
802 847
803(*) A key can be requested asynchronously by calling one of: 848(*) A key can be requested asynchronously by calling one of:
804 849
805 struct key *request_key_async(const struct key_type *type, 850 struct key *request_key_async(const struct key_type *type,
806 const char *description, 851 const char *description,
807 const char *callout_string); 852 const void *callout_info,
853 size_t callout_len);
808 854
809 or: 855 or:
810 856
811 struct key *request_key_async_with_auxdata(const struct key_type *type, 857 struct key *request_key_async_with_auxdata(const struct key_type *type,
812 const char *description, 858 const char *description,
813 const char *callout_string, 859 const char *callout_info,
860 size_t callout_len,
814 void *aux); 861 void *aux);
815 862
816 which are asynchronous equivalents of request_key() and 863 which are asynchronous equivalents of request_key() and
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-17 07:25:12 -0500