diff options
Diffstat (limited to 'Documentation/keys.txt')
-rw-r--r-- | Documentation/keys.txt | 43 |
1 files changed, 42 insertions, 1 deletions
diff --git a/Documentation/keys.txt b/Documentation/keys.txt index 6304db59bfe4..aaa01b0e3ee9 100644 --- a/Documentation/keys.txt +++ b/Documentation/keys.txt | |||
@@ -308,6 +308,8 @@ process making the call: | |||
308 | KEY_SPEC_USER_KEYRING -4 UID-specific keyring | 308 | KEY_SPEC_USER_KEYRING -4 UID-specific keyring |
309 | KEY_SPEC_USER_SESSION_KEYRING -5 UID-session keyring | 309 | KEY_SPEC_USER_SESSION_KEYRING -5 UID-session keyring |
310 | KEY_SPEC_GROUP_KEYRING -6 GID-specific keyring | 310 | KEY_SPEC_GROUP_KEYRING -6 GID-specific keyring |
311 | KEY_SPEC_REQKEY_AUTH_KEY -7 assumed request_key() | ||
312 | authorisation key | ||
311 | 313 | ||
312 | 314 | ||
313 | The main syscalls are: | 315 | The main syscalls are: |
@@ -498,7 +500,11 @@ The keyctl syscall functions are: | |||
498 | keyring is full, error ENFILE will result. | 500 | keyring is full, error ENFILE will result. |
499 | 501 | ||
500 | The link procedure checks the nesting of the keyrings, returning ELOOP if | 502 | The link procedure checks the nesting of the keyrings, returning ELOOP if |
501 | it appears to deep or EDEADLK if the link would introduce a cycle. | 503 | it appears too deep or EDEADLK if the link would introduce a cycle. |
504 | |||
505 | Any links within the keyring to keys that match the new key in terms of | ||
506 | type and description will be discarded from the keyring as the new one is | ||
507 | added. | ||
502 | 508 | ||
503 | 509 | ||
504 | (*) Unlink a key or keyring from another keyring: | 510 | (*) Unlink a key or keyring from another keyring: |
@@ -628,6 +634,41 @@ The keyctl syscall functions are: | |||
628 | there is one, otherwise the user default session keyring. | 634 | there is one, otherwise the user default session keyring. |
629 | 635 | ||
630 | 636 | ||
637 | (*) Set the timeout on a key. | ||
638 | |||
639 | long keyctl(KEYCTL_SET_TIMEOUT, key_serial_t key, unsigned timeout); | ||
640 | |||
641 | This sets or clears the timeout on a key. The timeout can be 0 to clear | ||
642 | the timeout or a number of seconds to set the expiry time that far into | ||
643 | the future. | ||
644 | |||
645 | The process must have attribute modification access on a key to set its | ||
646 | timeout. Timeouts may not be set with this function on negative, revoked | ||
647 | or expired keys. | ||
648 | |||
649 | |||
650 | (*) Assume the authority granted to instantiate a key | ||
651 | |||
652 | long keyctl(KEYCTL_ASSUME_AUTHORITY, key_serial_t key); | ||
653 | |||
654 | This assumes or divests the authority required to instantiate the | ||
655 | specified key. Authority can only be assumed if the thread has the | ||
656 | authorisation key associated with the specified key in its keyrings | ||
657 | somewhere. | ||
658 | |||
659 | Once authority is assumed, searches for keys will also search the | ||
660 | requester's keyrings using the requester's security label, UID, GID and | ||
661 | groups. | ||
662 | |||
663 | If the requested authority is unavailable, error EPERM will be returned, | ||
664 | likewise if the authority has been revoked because the target key is | ||
665 | already instantiated. | ||
666 | |||
667 | If the specified key is 0, then any assumed authority will be divested. | ||
668 | |||
669 | The assumed authorititive key is inherited across fork and exec. | ||
670 | |||
671 | |||
631 | =============== | 672 | =============== |
632 | KERNEL SERVICES | 673 | KERNEL SERVICES |
633 | =============== | 674 | =============== |