diff options
author | Dmitry Torokhov <dmitry.torokhov@gmail.com> | 2012-07-04 13:13:55 -0700 |
---|---|---|
committer | Dmitry Torokhov <dmitry.torokhov@gmail.com> | 2012-07-04 13:13:55 -0700 |
commit | 404c3bc30cb1361e1b3533643326ab472d24a618 (patch) | |
tree | 156cc9032c8aee17167d926c5bdae009ba8f36d2 /Documentation/security/keys.txt | |
parent | Input: wacom - TPC2FG doesn't store touch id for slots (diff) | |
parent | Linux 3.5-rc5 (diff) | |
download | linux-dev-404c3bc30cb1361e1b3533643326ab472d24a618.tar.xz linux-dev-404c3bc30cb1361e1b3533643326ab472d24a618.zip |
Merge commit 'v3.5-rc5' into next
Diffstat (limited to 'Documentation/security/keys.txt')
-rw-r--r-- | Documentation/security/keys.txt | 31 |
1 files changed, 30 insertions, 1 deletions
diff --git a/Documentation/security/keys.txt b/Documentation/security/keys.txt index 787717091421..aa0dbd74b71b 100644 --- a/Documentation/security/keys.txt +++ b/Documentation/security/keys.txt @@ -123,7 +123,7 @@ KEY SERVICE OVERVIEW The key service provides a number of features besides keys: - (*) The key service defines two special key types: + (*) The key service defines three special key types: (+) "keyring" @@ -137,6 +137,18 @@ The key service provides a number of features besides keys: blobs of data. These can be created, updated and read by userspace, and aren't intended for use by kernel services. + (+) "logon" + + Like a "user" key, a "logon" key has a payload that is an arbitrary + blob of data. It is intended as a place to store secrets which are + accessible to the kernel but not to userspace programs. + + The description can be arbitrary, but must be prefixed with a non-zero + length string that describes the key "subclass". The subclass is + separated from the rest of the description by a ':'. "logon" keys can + be created and updated from userspace, but the payload is only + readable from kernel space. + (*) Each process subscribes to three keyrings: a thread-specific keyring, a process-specific keyring, and a session-specific keyring. @@ -793,6 +805,23 @@ The keyctl syscall functions are: kernel and resumes executing userspace. + (*) Invalidate a key. + + long keyctl(KEYCTL_INVALIDATE, key_serial_t key); + + This function marks a key as being invalidated and then wakes up the + garbage collector. The garbage collector immediately removes invalidated + keys from all keyrings and deletes the key when its reference count + reaches zero. + + Keys that are marked invalidated become invisible to normal key operations + immediately, though they are still visible in /proc/keys until deleted + (they're marked with an 'i' flag). + + A process must have search permission on the key for this function to be + successful. + + =============== KERNEL SERVICES =============== |