NAME¶
persistent-keyring - Per-user persistent keyring
DESCRIPTION¶
The
persistent keyring is a keyring used to anchor keys on behalf of a
user. Each UID the kernel deals with has its own persistent keyring that is
shared between all threads owned by that UID.
The persistent keyring is created on demand when a thread requests it. The
keyring's expiration timer is reset every time it is accessed to the value in:
- /proc/sys/kernel/keys/persistent_keyring_expiry
The persistent keyring is not searched by
request_key() unless it is
referred to by a keyring that is.
The persistent keyring may not be accessed directly, even by processes with the
appropriate UID. Instead it must be linked to one of a process's keyrings
first before that keyring can access it by virtue of its possessor permits.
This is done with
keyctl_get_persistent().
Persistent keyrings are independent of clone(), fork(), vfork(), execve() and
exit(). They persist until their expiration timers trigger - at which point
they are garbage collected. This allows them to carry keys beyond the life of
the kernel's record of the corresponding UID (the destruction of which results
in the destruction of the user and user session keyrings).
If a persistent keyring does not exist when it is accessed, it will be created.
SPECIAL OPERATIONS¶
The keyutils library provides a special operation for manipulating persistent
keyrings:
- keyctl_get_persistent()
- This operation allows the caller to get the persistent keyring
corresponding to their own UID or, if they have CAP_SETUID, the
persistent keyring corresponding to some other UID in the same user
namespace.
SEE ALSO¶
keyctl(1),
keyctl(3),
keyctl_get_persistent(3),
keyrings(7),
process-keyring(7),
session-keyring(7),
thread-keyring(7),
user-keyring(7),
user-session-keyring(7)