Merge branch 'man_page_layout_fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mtk/keyutils into next
"Here are some more man page layout fixes.
The biggest change is reformatting or keyctl(1) so that it's
prettier and more readable."
Signed-off-by: David Howells <dhowells@redhat.com>
diff --git a/man/find_key_by_type_and_name.3 b/man/find_key_by_type_and_name.3
index ad8ae54..2fbd21e 100644
--- a/man/find_key_by_type_and_name.3
+++ b/man/find_key_by_type_and_name.3
@@ -54,7 +54,7 @@
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH LINKING
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/key.dns_resolver.8 b/man/key.dns_resolver.8
index c737768..e1882e0 100644
--- a/man/key.dns_resolver.8
+++ b/man/key.dns_resolver.8
@@ -13,17 +13,17 @@
.SH SYNOPSIS
\fB/sbin/key.dns_resolver \fR<key>
.br
-\fB/sbin/key.dns_resolver \fR-D [\-v] [\-v] <keydesc> <calloutinfo>
+\fB/sbin/key.dns_resolver \fR\-D [\-v] [\-v] <keydesc> <calloutinfo>
.SH DESCRIPTION
-This program is invoked by request-key on behalf of the kernel when kernel
+This program is invoked by request\-key on behalf of the kernel when kernel
services (such as NFS, CIFS and AFS) want to perform a hostname lookup and the
kernel does not have the key cached. It is not ordinarily intended to be
called directly.
.P
It can be called in debugging mode to test its functionality by passing a
-\fB-D\fR flag on the command line. For this to work, the key description and
+\fB\-D\fR flag on the command line. For this to work, the key description and
the callout information must be supplied. Verbosity can be increased by
-supplying one or more \fB-v\fR flags.
+supplying one or more \fB\-v\fR flags.
.SH ERRORS
All errors will be logged to the syslog.
.SH SEE ALSO
diff --git a/man/keyctl.1 b/man/keyctl.1
index cd8abf7..7060506 100644
--- a/man/keyctl.1
+++ b/man/keyctl.1
@@ -9,7 +9,7 @@
.\"
.TH KEYCTL 1 "20 Feb 2014" Linux "Linux Key Management Utilities"
.SH NAME
-keyctl - key management facility control
+keyctl \- key management facility control
.SH SYNOPSIS
\fBkeyctl\fR \-\-version
.br
@@ -65,7 +65,7 @@
.br
\fBkeyctl\fR session
.br
-\fBkeyctl\fR session - [<prog> <arg1> <arg2> ...]
+\fBkeyctl\fR session \- [<prog> <arg1> <arg2> ...]
.br
\fBkeyctl\fR session <name> [<prog> <arg1> <arg2> ...]
.br
@@ -96,61 +96,51 @@
This program is used to control the key management facility in various ways
using a variety of subcommands.
.SH KEY IDENTIFIERS
-.P
The key identifiers passed to or returned from keyctl are, in general, positive
integers. There are, however, some special values with special meanings that
can be passed as arguments:
-.P
-(*) No key: \fB0\fR
-.P
-(*) Thread keyring: \fB@t\fR or \fB-1\fR
-.P
+.TP
+No key: \fB0\fR
+.TP
+Thread keyring: \fB@t\fR or \fB\-1\fR
Each thread may have its own keyring. This is searched first, before all
others. The thread keyring is replaced by (v)fork, exec and clone.
-.P
-(*) Process keyring: \fB@p\fR or \fB-2\fR
-.P
+.TP
+Process keyring: \fB@p\fR or \fB\-2\fR
Each process (thread group) may have its own keyring. This is shared between
all members of a group and will be searched after the thread keyring. The
process keyring is replaced by (v)fork and exec.
-.P
-(*) Session keyring: \fB@s\fR or \fB-3\fR
-.P
+.TP
+Session keyring: \fB@s\fR or \fB\-3\fR
Each process subscribes to a session keyring that is inherited across (v)fork,
exec and clone. This is searched after the process keyring. Session keyrings
can be named and an extant keyring can be joined in place of a process's
current session keyring.
-.P
-(*) User specific keyring: \fB@u\fR or \fB-4\fR
-.P
+.TP
+User specific keyring: \fB@u\fR or \fB\-4\fR
This keyring is shared between all the processes owned by a particular user. It
isn't searched directly, but is normally linked to from the session keyring.
-.P
-(*) User default session keyring: \fB@us\fR or \fB-5\fR
-.P
+.TP
+User default session keyring: \fB@us\fR or \fB\-5\fR
This is the default session keyring for a particular user. Login processes that
change to a particular user will bind to this session until another session is
set.
-.P
-(*) Group specific keyring: \fB@g\fR or \fB-6\fR
-.P
+.TP
+Group specific keyring: \fB@g\fR or \fB\-6\fR
This is a place holder for a group specific keyring, but is not actually
implemented yet in the kernel.
-.P
-(*) Assumed request_key authorisation key: \fB@a\fR or \fB-7\fR
-.P
+.TP
+Assumed request_key authorisation key: \fB@a\fR or \fB\-7\fR
This selects the authorisation key provided to the
.BR request_key ()
helper to
permit it to access the callers keyrings and instantiate the target key.
-.P
-(*) Keyring by name: \fB%:<name>\fR
-.P
+.TP
+Keyring by name: \fB%:<name>\fR
A named keyring. This will be searched for in the process's keyrings and in
.IR /proc/keys .
-.P
-(*) Key by name: \fB%<type>:<name>\fR
-.P
+.TP
+Key by name: \fB%<type>:<name>\fR
A named key of the given type. This will be searched for in the process's
keyrings and in
.IR /proc/keys .
@@ -158,163 +148,152 @@
Any non-ambiguous shortening of a command name may be used in lieu of the full
command name. This facility should not be used in scripting as new commands may
be added in future that then cause ambiguity.
-.P
-(*) \fBDisplay the package version number\fR
-.P
+.SS Display the package version number
\fBkeyctl \-\-version\fR
-.P
+
This command prints the package version number and build date and exits:
-.P
+
.RS
-testbox>keyctl \-\-version
-.br
-keyctl from keyutils-1.5.3 (Built 2011-08-24)
+.nf
+$ keyctl \-\-version
+keyctl from keyutils\-1.5.3 (Built 2011\-08\-24)
+.fi
.RE
-.P
-(*) \fBShow process keyrings\fR
-.P
+.SS Show process keyrings
\fBkeyctl show [\-x] [<keyring>]\fR
-.P
+
By default this command recursively shows what keyrings a process is subscribed
to and what keys and keyrings they contain. If a keyring is specified then
-that keyring will be dumped instead. If \fB-x\fR is specified then the keyring
+that keyring will be dumped instead. If \fB\-x\fR is specified then the keyring
IDs will be dumped in hex instead of decimal.
-.P
-(*) \fBAdd a key to a keyring\fR
-.P
+.SS Add a key to a keyring
\fBkeyctl add\fR <type> <desc> <data> <keyring>
.br
\fBkeyctl padd\fR <type> <desc> <keyring>
-.P
+
This command creates a key of the specified type and description; instantiates
it with the given data and attaches it to the specified keyring. It then prints
the new key's ID on stdout:
-.P
+
.RS
-testbox>keyctl add user mykey stuff @u
-.br
+.nf
+$ keyctl add user mykey stuff @u
26
+.fi
.RE
-.P
+
The \fBpadd\fR variant of the command reads the data from stdin rather than
taking it from the command line:
-.P
+
.RS
-testbox>echo \-n stuff | keyctl padd user mykey @u
-.br
+.fi
+$ echo \-n stuff | keyctl padd user mykey @u
26
+.fi
.RE
-.P
-(*) \fBRequest a key\fR
-.P
+.SS Request a key
\fBkeyctl request\fR <type> <desc> [<dest_keyring>]
.br
\fBkeyctl request2\fR <type> <desc> <info> [<dest_keyring>]
.br
\fBkeyctl prequest2\fR <type> <desc> [<dest_keyring>]
-.P
+
These three commands request the lookup of a key of the given type and
description. The process's keyrings will be searched, and if a match is found
the matching key's ID will be printed to stdout; and if a destination keyring
is given, the key will be added to that keyring also.
-.P
+
If there is no key, the first command will simply return the error ENOKEY and
fail. The second and third commands will create a partial key with the type and
description, and call out to
-.IR /sbin/request-key
+.IR /sbin/request\-key
with that key and the
extra information supplied. This will then attempt to instantiate the key in
some manner, such that a valid key is obtained.
-.P
+
The third command is like the second, except that the callout information is
read from stdin rather than being passed on the command line.
-.P
+
If a valid key is obtained, the ID will be printed and the key attached as if
the original search had succeeded.
-.P
+
If there wasn't a valid key obtained, a temporary negative key will be attached
to the destination keyring if given and the error "Requested key not available"
will be given.
-.P
+
.RS
-testbox>keyctl request2 user debug:hello wibble
-.br
+.nf
+$ keyctl request2 user debug:hello wibble
23
-.br
-testbox>echo \-n wibble | keyctl prequest2 user debug:hello
-.br
+$ echo \-n wibble | keyctl prequest2 user debug:hello
23
-.br
-testbox>keyctl request user debug:hello
-.br
+$ keyctl request user debug:hello
23
+.fi
.RE
-.P
-(*) \fBUpdate a key\fR
-.P
+.SS Update a key
\fBkeyctl update\fR <key> <data>
.br
\fBkeyctl pupdate\fR <key>
-.P
+
This command replaces the data attached to a key with a new set of data. If the
type of the key doesn't support update then error "Operation not supported"
will be returned.
-.P
+
.RS
-testbox>keyctl update 23 zebra
+.nf
+$ keyctl update 23 zebra
+.fi
.RE
-.P
+
The \fBpupdate\fR variant of the command reads the data from stdin rather than
taking it from the command line:
-.P
+
.RS
-testbox>echo \-n zebra | keyctl pupdate 23
+.nf
+$ echo \-n zebra | keyctl pupdate 23
+.fi
.RE
-.P
-(*) \fBCreate a keyring\fR
-.P
+.SS Create a keyring
\fBkeyctl newring\fR <name> <keyring>
-.P
+
This command creates a new keyring of the specified name and attaches it to the
specified keyring. The ID of the new keyring will be printed to stdout if
successful.
-.P
+
.RS
-testbox>keyctl newring squelch @us
-.br
+.nf
+$ keyctl newring squelch @us
27
+.fi
.RE
-.P
-(*) \fBRevoke a key\fR
-.P
+.SS Revoke a key
\fBkeyctl revoke\fR <key>
-.P
+
This command marks a key as being revoked. Any further operations on that key
(apart from unlinking it) will return error "Key has been revoked".
-.P
+
.RS
-testbox>keyctl revoke 26
-.br
-testbox>keyctl describe 26
-.br
+.nf
+$ keyctl revoke 26
+$ keyctl describe 26
keyctl_describe: Key has been revoked
+.fi
.RE
-.P
-(*) \fBClear a keyring\fR
-.P
+.SS Clear a keyring
\fBkeyctl clear\fR <keyring>
-.P
+
This command unlinks all the keys attached to the specified keyring. Error
"Not a directory" will be returned if the key specified is not a keyring.
-.P
+
.RS
-testbox>keyctl clear 27
+.nf
+$ keyctl clear 27
+.fi
.RE
-.P
-(*) \fBLink a key to a keyring\fR
-.P
+.SS Link a key to a keyring
\fBkeyctl link\fR <key> <keyring>
-.P
+
This command makes a link from the key to the keyring if there's enough
capacity to do so. Error "Not a directory" will be returned if the destination
is not a keyring. Error "Permission denied" will be returned if the key doesn't
@@ -322,270 +301,233 @@
table overflow" will be returned if the keyring is full. Error "Resource
deadlock avoided" will be returned if an attempt was made to introduce a
recursive link.
-.P
+
.RS
-testbox>keyctl link 23 27
-.br
-testbox>keyctl link 27 27
-.br
+.nf
+$ keyctl link 23 27
+$ keyctl link 27 27
keyctl_link: Resource deadlock avoided
+.fi
.RE
-.P
-(*) \fBUnlink a key from a keyring or the session keyring tree\fR
-.P
+.SS Unlink a key from a keyring or the session keyring tree
\fBkeyctl unlink\fR <key> [<keyring>]
-.P
+
If the keyring is specified, this command removes a link to the key from the
keyring. Error "Not a directory" will be returned if the destination is not a
keyring. Error "Permission denied" will be returned if the keyring doesn't have
write permission. Error "No such file or directory" will be returned if the key
is not linked to by the keyring.
-.P
+
If the keyring is not specified, this command performs a depth-first search of
the session keyring tree and removes all the links to the nominated key that it
finds (and that it is permitted to remove). It prints the number of successful
unlinks before exiting.
-.P
+
.RS
-testbox>keyctl unlink 23 27
+.nf
+$ keyctl unlink 23 27
+.fi
.RE
-.P
-(*) \fBSearch a keyring\fR
-.P
+.SS Search a keyring
\fBkeyctl search\fR <keyring> <type> <desc> [<dest_keyring>]
-.P
+
This command non-recursively searches a keyring for a key of a particular type
and description. If found, the ID of the key will be printed on stdout and the
key will be attached to the destination keyring if present. Error "Requested
key not available" will be returned if the key is not found.
-.P
+
.RS
-testbox>keyctl search @us user debug:hello
-.br
+.nf
+$ keyctl search @us user debug:hello
23
-.br
-testbox>keyctl search @us user debug:bye
-.br
+$ keyctl search @us user debug:bye
keyctl_search: Requested key not available
+.fi
.RE
-.P
-(*) \fBRead a key\fR
-.P
+.SS Read a key
\fBkeyctl read\fR <key>
.br
\fBkeyctl pipe\fR <key>
.br
\fBkeyctl print\fR <key>
-.P
+
These commands read the payload of a key. "read" prints it on stdout as a hex
dump, "pipe" dumps the raw data to stdout and "print" dumps it to stdout
directly if it's entirely printable or as a hexdump preceded by ":hex:" if not.
-.P
+
If the key type does not support reading of the payload, then error "Operation
not supported" will be returned.
-.P
+
.RS
-testbox>keyctl read 26
-.br
+.nf
+$ keyctl read 26
1 bytes of data in key:
-.br
62
-.br
-testbox>keyctl print 26
-.br
+$ keyctl print 26
b
-.br
-testbox>keyctl pipe 26
-.br
-btestbox>
+$ keyctl pipe 26
+$
+.fi
.RE
-.P
-(*) \fBList a keyring\fR
-.P
+.SS List a keyring
\fBkeyctl list\fR <keyring>
.br
\fBkeyctl rlist\fR <keyring>
-.P
+
These commands list the contents of a key as a keyring. "list" pretty prints
the contents and "rlist" just produces a space-separated list of key IDs.
-.P
+
No attempt is made to check that the specified keyring is a keyring.
-.P
+
.RS
-testbox>keyctl list @us
-.br
+.nf
+$ keyctl list @us
2 keys in keyring:
-.br
- 22: vrwsl---------- 4043 \-1 keyring: _uid.4043
-.br
- 23: vrwsl---------- 4043 4043 user: debug:hello
-.br
-testbox>keyctl rlist @us
-.br
+ 22: vrwsl\-\-\-\-\-\-\-\-\-\- 4043 \-1 keyring: _uid.4043
+ 23: vrwsl\-\-\-\-\-\-\-\-\-\- 4043 4043 user: debug:hello
+$ keyctl rlist @us
22 23
+.fi
.RE
-.P
-(*) \fBDescribe a key\fR
-.P
+.SS Describe a key
\fBkeyctl describe\fR <keyring>
.br
\fBkeyctl rdescribe\fR <keyring> [sep]
-.P
+
These commands fetch a description of a keyring. "describe" pretty prints the
description in the same fashion as the "list" command; "rdescribe" prints the
raw data returned from the kernel.
-.P
+
.RS
-testbox>keyctl describe @us
- \-5: vrwsl---------- 4043 \-1 keyring: _uid_ses.4043
-testbox>keyctl rdescribe @us
-keyring;4043;-1;3f1f0000;_uid_ses.4043
+.nf
+$ keyctl describe @us
+ \-5: vrwsl\-\-\-\-\-\-\-\-\-\- 4043 \-1 keyring: _uid_ses.4043
+$ keyctl rdescribe @us
+keyring;4043;\-1;3f1f0000;_uid_ses.4043
+.fi
.RE
-.P
+
The raw string is "<type>;<uid>;<gid>;<perms>;<description>", where \fIuid\fR
and \fIgid\fR are the decimal user and group IDs, \fIperms\fR is the
permissions mask in hex, \fItype\fR and \fIdescription\fR are the type name and
description strings (neither of which will contain semicolons).
-.P
-(*) \fBChange the access controls on a key\fR
-.P
+.SS Change the access controls on a key
\fBkeyctl chown\fR <key> <uid>
.br
\fBkeyctl chgrp\fR <key> <gid>
-.P
+
These two commands change the UID and GID associated with evaluating a key's
permissions mask. The UID also governs which quota a key is taken out of.
-.P
+
The chown command is not currently supported; attempting it will earn the error
"Operation not supported" at best.
-.P
+
For non-superuser users, the GID may only be set to the process's GID or a GID
in the process's groups list. The superuser may set any GID it likes.
-.P
+
.RS
-testbox>sudo keyctl chown 27 0
-.br
+.nf
+$ sudo keyctl chown 27 0
keyctl_chown: Operation not supported
-.br
-testbox>sudo keyctl chgrp 27 0
+$ sudo keyctl chgrp 27 0
+.fi
.RE
-.P
-(*) \fBSet the permissions mask on a key\fR
-.P
+.SS Set the permissions mask on a key
\fBkeyctl setperm\fR <key> <mask>
-.P
+
This command changes the permission control mask on a key. The mask may be
specified as a hex number if it begins "0x", an octal number if it begins "0"
or a decimal number otherwise.
-.P
+
The hex numbers are a combination of:
-.P
+
.RS
+.nf
Possessor UID GID Other Permission Granted
-.br
======== ======== ======== ======== ==================
-.br
01000000 00010000 00000100 00000001 View
-.br
02000000 00020000 00000200 00000002 Read
-.br
04000000 00040000 00000400 00000004 Write
-.br
08000000 00080000 00000800 00000008 Search
-.br
10000000 00100000 00001000 00000010 Link
-.br
20000000 00200000 00002000 00000020 Set Attribute
-.br
3f000000 003f0000 00003f00 0000003f All
+.fi
.RE
-.P
+
\fIView\fR permits the type, description and other parameters of a key to be
viewed.
-.P
+
\fIRead\fR permits the payload (or keyring list) to be read if supported by the
type.
-.P
+
\fIWrite\fR permits the payload (or keyring list) to be modified or updated.
-.P
+
\fISearch\fR on a key permits it to be found when a keyring to which it is
linked is searched.
-.P
+
\fILink\fR permits a key to be linked to a keyring.
-.P
+
\fISet Attribute\fR permits a key to have its owner, group membership,
permissions mask and timeout changed.
-.P
+
.RS
-testbox>keyctl setperm 27 0x1f1f1f00
+.nf
+$ keyctl setperm 27 0x1f1f1f00
+.fi
.RE
-.P
-(*) \fBStart a new session with fresh keyrings\fR
-.P
+.SS Start a new session with fresh keyrings
\fBkeyctl session\fR
.br
-\fBkeyctl session\fR - [<prog> <arg1> <arg2> ...]
+\fBkeyctl session\fR \- [<prog> <arg1> <arg2> ...]
.br
\fBkeyctl session\fR <name> [<prog> <arg1> <arg2> ...]
-.P
+
These commands join or create a new keyring and then run a shell or other
program with that keyring as the session key.
-.P
+
The variation with no arguments just creates an anonymous session keyring and
attaches that as the session keyring; it then exec's $SHELL.
-.P
+
The variation with a dash in place of a name creates an anonymous session
keyring and attaches that as the session keyring; it then exec's the supplied
command, or $SHELL if one isn't supplied.
-.P
+
The variation with a name supplied creates or joins the named keyring and
attaches that as the session keyring; it then exec's the supplied command, or
$SHELL if one isn't supplied.
-.P
+
.RS
-testbox>keyctl rdescribe @s
-.br
-keyring;4043;-1;3f1f0000;_uid_ses.4043
-.P
-testbox>keyctl session
-.br
+.nf
+$ keyctl rdescribe @s
+keyring;4043;\-1;3f1f0000;_uid_ses.4043
+
+$ keyctl session
Joined session keyring: 28
-.br
-testbox>keyctl rdescribe @s
-.br
+
+$ keyctl rdescribe @s
keyring;4043;4043;3f1f0000;_ses.24082
-.P
-testbox>keyctl session -
-.br
+
+$ keyctl session \-
Joined session keyring: 29
-.br
-testbox>keyctl rdescribe @s
-.br
+$ keyctl rdescribe @s
keyring;4043;4043;3f1f0000;_ses.24139
-.P
-testbox>keyctl session - keyctl rdescribe @s
-.br
+
+$ keyctl session \- keyctl rdescribe @s
Joined session keyring: 30
-.br
keyring;4043;4043;3f1f0000;_ses.24185
-.P
-testbox>keyctl session fish
-.br
+
+$ keyctl session fish
Joined session keyring: 34
-.br
-testbox>keyctl rdescribe @s
-.br
+$ keyctl rdescribe @s
keyring;4043;4043;3f1f0000;fish
-.P
-testbox>keyctl session fish keyctl rdesc @s
-.br
+
+$ keyctl session fish keyctl rdesc @s
Joined session keyring: 35
-.br
keyring;4043;4043;3f1f0000;fish
+.fi
.RE
-.P
-(*) \fBInstantiate a key\fR
-.P
+.SS Instantiate a key
\fBkeyctl instantiate\fR <key> <data> <keyring>
.br
\fBkeyctl pinstantiate\fR <key> <keyring>
@@ -593,10 +535,10 @@
\fBkeyctl negate\fR <key> <timeout> <keyring>
.br
\fBkeyctl reject\fR <key> <timeout> <error> <keyring>
-.P
+
These commands are used to attach data to a partially set up key (as created by
the kernel and passed to
-.IR /sbin/request-key ).
+.IR /sbin/request\-key ).
"instantiate" marks a key as
being valid and attaches the data as the payload. "negate" and "reject" mark a
key as invalid and sets a timeout on it so that it'll go away after a while.
@@ -604,144 +546,130 @@
overmuch when they all fail, as all subsequent requests will then fail with
error "Requested key not found" (if negated) or the specified error (if
rejected) until the negative key has expired.
-.P
+
Reject's error argument can either be a UNIX error number or one of
.BR "" "'" rejected "', '" expired "' or '" revoked "'."
-.P
+
The newly instantiated key will be attached to the specified keyring.
-.P
-These commands may only be run from the program run by request-key - a special
-authorisation key is set up by the kernel and attached to the request-key's
+
+These commands may only be run from the program run by request\-key - a special
+authorisation key is set up by the kernel and attached to the request\-key's
session keyring. This special key is revoked once the key to which it refers
has been instantiated one way or another.
-.P
+
.RS
-testbox>keyctl instantiate $1 "Debug $3" $4
-.br
-testbox>keyctl negate $1 30 $4
-.br
-testbox>keyctl reject $1 30 64 $4
+.nf
+$ keyctl instantiate $1 "Debug $3" $4
+$ keyctl negate $1 30 $4
+$ keyctl reject $1 30 64 $4
+.fi
.RE
-.P
+
The \fBpinstantiate\fR variant of the command reads the data from stdin rather
than taking it from the command line:
-.P
+
.RS
-testbox>echo \-n "Debug $3" | keyctl pinstantiate $1 $4
+.nf
+$ echo \-n "Debug $3" | keyctl pinstantiate $1 $4
+.fi
.RE
-.P
-(*) \fBSet the expiry time on a key\fR
-.P
+.SS Set the expiry time on a key
\fBkeyctl timeout\fR <key> <timeout>
-.P
+
This command is used to set the timeout on a key, or clear an existing timeout
if the value specified is zero. The timeout is given as a number of seconds
into the future.
-.P
+
.RS
-testbox>keyctl timeout $1 45
+.nf
+$ keyctl timeout $1 45
+.fi
.RE
-.P
-(*) \fBRetrieve a key's security context\fR
-.P
+.SS Retrieve a key's security context
\fBkeyctl security\fR <key>
-.P
+
This command is used to retrieve a key's LSM security context. The label is
printed on stdout.
-.P
+
.RS
-testbox>keyctl security @s
-.br
-unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+.nf
+$ keyctl security @s
+unconfined_u:unconfined_r:unconfined_t:s0\-s0:c0.c1023
+.fi
.RE
-.P
-(*) \fBGive the parent process a new session keyring\fR
-.P
+.SS Give the parent process a new session keyring
\fBkeyctl new_session\fR
-.P
+
This command is used to give the invoking process (typically a shell) a new
session keyring, discarding its old session keyring.
-.P
+
.RS
-testbox> keyctl session foo
-.br
+.nf
+$ keyctl session foo
Joined session keyring: 723488146
-.br
-testbox> keyctl show
-.br
+$ keyctl show
Session Keyring
-.br
\-3 \-\-alswrv 0 0 keyring: foo
-.br
-testbox> keyctl new_session
-.br
+$ keyctl new_session
490511412
-.br
-testbox> keyctl show
-.br
+$ keyctl show
Session Keyring
-.br
\-3 \-\-alswrv 0 0 keyring: _ses
+.fi
.RE
-.P
+
Note that this affects the \fIparent\fP of the process that invokes the system
call, and so may only affect processes with matching credentials.
Furthermore, the change does not take effect till the parent process next
transitions from kernel space to user space - typically when the \fBwait\fP()
system call returns.
-.P
-(*) \fBRemove dead keys from the session keyring tree\fR
-.P
+.SS Remove dead keys from the session keyring tree
\fBkeyctl reap\fR
-.P
+
This command performs a depth-first search of the caller's session keyring tree
and attempts to unlink any key that it finds that is inaccessible due to
expiry, revocation, rejection or negation. It does not attempt to remove live
keys that are unavailable simply due to a lack of granted permission.
-.P
+
A key that is designated reapable will only be removed from a keyring if the
caller has Write permission on that keyring, and only keyrings that grant
Search permission to the caller will be searched.
-.P
-The command prints the number of keys reaped before it exits. If the \fB-v\fR
+
+The command prints the number of keys reaped before it exits. If the \fB\-v\fR
flag is passed then the reaped keys are listed as they're being reaped,
together with the success or failure of the unlink.
-.P
-(*) \fBRemove matching keys from the session keyring tree\fR
-.P
+.SS Remove matching keys from the session keyring tree
\fBkeyctl\fR purge <type>
.br
\fBkeyctl\fR purge [\-i] [\-p] <type> <desc>
.br
\fBkeyctl\fR purge \-s <type> <desc>
-.P
+
These commands perform a depth-first search to find matching keys in the
caller's session keyring tree and attempts to unlink them. The number of
keys successfully unlinked is printed at the end.
-.P
+
The keyrings must grant Read and View permission to the caller to be searched,
and the keys to be removed must also grant View permission. Keys can only be
removed from keyrings that grant Write permission.
-.P
+
The first variant purges all keys of the specified type.
-.P
+
The second variant purges all keys of the specified type that also match the
given description literally. The \-i flag allows a case-independent match and
the \-p flag allows a prefix match.
-.P
+
The third variant purges all keys of the specified type and matching
description using the key type's comparator in the kernel to match the
description. This permits the key type to match a key with a variety of
descriptions.
-.P
-(*) \fBGet persistent keyring\fR
-.P
+.SS Get persistent keyring
\fBkeyctl\fR get_persistent <keyring> [<uid>]
-.P
+
This command gets the persistent keyring for either the current UID or the
specified UID and attaches it to the nominated keyring. The persistent
keyring's ID will be printed on stdout.
-.P
+
The kernel will create the keyring if it doesn't exist and every time this
command is called, will reset the expiration timeout on the keyring to the
value in:
@@ -750,14 +678,12 @@
.P
(by default three days). Should the timeout be reached, the persistent keyring
will be removed and everything it pins can then be garbage collected.
-.P
+
If a UID other than the process's real or effective UIDs is specified, then an
error will be given if the process does not have the CAP_SETUID capability.
-.P
-(*) \fBCompute a Diffie-Hellman shared secret or public key\fR
-.P
+.SS Compute a Diffie-Hellman shared secret or public key
\fBkeyctl\fR dh_compute <private> <prime> <base>
-.P
+
This command computes either a Diffie-Hellman shared secret or the
public key corresponding to the provided private key using the
payloads of three keys. The computation is:
@@ -768,35 +694,35 @@
provided base key contains the shared generator value, the public key
will be computed. If the provided base key contains the remote public
key value, the shared secret will be computed.
-.P
-The result is printed to stdout as a hex dump.
-.P
-.RS
-testbox>keyctl dh_compute $1 $2 $3
-.br
-8 bytes of data in result:
-.br
-00010203 04050607
-.RE
-.P
-.SH ERRORS
-.P
-There are a number of common errors returned by this program:
-.P
-"Not a directory" - a key wasn't a keyring.
-.P
-"Requested key not found" - the looked for key isn't available.
-.P
-"Key has been revoked" - a revoked key was accessed.
-.P
-"Key has expired" - an expired key was accessed.
-.P
-"Permission denied" - permission was denied by a UID/GID/mask combination.
-.P
+The result is printed to stdout as a hex dump.
+
+.RS
+.nf
+$ keyctl dh_compute $1 $2 $3
+8 bytes of data in result:
+00010203 04050607
+.fi
+.RE
+.SH ERRORS
+There are a number of common errors returned by this program:
+
+"Not a directory" - a key wasn't a keyring.
+
+"Requested key not found" - the looked for key isn't available.
+
+"Key has been revoked" - a revoked key was accessed.
+
+"Key has expired" - an expired key was accessed.
+
+"Permission denied" - permission was denied by a UID/GID/mask combination.
.SH SEE ALSO
.ad l
.nh
.BR keyctl (1),
+.BR keyctl (2),
+.BR request_key (2),
+.BR keyctl (3),
.BR request\-key.conf (5),
-.BR keyrings (7)
+.BR keyrings (7),
+.BR request\-key (8)
diff --git a/man/keyctl.3 b/man/keyctl.3
index d9a2f85..81929c2 100644
--- a/man/keyctl.3
+++ b/man/keyctl.3
@@ -29,7 +29,7 @@
.sp
.RS
.nf
-.B -lkeyutils
+.B \-lkeyutils
.RE
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH KEYCTL FUNCTIONS
diff --git a/man/keyctl_chown.3 b/man/keyctl_chown.3
index 1db72ef..286bded 100644
--- a/man/keyctl_chown.3
+++ b/man/keyctl_chown.3
@@ -73,7 +73,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_clear.3 b/man/keyctl_clear.3
index da10fe8..21e0c26 100644
--- a/man/keyctl_clear.3
+++ b/man/keyctl_clear.3
@@ -58,7 +58,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_describe.3 b/man/keyctl_describe.3
index 3db2c20..b4f100e 100644
--- a/man/keyctl_describe.3
+++ b/man/keyctl_describe.3
@@ -97,7 +97,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_dh_compute.3 b/man/keyctl_dh_compute.3
index 9b1e6fe..3b04dba 100644
--- a/man/keyctl_dh_compute.3
+++ b/man/keyctl_dh_compute.3
@@ -96,7 +96,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_get_keyring_ID.3 b/man/keyctl_get_keyring_ID.3
index 44b07af..6525292 100644
--- a/man/keyctl_get_keyring_ID.3
+++ b/man/keyctl_get_keyring_ID.3
@@ -81,7 +81,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_get_persistent.3 b/man/keyctl_get_persistent.3
index 72088f8..8d79957 100644
--- a/man/keyctl_get_persistent.3
+++ b/man/keyctl_get_persistent.3
@@ -98,7 +98,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_get_security.3 b/man/keyctl_get_security.3
index 28b1675..a2c5b41 100644
--- a/man/keyctl_get_security.3
+++ b/man/keyctl_get_security.3
@@ -27,7 +27,7 @@
be rendered in a form appropriate to the LSM in force - for instance, with
SELinux, it may look like
.IP
-.B "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
+.B "unconfined_u:unconfined_r:unconfined_t:s0\-s0:c0.c1023"
.P
The caller must have
.B view
@@ -87,7 +87,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_instantiate.3 b/man/keyctl_instantiate.3
index da72054..5ea3b98 100644
--- a/man/keyctl_instantiate.3
+++ b/man/keyctl_instantiate.3
@@ -175,7 +175,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_invalidate.3 b/man/keyctl_invalidate.3
index 82ee1df..120da45 100644
--- a/man/keyctl_invalidate.3
+++ b/man/keyctl_invalidate.3
@@ -61,7 +61,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_join_session_keyring.3 b/man/keyctl_join_session_keyring.3
index 5d7db93..4e27717 100644
--- a/man/keyctl_join_session_keyring.3
+++ b/man/keyctl_join_session_keyring.3
@@ -67,7 +67,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
@@ -81,4 +81,4 @@
.BR keyrings (7),
.BR keyutils (7),
.BR session\-keyring (7),
-.BR user\-session-keyring (7)
+.BR user\-session\-keyring (7)
diff --git a/man/keyctl_link.3 b/man/keyctl_link.3
index 2f51670..1185874 100644
--- a/man/keyctl_link.3
+++ b/man/keyctl_link.3
@@ -92,7 +92,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_read.3 b/man/keyctl_read.3
index 23d623b..25821ad 100644
--- a/man/keyctl_read.3
+++ b/man/keyctl_read.3
@@ -97,7 +97,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_revoke.3 b/man/keyctl_revoke.3
index dd0e152..914a253 100644
--- a/man/keyctl_revoke.3
+++ b/man/keyctl_revoke.3
@@ -58,7 +58,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_search.3 b/man/keyctl_search.3
index 7fb068b..f3e7bc5 100644
--- a/man/keyctl_search.3
+++ b/man/keyctl_search.3
@@ -123,7 +123,7 @@
but can be found rather in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_session_to_parent.3 b/man/keyctl_session_to_parent.3
index 343feb9..829b3be 100644
--- a/man/keyctl_session_to_parent.3
+++ b/man/keyctl_session_to_parent.3
@@ -60,7 +60,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_set_reqkey_keyring.3 b/man/keyctl_set_reqkey_keyring.3
index ed8e9e0..00da586 100644
--- a/man/keyctl_set_reqkey_keyring.3
+++ b/man/keyctl_set_reqkey_keyring.3
@@ -85,7 +85,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_set_timeout.3 b/man/keyctl_set_timeout.3
index e434ff5..1b7ec94 100644
--- a/man/keyctl_set_timeout.3
+++ b/man/keyctl_set_timeout.3
@@ -66,7 +66,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_setperm.3 b/man/keyctl_setperm.3
index 6a1bfbd..0a4426d 100644
--- a/man/keyctl_setperm.3
+++ b/man/keyctl_setperm.3
@@ -115,7 +115,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyctl_update.3 b/man/keyctl_update.3
index 9823dd8..17fbdb4 100644
--- a/man/keyctl_update.3
+++ b/man/keyctl_update.3
@@ -81,7 +81,7 @@
This is a library function that can be found in
.IR libkeyutils .
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/keyutils.7 b/man/keyutils.7
index ab245ce..e17253b 100644
--- a/man/keyutils.7
+++ b/man/keyutils.7
@@ -7,7 +7,7 @@
.\" as published by the Free Software Foundation; either version
.\" 2 of the Licence, or (at your option) any later version.
.\"
-.TH KEYRINGS 7 "21 Feb 2014" Linux "Kernel key management"
+.TH KEYUTILS 7 "21 Feb 2014" Linux "Kernel key management"
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH NAME
keyutils \- in-kernel key management utilities
@@ -28,17 +28,20 @@
To link with the library, the following:
.P
.RS
-.B -lkeyutils
+.B \-lkeyutils
.RE
.P
should be specified to the linker.
.P
Three system calls are provided:
-.BR \fBadd_key\fP()
+.TP
+.BR add_key (2)
Supply a new key to the kernel.
-.BR \fBrequest_key\fP()
+.TP
+.BR request_key (2)
Find an existing key for use, or, optionally, create one if one does not exist.
-.BR \fBkeyctl\fP()
+.TP
+.BR keyctl (2)
Control a key in various ways. The library provides a variety of wrappers
around this system call and those should be used rather than calling it
directly.
@@ -71,24 +74,20 @@
can be triggered by \fBrequest_key\fP(), but userspace is better off using
\fBadd_key\fP() instead if it possibly can.
.P
-The upcalling mechanism is usually routed via the:
-.P
-.RS
-.B request-key
-.RE
-.P
+The upcalling mechanism is usually routed via the
+.BR request\-key (8)
program. What this does with any particular key is configurable in:
.P
.RS
-.I /etc/request-key.conf
+.I /etc/request\-key.conf
.br
-.I /etc/request-key.d/
+.I /etc/request\-key.d/
.RE
.P
See the
-.BR request-key.conf (5)
+.BR request\-key.conf (5)
and the
-.BR request-key (8)
+.BR request\-key (8)
manual pages for more information.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
@@ -102,5 +101,5 @@
.BR session\-keyring (7),
.BR thread\-keyring (7),
.BR user\-keyring (7),
-.BR user\-session-keyring (7),
+.BR user\-session\-keyring (7),
.BR pam_keyinit (8)
diff --git a/man/recursive_key_scan.3 b/man/recursive_key_scan.3
index 689ff7a..8658002 100644
--- a/man/recursive_key_scan.3
+++ b/man/recursive_key_scan.3
@@ -79,7 +79,7 @@
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH LINKING
When linking,
-.B -lkeyutils
+.B \-lkeyutils
should be specified to the linker.
.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
diff --git a/man/request-key.8 b/man/request-key.8
index 45cdeb1..b008d80 100644
--- a/man/request-key.8
+++ b/man/request-key.8
@@ -11,7 +11,7 @@
.SH NAME
request\-key \- handle key instantiation callback requests from the kernel
.SH SYNOPSIS
-\fB/sbin/request-key \fR<op> <key> <uid> <gid> <threadring> <processring>
+\fB/sbin/request\-key \fR<op> <key> <uid> <gid> <threadring> <processring>
<sessionring> [<info>]
.SH DESCRIPTION
This program is invoked by the kernel when the kernel is asked for a key that
@@ -22,12 +22,12 @@
All errors will be logged to the syslog.
.SH FILES
.ul
-/etc/request-key.conf
+/etc/request\-key.conf
.ul 0
Instantiation handler configuration file.
.P
.ul
-/etc/request-key.d/<keytype>.conf
+/etc/request\-key.d/<keytype>.conf
.ul 0
Keytype specific configuration file.
.SH SEE ALSO
diff --git a/man/request-key.conf.5 b/man/request-key.conf.5
index 73e0dcb..49facad 100644
--- a/man/request-key.conf.5
+++ b/man/request-key.conf.5
@@ -9,18 +9,18 @@
.\"
.TH REQUEST-KEY.CONF 5 "15 November 2011" Linux "Linux Key Management Utilities"
.SH NAME
-request-key.conf - Instantiation handler configuration file
+request\-key.conf \- Instantiation handler configuration file
.SH DESCRIPTION
.P
This file and its associated key-type specific variants are used by the
-/sbin/request-key program to determine which program it should run to
+/sbin/request\-key program to determine which program it should run to
instantiate a key.
.P
-request-key looks first in /etc/request-key.d/ for a file of the key type name
+request\-key looks first in /etc/request\-key.d/ for a file of the key type name
plus ".conf" that it can use. If that is not found, it will fall back to
-/etc/request-key.conf.
+/etc/request\-key.conf.
.P
-request-key scans through the chosen file one line at a time until it
+request\-key scans through the chosen file one line at a time until it
finds a match, which it will then use. If it doesn't find a match, it'll return
an error and the kernel will automatically negate the key.
.P
@@ -30,13 +30,13 @@
All other lines are assumed to be command lines with a number of white space
separated fields:
.P
-<op> <type> <description> <callout-info> <prog> <arg1> <arg2> ...
+<op> <type> <description> <callout\-info> <prog> <arg1> <arg2> ...
.P
-The first four fields are used to match the parameters passed to request-key by
+The first four fields are used to match the parameters passed to request\-key by
the kernel. \fIop\fR is the operation type; currently the only supported
operation is "create".
.P
-\fItype\fR, \fIdescription\fR and \fIcallout-info\fR match the three parameters
+\fItype\fR, \fIdescription\fR and \fIcallout\-info\fR match the three parameters
passed to \fBkeyctl request2\fR or the \fBrequest_key()\fR system call. Each of
these may contain one or more asterisk '*' characters as wildcards anywhere
within the string.
@@ -49,8 +49,8 @@
will be forked and exec'd attached to three pipes. The callout information will
be piped to it on it's stdin and the intended payload data will be retrieved
from its stdout. Anything sent to stderr will be posted in syslog. If the
-program exits 0, then /sbin/request-key will attempt to instantiate the key
-with the data read from stdout. If it fails in any other way, then request-key
+program exits 0, then /sbin/request\-key will attempt to instantiate the key
+with the data read from stdout. If it fails in any other way, then request\-key
will attempt to execute the appropriate 'negate' operation command.
.P
The program arguments can be substituted with various macros. Only complete
@@ -103,7 +103,7 @@
.br
create user debug:loop:* * |/bin/cat
.br
-create user debug:* * /usr/share/keyutils/request-key-debug.sh %k %d %c %S
+create user debug:* * /usr/share/keyutils/request\-key\-debug.sh %k %d %c %S
.br
negate * * * /bin/keyctl negate %k 30 %S
.RE
@@ -131,11 +131,11 @@
the payload.
.SH FILES
.ul
-/etc/request-key.conf
+/etc/request\-key.conf
.ul 0
.br
.ul
-/etc/request-key.d/<keytype>.conf
+/etc/request\-key.d/<keytype>.conf
.ul 0
.SH SEE ALSO
-\fBkeyctl\fR(1), \fBrequest-key.conf\fR(5)
+\fBkeyctl\fR(1), \fBrequest\-key.conf\fR(5)
