Re: Revised keyrings(7) man page for review
From: Michael Kerrisk (man-pages)
Date: Tue Dec 13 2016 - 07:43:36 EST
Hi David,
On 12/13/2016 12:35 PM, David Howells wrote:
> Michael Kerrisk <mtk@xxxxxxxx> wrote:
>
>> The Linux key-management facility is primarily a way for drivâ
>> ers to retain or cache security data, authentication keys,
>> encryption keys, and other data in the kernel.
>
> No comma before "and".
I use/Linux man-pages uses the "Oxford comma" convention.
>
>> access to the facility. See keyctl(1), keyctl(3), and keyuâ
>
> Ditto. (And some other dittos).
See above.
>> to the kernel when it was requested. (Details can be
>> found in request_key(2).)
>
> How about dropping the brackets and making that last sentence "For further
> details, see request_key(2)."
Done.
>> beyond the usual user, group, and other (see below).
>
> I think this needs to say what below one is supposed to see:
>
> "beyond the usual User, Group and Other (see 'Possession' below)."
Fixed.
>> Key types
>> The facility provides several basic types of key:
>
> Again, I think the keyring type needs to go either first or last.
Fixed.
>> "big_key" (since Linux 3.13)
>> This key type is similar to the "user" key type, but it
>> may hold a payload of up to 1MiB in size. The data may
>> be stored in the swap space rather than in kernel memory
>
> stored encrypted (as of 4.8).
Added "encrypted".
>
>> Anchoring keys
>> To prevent a key from being prematurely garbage collected, it
>> must anchored to keep its reference count elevated when it is
>> not in active use by the kernel.
>
> I think "prematurely" is unnecessary here.
Fixed.
>> (3) The search of the keyring tree is in preorder: each keyring
>> is searched first for a match, then the keyrings referred
>> to by that keyring are searched.
>
> "preorder"? How about "breadth-first order"?
Fixed.
>> The only keys included in the list are those that grant
>> view permission to the reading process, regardless of
>> whether or not it possesses them. LSM security checks
>> are still performed, and may filter out further keys
>> that the process is not authorized to view.
>
> This is correct. See proc_keys_show() in security/keys/proc.c:
>
> rc = key_task_permission(key_ref, ctx.cred, KEY_NEED_VIEW);
> if (rc < 0)
> return 0;
>
> Possibly it shouldn't be, but for now it is.
Okay -- thanks.
>> D The key is dead (i.e., has been deleted). (A
>> key may be briefly in this state during
>> garbage collection.)
>
> No - "dead" in this context means that the key type was unregistered.
Okay, so the text should read as:
D The key is dead (i.e., the key has been unregisâ
tered). (A key may be briefly in this state
during garbage collection.)
Right?
>
>> Description
>> The key description (name).
>>
>> Description
>> This field contains descriptive information about
>
> Merge?
Yup. Already found and fixed that one.
Cheers,
Michael
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/