man7/session-keyring.7

   1 .\" Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
   2 .\" Written by David Howells (dhowells@redhat.com)
   3 .\"
   4 .\" SPDX-License-Identifier: GPL-2.0-or-later
   5 .\"
   6 .TH SESSION-KEYRING 7 2021-03-22 "Linux man-pages (unreleased)" "Linux Programmer's Manual"
   7 .SH NAME
   8 session-keyring \- session shared process keyring
   9 .SH DESCRIPTION
  10 The session keyring is a keyring used to anchor keys on behalf of a process.
  11 It is typically created by
  12 .BR pam_keyinit (8)
  13 when a user logs in and a link will be added that refers to the
  14 .BR user\-keyring (7).
  15 Optionally, PAM may revoke the session keyring on logout.
  16 (In typical configurations, PAM does do this revocation.)
  17 The session keyring has the name (description)
  18 .IR _ses .
  19 .PP
  20 A special serial number value,
  21 .BR KEY_SPEC_SESSION_KEYRING ,
  22 is defined that can be used in lieu of the actual serial number of
  23 the calling process's session keyring.
  24 .PP
  25 From the
  26 .BR keyctl (1)
  27 utility, '\fB@s\fP' can be used instead of a numeric key ID in
  28 much the same way.
  29 .PP
  30 A process's session keyring is inherited across
  31 .BR clone (2),
  32 .BR fork (2),
  33 and
  34 .BR vfork (2).
  35 The session keyring
  36 is preserved across
  37 .BR execve (2),
  38 even when the executable is set-user-ID or set-group-ID or has capabilities.
  39 The session keyring is destroyed when the last process that
  40 refers to it exits.
  41 .PP
  42 If a process doesn't have a session keyring when it is accessed, then,
  43 under certain circumstances, the
  44 .BR user\-session\-keyring (7)
  45 will be attached as the session keyring
  46 and under others a new session keyring will be created.
  47 (See
  48 .BR user\-session\-keyring (7)
  49 for further details.)
  50 .SS Special operations
  51 The
  52 .I keyutils
  53 library provides the following special operations for manipulating
  54 session keyrings:
  55 .TP
  56 .BR keyctl_join_session_keyring (3)
  57 This operation allows the caller to change the session keyring
  58 that it subscribes to.
  59 The caller can join an existing keyring with a specified name (description),
  60 create a new keyring with a given name,
  61 or ask the kernel to create a new "anonymous"
  62 session keyring with the name "_ses".
  63 (This function is an interface to the
  64 .BR keyctl (2)
  65 .B KEYCTL_JOIN_SESSION_KEYRING
  66 operation.)
  67 .TP
  68 .BR keyctl_session_to_parent (3)
  69 This operation allows the caller to make the parent process's
  70 session keyring to the same as its own.
  71 For this to succeed, the parent process must have
  72 identical security attributes and must be single threaded.
  73 (This function is an interface to the
  74 .BR keyctl (2)
  75 .B KEYCTL_SESSION_TO_PARENT
  76 operation.)
  77 .PP
  78 These operations are also exposed through the
  79 .BR keyctl (1)
  80 utility as:
  81 .PP
  82 .in +4n
  83 .EX
  84 keyctl session
  85 keyctl session \- [<prog> <arg1> <arg2> ...]
  86 keyctl session <name> [<prog> <arg1> <arg2> ...]
  87 .EE
  88 .in
  89 .PP
  90 and:
  91 .PP
  92 .in +4n
  93 .EX
  94 keyctl new_session
  95 .EE
  96 .in
  97 .SH SEE ALSO
  98 .ad l
  99 .nh
 100 .BR keyctl (1),
 101 .BR keyctl (3),
 102 .BR keyctl_join_session_keyring (3),
 103 .BR keyctl_session_to_parent (3),
 104 .BR keyrings (7),
 105 .BR persistent\-keyring (7),
 106 .BR process\-keyring (7),
 107 .BR thread\-keyring (7),
 108 .BR user\-keyring (7),
 109 .BR user\-session\-keyring (7),
 110 .BR pam_keyinit (8)