summaryrefslogtreecommitdiffstats
path: root/Documentation/networking/dns_resolver.txt
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2012-01-18 16:31:45 +0100
committerJames Morris <jmorris@namei.org>2012-01-19 04:38:51 +0100
commit700920eb5ba4de5417b446c9a8bb008df2b973e0 (patch)
tree8e2caa32a5cdcd47347ff84bc3e95915d000f537 /Documentation/networking/dns_resolver.txt
parenterror: implicit declaration of function 'module_flags_taint' (diff)
downloadlinux-700920eb5ba4de5417b446c9a8bb008df2b973e0.tar.xz
linux-700920eb5ba4de5417b446c9a8bb008df2b973e0.zip
KEYS: Allow special keyrings to be cleared
The kernel contains some special internal keyrings, for instance the DNS resolver keyring : 2a93faf1 I----- 1 perm 1f030000 0 0 keyring .dns_resolver: empty It would occasionally be useful to allow the contents of such keyrings to be flushed by root (cache invalidation). Allow a flag to be set on a keyring to mark that someone possessing the sysadmin capability can clear the keyring, even without normal write access to the keyring. Set this flag on the special keyrings created by the DNS resolver, the NFS identity mapper and the CIFS identity mapper. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Jeff Layton <jlayton@redhat.com> Acked-by: Steve Dickson <steved@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'Documentation/networking/dns_resolver.txt')
-rw-r--r--Documentation/networking/dns_resolver.txt4
1 files changed, 4 insertions, 0 deletions
diff --git a/Documentation/networking/dns_resolver.txt b/Documentation/networking/dns_resolver.txt
index 7f531ad83285..d86adcdae420 100644
--- a/Documentation/networking/dns_resolver.txt
+++ b/Documentation/networking/dns_resolver.txt
@@ -102,6 +102,10 @@ implemented in the module can be called after doing:
If _expiry is non-NULL, the expiry time (TTL) of the result will be
returned also.
+The kernel maintains an internal keyring in which it caches looked up keys.
+This can be cleared by any process that has the CAP_SYS_ADMIN capability by
+the use of KEYCTL_KEYRING_CLEAR on the keyring ID.
+
===============================
READING DNS KEYS FROM USERSPACE