Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / kernel / common / 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 / . / security / keys / keyring.c
blob: e2ab4f8e7481d21d18efc26d0af1be273b39da8d [file] [log] [blame]
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame^]1/* keyring.c: keyring handling
2 *
3 * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com)
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version.
10 */
11
12#include <linux/module.h>
13#include <linux/init.h>
14#include <linux/sched.h>
15#include <linux/slab.h>
16#include <linux/seq_file.h>
17#include <linux/err.h>
18#include <asm/uaccess.h>
19#include "internal.h"
20
21/*
22 * when plumbing the depths of the key tree, this sets a hard limit set on how
23 * deep we're willing to go
24 */
25#define KEYRING_SEARCH_MAX_DEPTH 6
26
27/*
28 * we keep all named keyrings in a hash to speed looking them up
29 */
30#define KEYRING_NAME_HASH_SIZE (1 << 5)
31
32static struct list_head keyring_name_hash[KEYRING_NAME_HASH_SIZE];
33static DEFINE_RWLOCK(keyring_name_lock);
34
35static inline unsigned keyring_hash(const char *desc)
36{
37 unsigned bucket = 0;
38
39 for (; *desc; desc++)
40 bucket += (unsigned char) *desc;
41
42 return bucket & (KEYRING_NAME_HASH_SIZE - 1);
43}
44
45/*
46 * the keyring type definition
47 */
48static int keyring_instantiate(struct key *keyring,
49 const void *data, size_t datalen);
50static int keyring_duplicate(struct key *keyring, const struct key *source);
51static int keyring_match(const struct key *keyring, const void *criterion);
52static void keyring_destroy(struct key *keyring);
53static void keyring_describe(const struct key *keyring, struct seq_file *m);
54static long keyring_read(const struct key *keyring,
55 char __user *buffer, size_t buflen);
56
57struct key_type key_type_keyring = {
58 .name = "keyring",
59 .def_datalen = sizeof(struct keyring_list),
60 .instantiate = keyring_instantiate,
61 .duplicate = keyring_duplicate,
62 .match = keyring_match,
63 .destroy = keyring_destroy,
64 .describe = keyring_describe,
65 .read = keyring_read,
66};
67
68/*
69 * semaphore to serialise link/link calls to prevent two link calls in parallel
70 * introducing a cycle
71 */
72DECLARE_RWSEM(keyring_serialise_link_sem);
73
74/*****************************************************************************/
75/*
76 * publish the name of a keyring so that it can be found by name (if it has
77 * one)
78 */
79void keyring_publish_name(struct key *keyring)
80{
81 int bucket;
82
83 if (keyring->description) {
84 bucket = keyring_hash(keyring->description);
85
86 write_lock(&keyring_name_lock);
87
88 if (!keyring_name_hash[bucket].next)
89 INIT_LIST_HEAD(&keyring_name_hash[bucket]);
90
91 list_add_tail(&keyring->type_data.link,
92 &keyring_name_hash[bucket]);
93
94 write_unlock(&keyring_name_lock);
95 }
96
97} /* end keyring_publish_name() */
98
99/*****************************************************************************/
100/*
101 * initialise a keyring
102 * - we object if we were given any data
103 */
104static int keyring_instantiate(struct key *keyring,
105 const void *data, size_t datalen)
106{
107 int ret;
108
109 ret = -EINVAL;
110 if (datalen == 0) {
111 /* make the keyring available by name if it has one */
112 keyring_publish_name(keyring);
113 ret = 0;
114 }
115
116 return ret;
117
118} /* end keyring_instantiate() */
119
120/*****************************************************************************/
121/*
122 * duplicate the list of subscribed keys from a source keyring into this one
123 */
124static int keyring_duplicate(struct key *keyring, const struct key *source)
125{
126 struct keyring_list *sklist, *klist;
127 unsigned max;
128 size_t size;
129 int loop, ret;
130
131 const unsigned limit =
132 (PAGE_SIZE - sizeof(*klist)) / sizeof(struct key);
133
134 ret = 0;
135 sklist = source->payload.subscriptions;
136
137 if (sklist && sklist->nkeys > 0) {
138 max = sklist->nkeys;
139 BUG_ON(max > limit);
140
141 max = (max + 3) & ~3;
142 if (max > limit)
143 max = limit;
144
145 ret = -ENOMEM;
146 size = sizeof(*klist) + sizeof(struct key) * max;
147 klist = kmalloc(size, GFP_KERNEL);
148 if (!klist)
149 goto error;
150
151 klist->maxkeys = max;
152 klist->nkeys = sklist->nkeys;
153 memcpy(klist->keys,
154 sklist->keys,
155 sklist->nkeys * sizeof(struct key));
156
157 for (loop = klist->nkeys - 1; loop >= 0; loop--)
158 atomic_inc(&klist->keys[loop]->usage);
159
160 keyring->payload.subscriptions = klist;
161 ret = 0;
162 }
163
164 error:
165 return ret;
166
167} /* end keyring_duplicate() */
168
169/*****************************************************************************/
170/*
171 * match keyrings on their name
172 */
173static int keyring_match(const struct key *keyring, const void *description)
174{
175 return keyring->description &&
176 strcmp(keyring->description, description) == 0;
177
178} /* end keyring_match() */
179
180/*****************************************************************************/
181/*
182 * dispose of the data dangling from the corpse of a keyring
183 */
184static void keyring_destroy(struct key *keyring)
185{
186 struct keyring_list *klist;
187 int loop;
188
189 if (keyring->description) {
190 write_lock(&keyring_name_lock);
191 list_del(&keyring->type_data.link);
192 write_unlock(&keyring_name_lock);
193 }
194
195 klist = keyring->payload.subscriptions;
196 if (klist) {
197 for (loop = klist->nkeys - 1; loop >= 0; loop--)
198 key_put(klist->keys[loop]);
199 kfree(klist);
200 }
201
202} /* end keyring_destroy() */
203
204/*****************************************************************************/
205/*
206 * describe the keyring
207 */
208static void keyring_describe(const struct key *keyring, struct seq_file *m)
209{
210 struct keyring_list *klist;
211
212 if (keyring->description) {
213 seq_puts(m, keyring->description);
214 }
215 else {
216 seq_puts(m, "[anon]");
217 }
218
219 klist = keyring->payload.subscriptions;
220 if (klist)
221 seq_printf(m, ": %u/%u", klist->nkeys, klist->maxkeys);
222 else
223 seq_puts(m, ": empty");
224
225} /* end keyring_describe() */
226
227/*****************************************************************************/
228/*
229 * read a list of key IDs from the keyring's contents
230 */
231static long keyring_read(const struct key *keyring,
232 char __user *buffer, size_t buflen)
233{
234 struct keyring_list *klist;
235 struct key *key;
236 size_t qty, tmp;
237 int loop, ret;
238
239 ret = 0;
240 klist = keyring->payload.subscriptions;
241
242 if (klist) {
243 /* calculate how much data we could return */
244 qty = klist->nkeys * sizeof(key_serial_t);
245
246 if (buffer && buflen > 0) {
247 if (buflen > qty)
248 buflen = qty;
249
250 /* copy the IDs of the subscribed keys into the
251 * buffer */
252 ret = -EFAULT;
253
254 for (loop = 0; loop < klist->nkeys; loop++) {
255 key = klist->keys[loop];
256
257 tmp = sizeof(key_serial_t);
258 if (tmp > buflen)
259 tmp = buflen;
260
261 if (copy_to_user(buffer,
262 &key->serial,
263 tmp) != 0)
264 goto error;
265
266 buflen -= tmp;
267 if (buflen == 0)
268 break;
269 buffer += tmp;
270 }
271 }
272
273 ret = qty;
274 }
275
276 error:
277 return ret;
278
279} /* end keyring_read() */
280
281/*****************************************************************************/
282/*
283 * allocate a keyring and link into the destination keyring
284 */
285struct key *keyring_alloc(const char *description, uid_t uid, gid_t gid,
286 int not_in_quota, struct key *dest)
287{
288 struct key *keyring;
289 int ret;
290
291 keyring = key_alloc(&key_type_keyring, description,
292 uid, gid, KEY_USR_ALL, not_in_quota);
293
294 if (!IS_ERR(keyring)) {
295 ret = key_instantiate_and_link(keyring, NULL, 0, dest);
296 if (ret < 0) {
297 key_put(keyring);
298 keyring = ERR_PTR(ret);
299 }
300 }
301
302 return keyring;
303
304} /* end keyring_alloc() */
305
306/*****************************************************************************/
307/*
308 * search the supplied keyring tree for a key that matches the criterion
309 * - perform a breadth-then-depth search up to the prescribed limit
310 * - we only find keys on which we have search permission
311 * - we use the supplied match function to see if the description (or other
312 * feature of interest) matches
313 * - we readlock the keyrings as we search down the tree
314 * - we return -EAGAIN if we didn't find any matching key
315 * - we return -ENOKEY if we only found negative matching keys
316 */
317struct key *keyring_search_aux(struct key *keyring,
318 struct key_type *type,
319 const void *description,
320 key_match_func_t match)
321{
322 struct {
323 struct key *keyring;
324 int kix;
325 } stack[KEYRING_SEARCH_MAX_DEPTH];
326
327 struct keyring_list *keylist;
328 struct timespec now;
329 struct key *key;
330 long err;
331 int sp, psp, kix;
332
333 key_check(keyring);
334
335 /* top keyring must have search permission to begin the search */
336 key = ERR_PTR(-EACCES);
337 if (!key_permission(keyring, KEY_SEARCH))
338 goto error;
339
340 key = ERR_PTR(-ENOTDIR);
341 if (keyring->type != &key_type_keyring)
342 goto error;
343
344 now = current_kernel_time();
345 err = -EAGAIN;
346 sp = 0;
347
348 /* start processing a new keyring */
349 descend:
350 read_lock(&keyring->lock);
351 if (keyring->flags & KEY_FLAG_REVOKED)
352 goto not_this_keyring;
353
354 keylist = keyring->payload.subscriptions;
355 if (!keylist)
356 goto not_this_keyring;
357
358 /* iterate through the keys in this keyring first */
359 for (kix = 0; kix < keylist->nkeys; kix++) {
360 key = keylist->keys[kix];
361
362 /* ignore keys not of this type */
363 if (key->type != type)
364 continue;
365
366 /* skip revoked keys and expired keys */
367 if (key->flags & KEY_FLAG_REVOKED)
368 continue;
369
370 if (key->expiry && now.tv_sec >= key->expiry)
371 continue;
372
373 /* keys that don't match */
374 if (!match(key, description))
375 continue;
376
377 /* key must have search permissions */
378 if (!key_permission(key, KEY_SEARCH))
379 continue;
380
381 /* we set a different error code if we find a negative key */
382 if (key->flags & KEY_FLAG_NEGATIVE) {
383 err = -ENOKEY;
384 continue;
385 }
386
387 goto found;
388 }
389
390 /* search through the keyrings nested in this one */
391 kix = 0;
392 ascend:
393 while (kix < keylist->nkeys) {
394 key = keylist->keys[kix];
395 if (key->type != &key_type_keyring)
396 goto next;
397
398 /* recursively search nested keyrings
399 * - only search keyrings for which we have search permission
400 */
401 if (sp >= KEYRING_SEARCH_MAX_DEPTH)
402 goto next;
403
404 if (!key_permission(key, KEY_SEARCH))
405 goto next;
406
407 /* evade loops in the keyring tree */
408 for (psp = 0; psp < sp; psp++)
409 if (stack[psp].keyring == keyring)
410 goto next;
411
412 /* stack the current position */
413 stack[sp].keyring = keyring;
414 stack[sp].kix = kix;
415 sp++;
416
417 /* begin again with the new keyring */
418 keyring = key;
419 goto descend;
420
421 next:
422 kix++;
423 }
424
425 /* the keyring we're looking at was disqualified or didn't contain a
426 * matching key */
427 not_this_keyring:
428 read_unlock(&keyring->lock);
429
430 if (sp > 0) {
431 /* resume the processing of a keyring higher up in the tree */
432 sp--;
433 keyring = stack[sp].keyring;
434 keylist = keyring->payload.subscriptions;
435 kix = stack[sp].kix + 1;
436 goto ascend;
437 }
438
439 key = ERR_PTR(err);
440 goto error;
441
442 /* we found a viable match */
443 found:
444 atomic_inc(&key->usage);
445 read_unlock(&keyring->lock);
446
447 /* unwind the keyring stack */
448 while (sp > 0) {
449 sp--;
450 read_unlock(&stack[sp].keyring->lock);
451 }
452
453 key_check(key);
454 error:
455 return key;
456
457} /* end keyring_search_aux() */
458
459/*****************************************************************************/
460/*
461 * search the supplied keyring tree for a key that matches the criterion
462 * - perform a breadth-then-depth search up to the prescribed limit
463 * - we only find keys on which we have search permission
464 * - we readlock the keyrings as we search down the tree
465 * - we return -EAGAIN if we didn't find any matching key
466 * - we return -ENOKEY if we only found negative matching keys
467 */
468struct key *keyring_search(struct key *keyring,
469 struct key_type *type,
470 const char *description)
471{
472 return keyring_search_aux(keyring, type, description, type->match);
473
474} /* end keyring_search() */
475
476EXPORT_SYMBOL(keyring_search);
477
478/*****************************************************************************/
479/*
480 * search the given keyring only (no recursion)
481 * - keyring must be locked by caller
482 */
483struct key *__keyring_search_one(struct key *keyring,
484 const struct key_type *ktype,
485 const char *description,
486 key_perm_t perm)
487{
488 struct keyring_list *klist;
489 struct key *key;
490 int loop;
491
492 klist = keyring->payload.subscriptions;
493 if (klist) {
494 for (loop = 0; loop < klist->nkeys; loop++) {
495 key = klist->keys[loop];
496
497 if (key->type == ktype &&
498 key->type->match(key, description) &&
499 key_permission(key, perm) &&
500 !(key->flags & KEY_FLAG_REVOKED)
501 )
502 goto found;
503 }
504 }
505
506 key = ERR_PTR(-ENOKEY);
507 goto error;
508
509 found:
510 atomic_inc(&key->usage);
511 error:
512 return key;
513
514} /* end __keyring_search_one() */
515
516/*****************************************************************************/
517/*
518 * find a keyring with the specified name
519 * - all named keyrings are searched
520 * - only find keyrings with search permission for the process
521 * - only find keyrings with a serial number greater than the one specified
522 */
523struct key *find_keyring_by_name(const char *name, key_serial_t bound)
524{
525 struct key *keyring;
526 int bucket;
527
528 keyring = ERR_PTR(-EINVAL);
529 if (!name)
530 goto error;
531
532 bucket = keyring_hash(name);
533
534 read_lock(&keyring_name_lock);
535
536 if (keyring_name_hash[bucket].next) {
537 /* search this hash bucket for a keyring with a matching name
538 * that's readable and that hasn't been revoked */
539 list_for_each_entry(keyring,
540 &keyring_name_hash[bucket],
541 type_data.link
542 ) {
543 if (keyring->flags & KEY_FLAG_REVOKED)
544 continue;
545
546 if (strcmp(keyring->description, name) != 0)
547 continue;
548
549 if (!key_permission(keyring, KEY_SEARCH))
550 continue;
551
552 /* found a potential candidate, but we still need to
553 * check the serial number */
554 if (keyring->serial <= bound)
555 continue;
556
557 /* we've got a match */
558 atomic_inc(&keyring->usage);
559 read_unlock(&keyring_name_lock);
560 goto error;
561 }
562 }
563
564 read_unlock(&keyring_name_lock);
565 keyring = ERR_PTR(-ENOKEY);
566
567 error:
568 return keyring;
569
570} /* end find_keyring_by_name() */
571
572/*****************************************************************************/
573/*
574 * see if a cycle will will be created by inserting acyclic tree B in acyclic
575 * tree A at the topmost level (ie: as a direct child of A)
576 * - since we are adding B to A at the top level, checking for cycles should
577 * just be a matter of seeing if node A is somewhere in tree B
578 */
579static int keyring_detect_cycle(struct key *A, struct key *B)
580{
581 struct {
582 struct key *subtree;
583 int kix;
584 } stack[KEYRING_SEARCH_MAX_DEPTH];
585
586 struct keyring_list *keylist;
587 struct key *subtree, *key;
588 int sp, kix, ret;
589
590 ret = -EDEADLK;
591 if (A == B)
592 goto error;
593
594 subtree = B;
595 sp = 0;
596
597 /* start processing a new keyring */
598 descend:
599 read_lock(&subtree->lock);
600 if (subtree->flags & KEY_FLAG_REVOKED)
601 goto not_this_keyring;
602
603 keylist = subtree->payload.subscriptions;
604 if (!keylist)
605 goto not_this_keyring;
606 kix = 0;
607
608 ascend:
609 /* iterate through the remaining keys in this keyring */
610 for (; kix < keylist->nkeys; kix++) {
611 key = keylist->keys[kix];
612
613 if (key == A)
614 goto cycle_detected;
615
616 /* recursively check nested keyrings */
617 if (key->type == &key_type_keyring) {
618 if (sp >= KEYRING_SEARCH_MAX_DEPTH)
619 goto too_deep;
620
621 /* stack the current position */
622 stack[sp].subtree = subtree;
623 stack[sp].kix = kix;
624 sp++;
625
626 /* begin again with the new keyring */
627 subtree = key;
628 goto descend;
629 }
630 }
631
632 /* the keyring we're looking at was disqualified or didn't contain a
633 * matching key */
634 not_this_keyring:
635 read_unlock(&subtree->lock);
636
637 if (sp > 0) {
638 /* resume the checking of a keyring higher up in the tree */
639 sp--;
640 subtree = stack[sp].subtree;
641 keylist = subtree->payload.subscriptions;
642 kix = stack[sp].kix + 1;
643 goto ascend;
644 }
645
646 ret = 0; /* no cycles detected */
647
648 error:
649 return ret;
650
651 too_deep:
652 ret = -ELOOP;
653 goto error_unwind;
654 cycle_detected:
655 ret = -EDEADLK;
656 error_unwind:
657 read_unlock(&subtree->lock);
658
659 /* unwind the keyring stack */
660 while (sp > 0) {
661 sp--;
662 read_unlock(&stack[sp].subtree->lock);
663 }
664
665 goto error;
666
667} /* end keyring_detect_cycle() */
668
669/*****************************************************************************/
670/*
671 * link a key into to a keyring
672 * - must be called with the keyring's semaphore held
673 */
674int __key_link(struct key *keyring, struct key *key)
675{
676 struct keyring_list *klist, *nklist;
677 unsigned max;
678 size_t size;
679 int ret;
680
681 ret = -EKEYREVOKED;
682 if (keyring->flags & KEY_FLAG_REVOKED)
683 goto error;
684
685 ret = -ENOTDIR;
686 if (keyring->type != &key_type_keyring)
687 goto error;
688
689 /* serialise link/link calls to prevent parallel calls causing a
690 * cycle when applied to two keyring in opposite orders */
691 down_write(&keyring_serialise_link_sem);
692
693 /* check that we aren't going to create a cycle adding one keyring to
694 * another */
695 if (key->type == &key_type_keyring) {
696 ret = keyring_detect_cycle(keyring, key);
697 if (ret < 0)
698 goto error2;
699 }
700
701 /* check that we aren't going to overrun the user's quota */
702 ret = key_payload_reserve(keyring,
703 keyring->datalen + KEYQUOTA_LINK_BYTES);
704 if (ret < 0)
705 goto error2;
706
707 klist = keyring->payload.subscriptions;
708
709 if (klist && klist->nkeys < klist->maxkeys) {
710 /* there's sufficient slack space to add directly */
711 atomic_inc(&key->usage);
712
713 write_lock(&keyring->lock);
714 klist->keys[klist->nkeys++] = key;
715 write_unlock(&keyring->lock);
716
717 ret = 0;
718 }
719 else {
720 /* grow the key list */
721 max = 4;
722 if (klist)
723 max += klist->maxkeys;
724
725 ret = -ENFILE;
726 size = sizeof(*klist) + sizeof(*key) * max;
727 if (size > PAGE_SIZE)
728 goto error3;
729
730 ret = -ENOMEM;
731 nklist = kmalloc(size, GFP_KERNEL);
732 if (!nklist)
733 goto error3;
734 nklist->maxkeys = max;
735 nklist->nkeys = 0;
736
737 if (klist) {
738 nklist->nkeys = klist->nkeys;
739 memcpy(nklist->keys,
740 klist->keys,
741 sizeof(struct key *) * klist->nkeys);
742 }
743
744 /* add the key into the new space */
745 atomic_inc(&key->usage);
746
747 write_lock(&keyring->lock);
748 keyring->payload.subscriptions = nklist;
749 nklist->keys[nklist->nkeys++] = key;
750 write_unlock(&keyring->lock);
751
752 /* dispose of the old keyring list */
753 kfree(klist);
754
755 ret = 0;
756 }
757
758 error2:
759 up_write(&keyring_serialise_link_sem);
760 error:
761 return ret;
762
763 error3:
764 /* undo the quota changes */
765 key_payload_reserve(keyring,
766 keyring->datalen - KEYQUOTA_LINK_BYTES);
767 goto error2;
768
769} /* end __key_link() */
770
771/*****************************************************************************/
772/*
773 * link a key to a keyring
774 */
775int key_link(struct key *keyring, struct key *key)
776{
777 int ret;
778
779 key_check(keyring);
780 key_check(key);
781
782 down_write(&keyring->sem);
783 ret = __key_link(keyring, key);
784 up_write(&keyring->sem);
785
786 return ret;
787
788} /* end key_link() */
789
790EXPORT_SYMBOL(key_link);
791
792/*****************************************************************************/
793/*
794 * unlink the first link to a key from a keyring
795 */
796int key_unlink(struct key *keyring, struct key *key)
797{
798 struct keyring_list *klist;
799 int loop, ret;
800
801 key_check(keyring);
802 key_check(key);
803
804 ret = -ENOTDIR;
805 if (keyring->type != &key_type_keyring)
806 goto error;
807
808 down_write(&keyring->sem);
809
810 klist = keyring->payload.subscriptions;
811 if (klist) {
812 /* search the keyring for the key */
813 for (loop = 0; loop < klist->nkeys; loop++)
814 if (klist->keys[loop] == key)
815 goto key_is_present;
816 }
817
818 up_write(&keyring->sem);
819 ret = -ENOENT;
820 goto error;
821
822 key_is_present:
823 /* adjust the user's quota */
824 key_payload_reserve(keyring,
825 keyring->datalen - KEYQUOTA_LINK_BYTES);
826
827 /* shuffle down the key pointers
828 * - it might be worth shrinking the allocated memory, but that runs
829 * the risk of ENOMEM as we would have to copy
830 */
831 write_lock(&keyring->lock);
832
833 klist->nkeys--;
834 if (loop < klist->nkeys)
835 memcpy(&klist->keys[loop],
836 &klist->keys[loop + 1],
837 (klist->nkeys - loop) * sizeof(struct key *));
838
839 write_unlock(&keyring->lock);
840
841 up_write(&keyring->sem);
842 key_put(key);
843 ret = 0;
844
845 error:
846 return ret;
847
848} /* end key_unlink() */
849
850EXPORT_SYMBOL(key_unlink);
851
852/*****************************************************************************/
853/*
854 * clear the specified process keyring
855 * - implements keyctl(KEYCTL_CLEAR)
856 */
857int keyring_clear(struct key *keyring)
858{
859 struct keyring_list *klist;
860 int loop, ret;
861
862 ret = -ENOTDIR;
863 if (keyring->type == &key_type_keyring) {
864 /* detach the pointer block with the locks held */
865 down_write(&keyring->sem);
866
867 klist = keyring->payload.subscriptions;
868 if (klist) {
869 /* adjust the quota */
870 key_payload_reserve(keyring,
871 sizeof(struct keyring_list));
872
873 write_lock(&keyring->lock);
874 keyring->payload.subscriptions = NULL;
875 write_unlock(&keyring->lock);
876 }
877
878 up_write(&keyring->sem);
879
880 /* free the keys after the locks have been dropped */
881 if (klist) {
882 for (loop = klist->nkeys - 1; loop >= 0; loop--)
883 key_put(klist->keys[loop]);
884
885 kfree(klist);
886 }
887
888 ret = 0;
889 }
890
891 return ret;
892
893} /* end keyring_clear() */
894
895EXPORT_SYMBOL(keyring_clear);