1KEYCTL_INSTANTIATE(3)     Linux Key Management Calls     KEYCTL_INSTANTIATE(3)
2
3
4

NAME

6       keyctl_assume_authority - Assume the authority to instantiate a key
7       keyctl_instantiate - Instantiate a key from flat data
8       keyctl_instantiate_iov - Instantiate a key from segmented data
9       keyctl_reject - Negatively instantiate a key specifying search error
10       keyctl_negate - Negatively instantiate a key
11

SYNOPSIS

13       #include <keyutils.h>
14
15       long keyctl_assume_authority(key_serial_t key);
16
17       long keyctl_instantiate(key_serial_t key, const void *payload,
18       size_t plen, key_serial_t keyring);
19
20       long keyctl_instantiate_iov(key_serial_t key,
21       const struct iovec *payload_iov, unsigned ioc,
22       key_serial_t keyring);
23
24       long keyctl_negate(key_serial_t key, unsigned timeout,
25       key_serial_t keyring);
26
27       long keyctl_reject(key_serial_t key, unsigned timeout,
28       unsigned error, key_serial_t keyring);
29

DESCRIPTION

31       keyctl_assume_authority()  assumes the authority for the calling thread
32       to deal with and instantiate the specified uninstantiated key.
33
34       The calling thread must have the appopriate authorisation key  resident
35       in one of its keyrings for this to succeed, and that authority must not
36       have been revoked.
37
38       The authorising key is allocated by  request_key()  when  it  needs  to
39       invoke userspace to generate a key for the requesting process.  This is
40       then attached to one of the keyrings of the userspace process to  which
41       the task of instantiating the key is given:
42
43              requester -> request_key() -> instantiator
44
45       Calling  this function modifies the way request_key() works when called
46       thereafter by the calling (instantiator) thread; once the authority  is
47       assumed,  the  keyrings  of the initial process are added to the search
48       path, using the initial process's UID, GID, groups  and  security  con‐
49       text.
50
51       If  a thread has multiple instantiations to deal with, it may call this
52       function to change the authorisation key currently in effect.   Supply‐
53       ing a zero key de-assumes the currently assumed authority.
54
55       NOTE!   This  is  a per-thread setting and not a per-process setting so
56       that a multithreaded process can be used to instantiate several keys at
57       once.
58
59       keyctl_instantiate()  instantiates the payload of an uninstantiated key
60       from the data specified.  payload and plen specify the data for the new
61       payload.  payload may be NULL and plen may be zero if the key type per‐
62       mits that.  The key type may reject the data if it's in the wrong  for‐
63       mat or in some other way invalid.
64
65       keyctl_instantiate_iov() is similar, but the data is passed in an array
66       of iovec structs instead of in a flat buffer.   payload_iov  points  to
67       the  base  of  the array and ioc indicates how many elements there are.
68       payload_iov may be NULL or ioc may be zero to indicate that no data  is
69       being supplied.
70
71       keyctl_reject()  marks  a  key  as negatively instantiated and sets the
72       expiration timer on it.  timeout specifies the lifetime of the  key  in
73       seconds.   error  specifies the error to be returned when a search hits
74       the key (this is typically EKEYREJECTED, EKEYREVOKED  or  EKEYEXPIRED).
75       Note  that  keyctl_reject() falls back to keyctl_negate() if the kernel
76       does not support it.
77
78       keyctl_negate() as keyctl_reject() with an error code of ENOKEY.
79
80       Only a key for which authority has been assumed may be instantiated  or
81       negatively  instantiated,  and once instantiated, the authorisation key
82       will be revoked and the requesting process will be able to resume.
83
84       The destination keyring, if given, is assumed to belong to the  initial
85       requester,  and  not the instantiating process.  Therefore, the special
86       keyring IDs refer to the requesting process's keyrings, not  the  call‐
87       er's, and the requester's UID, etc. will be used to access them.
88
89       The destination keyring can be zero if no extra link is desired.
90
91       The requester, not the caller, must have write permission on the desti‐
92       nation for a link to be made there.
93

RETURN VALUE

95       On success keyctl_instantiate() returns 0.  On error, the value -1 will
96       be returned and errno will have been set to an appropriate error.
97

ERRORS

99       ENOKEY The key or keyring specified is invalid.
100
101       EKEYEXPIRED
102              The keyring specified has expired.
103
104       EKEYREVOKED
105              The key or keyring specified had been revoked, or the authorisa‐
106              tion has been revoked.
107
108       EINVAL The payload data was invalid.
109
110       ENOMEM Insufficient memory to store the new payload or  to  expand  the
111              destination keyring.
112
113       EDQUOT The key quota for the key's user would be exceeded by increasing
114              the size of the key to accommodate the new payload  or  the  key
115              quota  for the keyring's user would be exceeded by expanding the
116              destination keyring.
117
118       EACCES The key exists, but is not writable by the requester.
119

LINKING

121       This is a library function that can  be  found  in  libkeyutils.   When
122       linking, -lkeyutils should be specified to the linker.
123

SEE ALSO

125       keyctl(1),
126       add_key(2),
127       keyctl(2),
128       request_key(2),
129       keyctl(3),
130       request-key(8)
131
132
133
134Linux                             4 May 2006             KEYCTL_INSTANTIATE(3)
Impressum