1KEYCTL_INSTANTIATE(3) Linux Key Management Calls KEYCTL_INSTANTIATE(3)
2
3
4
6 keyctl_assume_authority - Assume the authority to instantiate a key
7 keyctl_instantiate - Instantiate a key from flat data
8 keyctl_instantiate_iov - Instantiate a key from segmented data
9 keyctl_reject - Negatively instantiate a key specifying search error
10 keyctl_negate - Negatively instantiate a key
11
13 #include <keyutils.h>
14
15 long keyctl_assume_authority(key_serial_t key);
16
17 long keyctl_instantiate(key_serial_t key, const void *payload,
18 size_t plen, key_serial_t keyring);
19
20 long keyctl_instantiate_iov(key_serial_t key,
21 const struct iovec *payload_iov, unsigned ioc,
22 key_serial_t keyring);
23
24 long keyctl_negate(key_serial_t key, unsigned timeout,
25 key_serial_t keyring);
26
27 long keyctl_reject(key_serial_t key, unsigned timeout,
28 unsigned error, key_serial_t keyring);
29
31 keyctl_assume_authority() assumes the authority for the calling thread
32 to deal with and instantiate the specified uninstantiated key.
33
34 The calling thread must have the appopriate authorisation key resident
35 in one of its keyrings for this to succeed, and that authority must not
36 have been revoked.
37
38 The authorising key is allocated by request_key() when it needs to
39 invoke userspace to generate a key for the requesting process. This is
40 then attached to one of the keyrings of the userspace process to which
41 the task of instantiating the key is given:
42
43 requester -> request_key() -> instantiator
44
45 Calling this function modifies the way request_key() works when called
46 thereafter by the calling (instantiator) thread; once the authority is
47 assumed, the keyrings of the initial process are added to the search
48 path, using the initial process's UID, GID, groups and security con‐
49 text.
50
51 If a thread has multiple instantiations to deal with, it may call this
52 function to change the authorisation key currently in effect. Supply‐
53 ing a zero key de-assumes the currently assumed authority.
54
55 NOTE! This is a per-thread setting and not a per-process setting so
56 that a multithreaded process can be used to instantiate several keys at
57 once.
58
59 keyctl_instantiate() instantiates the payload of an uninstantiated key
60 from the data specified. payload and plen specify the data for the new
61 payload. payload may be NULL and plen may be zero if the key type per‐
62 mits that. The key type may reject the data if it's in the wrong for‐
63 mat or in some other way invalid.
64
65 keyctl_instantiate_iov() is similar, but the data is passed in an array
66 of iovec structs instead of in a flat buffer. payload_iov points to
67 the base of the array and ioc indicates how many elements there are.
68 payload_iov may be NULL or ioc may be zero to indicate that no data is
69 being supplied.
70
71 keyctl_reject() marks a key as negatively instantiated and sets the
72 expiration timer on it. timeout specifies the lifetime of the key in
73 seconds. error specifies the error to be returned when a search hits
74 the key (this is typically EKEYREJECTED, EKEYREVOKED or EKEYEXPIRED).
75 Note that keyctl_reject() falls back to keyctl_negate() if the kernel
76 does not support it.
77
78 keyctl_negate() as keyctl_reject() with an error code of ENOKEY.
79
80 Only a key for which authority has been assumed may be instantiated or
81 negatively instantiated, and once instantiated, the authorisation key
82 will be revoked and the requesting process will be able to resume.
83
84 The destination keyring, if given, is assumed to belong to the initial
85 requester, and not the instantiating process. Therefore, the special
86 keyring IDs refer to the requesting process's keyrings, not the call‐
87 er's, and the requester's UID, etc. will be used to access them.
88
89 The destination keyring can be zero if no extra link is desired.
90
91 The requester, not the caller, must have write permission on the desti‐
92 nation for a link to be made there.
93
95 On success keyctl_instantiate() returns 0. On error, the value -1 will
96 be returned and errno will have been set to an appropriate error.
97
99 ENOKEY The key or keyring specified is invalid.
100
101 EKEYEXPIRED
102 The keyring specified has expired.
103
104 EKEYREVOKED
105 The key or keyring specified had been revoked, or the authorisa‐
106 tion has been revoked.
107
108 EINVAL The payload data was invalid.
109
110 ENOMEM Insufficient memory to store the new payload or to expand the
111 destination keyring.
112
113 EDQUOT The key quota for the key's user would be exceeded by increasing
114 the size of the key to accommodate the new payload or the key
115 quota for the keyring's user would be exceeded by expanding the
116 destination keyring.
117
118 EACCES The key exists, but is not writable by the requester.
119
121 This is a library function that can be found in libkeyutils. When
122 linking, -lkeyutils should be specified to the linker.
123
125 keyctl(1),
126 add_key(2),
127 keyctl(2),
128 request_key(2),
129 keyctl(3),
130 request-key(8)
131
132
133
134Linux 4 May 2006 KEYCTL_INSTANTIATE(3)