1KEYCTL_INSTANTIATE(3)     Linux Key Management Calls     KEYCTL_INSTANTIATE(3)
2
3
4

NAME

6       keyctl_assume_authority,   keyctl_instantiate,  keyctl_instantiate_iov,
7       keyctl_reject, keyctl_negate - key instantiation functions
8

SYNOPSIS

10       #include <keyutils.h>
11
12       long keyctl_assume_authority(key_serial_t key);
13
14       long keyctl_instantiate(key_serial_t key, const void *payload,
15       size_t plen, key_serial_t keyring);
16
17       long keyctl_instantiate_iov(key_serial_t key,
18       const struct iovec *payload_iov, unsigned ioc,
19       key_serial_t keyring);
20
21       long keyctl_negate(key_serial_t key, unsigned timeout,
22       key_serial_t keyring);
23
24       long keyctl_reject(key_serial_t key, unsigned timeout,
25       unsigned error, key_serial_t keyring);
26

DESCRIPTION

28       keyctl_assume_authority() assumes the authority for the calling  thread
29       to deal with and instantiate the specified uninstantiated key.
30
31       The  calling thread must have the appopriate authorisation key resident
32       in one of its keyrings for this to succeed, and that authority must not
33       have been revoked.
34
35       The  authorising  key  is  allocated  by request_key() when it needs to
36       invoke userspace to generate a key for the requesting process.  This is
37       then  attached to one of the keyrings of the userspace process to which
38       the task of instantiating the key is given:
39
40              requester -> request_key() -> instantiator
41
42       Calling this function modifies the way request_key() works when  called
43       thereafter  by the calling (instantiator) thread; once the authority is
44       assumed, the keyrings of the initial process are added  to  the  search
45       path,  using  the  initial process's UID, GID, groups and security con‐
46       text.
47
48       If a thread has multiple instantiations to deal with, it may call  this
49       function  to change the authorisation key currently in effect.  Supply‐
50       ing a zero key de-assumes the currently assumed authority.
51
52       NOTE!  This is a per-thread setting and not a  per-process  setting  so
53       that a multithreaded process can be used to instantiate several keys at
54       once.
55
56       keyctl_instantiate() instantiates the payload of an uninstantiated  key
57       from the data specified.  payload and plen specify the data for the new
58       payload.  payload may be NULL and plen may be zero if the key type per‐
59       mits  that.  The key type may reject the data if it's in the wrong for‐
60       mat or in some other way invalid.
61
62       keyctl_instantiate_iov() is similar, but the data is passed in an array
63       of  iovec  structs  instead of in a flat buffer.  payload_iov points to
64       the base of the array and ioc indicates how many  elements  there  are.
65       payload_iov  may be NULL or ioc may be zero to indicate that no data is
66       being supplied.
67
68       keyctl_reject() marks a key as negatively  instantiated  and  sets  the
69       expiration  timer  on it.  timeout specifies the lifetime of the key in
70       seconds.  error specifies the error to be returned when a  search  hits
71       the  key  (this is typically EKEYREJECTED, EKEYREVOKED or EKEYEXPIRED).
72       Note that keyctl_reject() falls back to keyctl_negate() if  the  kernel
73       does not support it.
74
75       keyctl_negate() as keyctl_reject() with an error code of ENOKEY.
76
77       Only  a key for which authority has been assumed may be instantiated or
78       negatively instantiated, and once instantiated, the  authorisation  key
79       will be revoked and the requesting process will be able to resume.
80
81       The  destination keyring, if given, is assumed to belong to the initial
82       requester, and not the instantiating process.  Therefore,  the  special
83       keyring  IDs  refer to the requesting process's keyrings, not the call‐
84       er's, and the requester's UID, etc. will be used to access them.
85
86       The destination keyring can be zero if no extra link is desired.
87
88       The requester, not the caller, must have write permission on the desti‐
89       nation for a link to be made there.
90

RETURN VALUE

92       On success keyctl_instantiate() returns 0.  On error, the value -1 will
93       be returned and errno will have been set to an appropriate error.
94

ERRORS

96       ENOKEY The key or keyring specified is invalid.
97
98       EKEYEXPIRED
99              The keyring specified has expired.
100
101       EKEYREVOKED
102              The key or keyring specified had been revoked, or the authorisa‐
103              tion has been revoked.
104
105       EINVAL The payload data was invalid.
106
107       ENOMEM Insufficient  memory  to  store the new payload or to expand the
108              destination keyring.
109
110       EDQUOT The key quota for the key's user would be exceeded by increasing
111              the  size  of  the key to accommodate the new payload or the key
112              quota for the keyring's user would be exceeded by expanding  the
113              destination keyring.
114
115       EACCES The key exists, but is not writable by the requester.
116

LINKING

118       This  is  a  library  function  that can be found in libkeyutils.  When
119       linking, -lkeyutils should be specified to the linker.
120

SEE ALSO

122       keyctl(1), add_key(2), keyctl(2), request_key(2), keyctl(3),
123       keyrings(7), keyutils(7), request-key(8)
124
125
126
127Linux                             4 May 2006             KEYCTL_INSTANTIATE(3)
Impressum