1add_key(2) System Calls Manual add_key(2)
2
3
4
6 add_key - add a key to the kernel's key management facility
7
9 Standard C library (libc, -lc)
10
12 #include <keyutils.h>
13
14 key_serial_t add_key(const char *type, const char *description,
15 const void payload[.plen], size_t plen,
16 key_serial_t keyring);
17
18 Note: There is no glibc wrapper for this system call; see NOTES.
19
21 add_key() creates or updates a key of the given type and description,
22 instantiates it with the payload of length plen, attaches it to the
23 nominated keyring, and returns the key's serial number.
24
25 The key may be rejected if the provided data is in the wrong format or
26 it is invalid in some other way.
27
28 If the destination keyring already contains a key that matches the
29 specified type and description, then, if the key type supports it, that
30 key will be updated rather than a new key being created; if not, a new
31 key (with a different ID) will be created and it will displace the link
32 to the extant key from the keyring.
33
34 The destination keyring serial number may be that of a valid keyring
35 for which the caller has write permission. Alternatively, it may be
36 one of the following special keyring IDs:
37
38 KEY_SPEC_THREAD_KEYRING
39 This specifies the caller's thread-specific keyring
40 (thread-keyring(7)).
41
42 KEY_SPEC_PROCESS_KEYRING
43 This specifies the caller's process-specific keyring
44 (process-keyring(7)).
45
46 KEY_SPEC_SESSION_KEYRING
47 This specifies the caller's session-specific keyring (ses‐
48 sion-keyring(7)).
49
50 KEY_SPEC_USER_KEYRING
51 This specifies the caller's UID-specific keyring
52 (user-keyring(7)).
53
54 KEY_SPEC_USER_SESSION_KEYRING
55 This specifies the caller's UID-session keyring (user-ses‐
56 sion-keyring(7)).
57
58 Key types
59 The key type is a string that specifies the key's type. Internally,
60 the kernel defines a number of key types that are available in the core
61 key management code. Among the types that are available for user-space
62 use and can be specified as the type argument to add_key() are the fol‐
63 lowing:
64
65 "keyring"
66 Keyrings are special key types that may contain links to se‐
67 quences of other keys of any type. If this interface is used to
68 create a keyring, then payload should be NULL and plen should be
69 zero.
70
71 "user" This is a general purpose key type whose payload may be read and
72 updated by user-space applications. The key is kept entirely
73 within kernel memory. The payload for keys of this type is a
74 blob of arbitrary data of up to 32,767 bytes.
75
76 "logon" (since Linux 3.3)
77 This key type is essentially the same as "user", but it does not
78 permit the key to read. This is suitable for storing payloads
79 that you do not want to be readable from user space.
80
81 This key type vets the description to ensure that it is qualified by a
82 "service" prefix, by checking to ensure that the description contains a
83 ':' that is preceded by other characters.
84
85 "big_key" (since Linux 3.13)
86 This key type is similar to "user", but may hold a payload of up
87 to 1 MiB. If the key payload is large enough, then it may be
88 stored encrypted in tmpfs (which can be swapped out) rather than
89 kernel memory.
90
91 For further details on these key types, see keyrings(7).
92
94 On success, add_key() returns the serial number of the key it created
95 or updated. On error, -1 is returned and errno is set to indicate the
96 error.
97
99 EACCES The keyring wasn't available for modification by the user.
100
101 EDQUOT The key quota for this user would be exceeded by creating this
102 key or linking it to the keyring.
103
104 EFAULT One or more of type, description, and payload points outside
105 process's accessible address space.
106
107 EINVAL The size of the string (including the terminating null byte)
108 specified in type or description exceeded the limit (32 bytes
109 and 4096 bytes respectively).
110
111 EINVAL The payload data was invalid.
112
113 EINVAL type was "logon" and the description was not qualified with a
114 prefix string of the form "service:".
115
116 EKEYEXPIRED
117 The keyring has expired.
118
119 EKEYREVOKED
120 The keyring has been revoked.
121
122 ENOKEY The keyring doesn't exist.
123
124 ENOMEM Insufficient memory to create a key.
125
126 EPERM The type started with a period ('.'). Key types that begin with
127 a period are reserved to the implementation.
128
129 EPERM type was "keyring" and the description started with a period
130 ('.'). Keyrings with descriptions (names) that begin with a pe‐
131 riod are reserved to the implementation.
132
134 Linux.
135
137 Linux 2.6.10.
138
140 glibc does not provide a wrapper for this system call. A wrapper is
141 provided in the libkeyutils library. (The accompanying package pro‐
142 vides the <keyutils.h> header file.) When employing the wrapper in
143 that library, link with -lkeyutils.
144
146 The program below creates a key with the type, description, and payload
147 specified in its command-line arguments, and links that key into the
148 session keyring. The following shell session demonstrates the use of
149 the program:
150
151 $ ./a.out user mykey "Some payload"
152 Key ID is 64a4dca
153 $ grep '64a4dca' /proc/keys
154 064a4dca I--Q--- 1 perm 3f010000 1000 1000 user mykey: 12
155
156 Program source
157
158 #include <keyutils.h>
159 #include <stdint.h>
160 #include <stdio.h>
161 #include <stdlib.h>
162 #include <string.h>
163
164 int
165 main(int argc, char *argv[])
166 {
167 key_serial_t key;
168
169 if (argc != 4) {
170 fprintf(stderr, "Usage: %s type description payload\n",
171 argv[0]);
172 exit(EXIT_FAILURE);
173 }
174
175 key = add_key(argv[1], argv[2], argv[3], strlen(argv[3]),
176 KEY_SPEC_SESSION_KEYRING);
177 if (key == -1) {
178 perror("add_key");
179 exit(EXIT_FAILURE);
180 }
181
182 printf("Key ID is %jx\n", (uintmax_t) key);
183
184 exit(EXIT_SUCCESS);
185 }
186
188 keyctl(1), keyctl(2), request_key(2), keyctl(3), keyrings(7),
189 keyutils(7), persistent-keyring(7), process-keyring(7),
190 session-keyring(7), thread-keyring(7), user-keyring(7),
191 user-session-keyring(7)
192
193 The kernel source files Documentation/security/keys/core.rst and
194 Documentation/keys/request-key.rst (or, before Linux 4.13, in the files
195 Documentation/security/keys.txt and
196 Documentation/security/keys-request-key.txt).
197
198
199
200Linux man-pages 6.05 2023-05-03 add_key(2)