kinetic (3) keyctl_assume_authority.3.gz

Provided by: libkeyutils-dev_1.6.3-1_amd64 bug

NAME

       keyctl_assume_authority,    keyctl_instantiate,   keyctl_instantiate_iov,   keyctl_reject,
       keyctl_negate - key instantiation functions

SYNOPSIS

       #include <keyutils.h>

       long keyctl_assume_authority(key_serial_t key);

       long keyctl_instantiate(key_serial_t key, const void *payload,
       size_t plen, key_serial_t keyring);

       long keyctl_instantiate_iov(key_serial_t key,
       const struct iovec *payload_iov, unsigned ioc,
       key_serial_t keyring);

       long keyctl_negate(key_serial_t key, unsigned timeout,
       key_serial_t keyring);

       long keyctl_reject(key_serial_t key, unsigned timeout,
       unsigned error, key_serial_t keyring);

DESCRIPTION

       keyctl_assume_authority() assumes the authority for the calling thread to  deal  with  and
       instantiate the specified uninstantiated key.

       The  calling  thread  must  have  the appropriate authorisation key resident in one of its
       keyrings for this to succeed, and that authority must not have been revoked.

       The authorising key is allocated by request_key() when it needs  to  invoke  userspace  to
       generate  a  key for the requesting process.  This is then attached to one of the keyrings
       of the userspace process to which the task of instantiating the key is given:

              requester -> request_key() -> instantiator

       Calling this function modifies the way request_key() works when called thereafter  by  the
       calling  (instantiator) thread; once the authority is assumed, the keyrings of the initial
       process are added to the search path, using the initial process's  UID,  GID,  groups  and
       security context.

       If  a thread has multiple instantiations to deal with, it may call this function to change
       the authorisation key currently in effect.  Supplying a zero key de-assumes the  currently
       assumed authority.

       NOTE!   This is a per-thread setting and not a per-process setting so that a multithreaded
       process can be used to instantiate several keys at once.

       keyctl_instantiate() instantiates the payload of  an  uninstantiated  key  from  the  data
       specified.   payload  and  plen specify the data for the new payload.  payload may be NULL
       and plen may be zero if the key type permits that.  The key type may reject  the  data  if
       it's in the wrong format or in some other way invalid.

       keyctl_instantiate_iov()  is  similar, but the data is passed in an array of iovec structs
       instead of in a flat buffer.  payload_iov  points  to  the  base  of  the  array  and  ioc
       indicates  how  many  elements  there  are.  payload_iov may be NULL or ioc may be zero to
       indicate that no data is being supplied.

       keyctl_reject() marks a key as negatively instantiated and sets the  expiration  timer  on
       it.   timeout  specifies the lifetime of the key in seconds.  error specifies the error to
       be returned when a search hits the key (this is  typically  EKEYREJECTED,  EKEYREVOKED  or
       EKEYEXPIRED).   Note that keyctl_reject() falls back to keyctl_negate() if the kernel does
       not support it.

       keyctl_negate() as keyctl_reject() with an error code of ENOKEY.

       Only a key for which  authority  has  been  assumed  may  be  instantiated  or  negatively
       instantiated,  and  once  instantiated,  the  authorisation  key  will  be revoked and the
       requesting process will be able to resume.

       The destination keyring, if given, is assumed to belong to the initial requester, and  not
       the  instantiating  process.   Therefore,  the special keyring IDs refer to the requesting
       process's keyrings, not the caller's, and the requester's UID, etc. will be used to access
       them.

       The destination keyring can be zero if no extra link is desired.

       The requester, not the caller, must have write permission on the destination for a link to
       be made there.

RETURN VALUE

       On success keyctl_instantiate() returns 0.  On error, the value -1 will  be  returned  and
       errno will have been set to an appropriate error.

ERRORS

       ENOKEY The key or keyring specified is invalid.

       EKEYEXPIRED
              The keyring specified has expired.

       EKEYREVOKED
              The  key  or  keyring  specified  had  been  revoked, or the authorisation has been
              revoked.

       EINVAL The payload data was invalid.

       ENOMEM Insufficient memory to store the new payload or to expand the destination keyring.

       EDQUOT The key quota for the key's user would be exceeded by increasing the  size  of  the
              key to accommodate the new payload or the key quota for the keyring's user would be
              exceeded by expanding the destination keyring.

       EACCES The key exists, but is not writable by the requester.

LINKING

       This is a library function that can be found in  libkeyutils.   When  linking,  -lkeyutils
       should be specified to the linker.

SEE ALSO

       keyctl(1), add_key(2), keyctl(2), request_key(2), keyctl(3), keyrings(7), keyutils(7),
       request-key(8)