Provided by: libkeyutils-dev_1.5.9-8ubuntu1_amd64 bug

NAME
       keyctl_assume_authority - Assume the authority to instantiate a key
       keyctl_instantiate - Instantiate a key from flat data
       keyctl_instantiate_iov - Instantiate a key from segmented data
       keyctl_reject - Negatively instantiate a key specifying search error
       keyctl_negate - Negatively instantiate a key


SYNOPSIS
       #include <keyutils.h>

       long keyctl_assume_authority(key_serial_t key);

       long keyctl_instantiate(key_serial_t key, const void *payload,
       size_t plen, key_serial_t keyring);

       long keyctl_instantiate_iov(key_serial_t key,
       const struct iovec *payload_iov, unsigned ioc,
       key_serial_t keyring);

       long keyctl_negate(key_serial_t key, unsigned timeout,
       key_serial_t keyring);

       long keyctl_reject(key_serial_t key, unsigned timeout,
       unsigned error, key_serial_t keyring);


DESCRIPTION
       keyctl_assume_authority()  assumes  the authority for the calling thread to deal with and instantiate the
       specified uninstantiated key.

       The calling thread must have the appopriate authorisation key resident in one of its keyrings for this to
       succeed, and that authority must not have been revoked.

       The authorising key is allocated by request_key() when it needs to invoke userspace to generate a key for
       the requesting process.  This is then attached to one of the keyrings of the userspace process  to  which
       the task of instantiating the key is given:

              requester -> request_key() -> instantiator

       Calling  this  function  modifies  the  way  request_key()  works  when  called thereafter by the calling
       (instantiator) thread; once the authority is assumed, the keyrings of the initial process  are  added  to
       the search path, using the initial process's UID, GID, groups and security context.

       If  a  thread  has  multiple  instantiations  to  deal  with,  it  may  call  this function to change the
       authorisation key currently in effect.  Supplying a zero key de-assumes the currently assumed authority.

       NOTE!  This is a per-thread setting and not a per-process setting so that a multithreaded process can  be
       used to instantiate several keys at once.

       keyctl_instantiate()  instantiates the payload of an uninstantiated key from the data specified.  payload
       and plen specify the data for the new payload.  payload may be NULL and plen may be zero if the key  type
       permits that.  The key type may reject the data if it's in the wrong format or in some other way invalid.

       keyctl_instantiate_iov()  is similar, but the data is passed in an array of iovec structs instead of in a
       flat buffer.  payload_iov points to the base of the array and ioc indicates how many elements there  are.
       payload_iov may be NULL or ioc may be zero to indicate that no data is being supplied.

       keyctl_reject()  marks  a  key  as  negatively instantiated and sets the expiration timer on it.  timeout
       specifies the lifetime of the key in seconds.  error specifies the error to be  returned  when  a  search
       hits  the  key  (this  is typically EKEYREJECTED, EKEYREVOKED or EKEYEXPIRED).  Note that keyctl_reject()
       falls back to keyctl_negate() if the kernel does not support it.

       keyctl_negate() as keyctl_reject() with an error code of ENOKEY.

       Only a key for which authority has been assumed may be instantiated or negatively instantiated, and  once
       instantiated, the authorisation key will be revoked and the requesting process will be able to resume.

       The  destination  keyring,  if  given,  is  assumed  to  belong  to  the  initial  requester, and not the
       instantiating process.  Therefore, the special keyring IDs refer to the  requesting  process's  keyrings,
       not the caller's, and the requester's UID, etc. will be used to access them.

       The destination keyring can be zero if no extra link is desired.

       The requester, not the caller, must have write permission on the destination for a link to be made there.


RETURN VALUE
       On  success  keyctl_instantiate() returns 0.  On error, the value -1 will be returned and errno will have
       been set to an appropriate error.


ERRORS
       ENOKEY The key or keyring specified is invalid.

       EKEYEXPIRED
              The keyring specified has expired.

       EKEYREVOKED
              The key or keyring specified had been revoked, or the authorisation has been revoked.

       EINVAL The payload data was invalid.

       ENOMEM Insufficient memory to store the new payload or to expand the destination keyring.

       EDQUOT The key quota for the key's user  would  be  exceeded  by  increasing  the  size  of  the  key  to
              accommodate the new payload or the key quota for the keyring's user would be exceeded by expanding
              the destination keyring.

       EACCES The key exists, but is not writable by the requester.


LINKING
       This is a library function that can  be  found  in  libkeyutils.   When  linking,  -lkeyutils  should  be
       specified to the linker.


SEE ALSO
       keyctl(1),
       add_key(2),
       keyctl(2),
       request_key(2),
       keyctl(3),
       request-key(8),
       keyutils(7),
       keyrings(7)