keyctl_assume_authority - Assume the authority to instantiate a key
keyctl_instantiate - Instantiate a key from flat data
keyctl_instantiate_iov - Instantiate a key from segmented data
keyctl_reject - Negatively instantiate a key specifying search error
keyctl_negate - Negatively instantiate a key
keyctl_assume_authority() assumes the authority for the calling
thread to deal with and instantiate the specified uninstantiated key.
The calling thread must have the appopriate authorisation key
resident in one of its keyrings for this to succeed, and that
authority must not have been revoked.
The authorising key is allocated by request_key() when it needs to
invoke userspace to generate a key for the requesting process. This
is then attached to one of the keyrings of the userspace process to
which the task of instantiating the key is given:
requester -> request_key() -> instantiator
Calling this function modifies the way request_key() works when
called thereafter by the calling (instantiator) thread; once the
authority is assumed, the keyrings of the initial process are added
to the search path, using the initial process's UID, GID, groups and
If a thread has multiple instantiations to deal with, it may call
this function to change the authorisation key currently in effect.
Supplying a zero key de-assumes the currently assumed authority.
NOTE! This is a per-thread setting and not a per-process setting so
that a multithreaded process can be used to instantiate several keys
keyctl_instantiate() instantiates the payload of an uninstantiated
key from the data specified. payload and plen specify the data for
the new payload. payload may be NULL and plen may be zero if the key
type permits that. The key type may reject the data if it's in the
wrong format or in some other way invalid.
keyctl_instantiate_iov() is similar, but the data is passed in an
array of iovec structs instead of in a flat buffer. payload_iov
points to the base of the array and ioc indicates how many elements
there are. payload_iov may be NULL or ioc may be zero to indicate
that no data is being supplied.
keyctl_reject() marks a key as negatively instantiated and sets the
expiration timer on it. timeout specifies the lifetime of the key in
seconds. error specifies the error to be returned when a search hits
the key (this is typically EKEYREJECTED, EKEYREVOKED or EKEYEXPIRED).
Note that keyctl_reject() falls back to keyctl_negate() if the kernel
does not support it.
keyctl_negate() as keyctl_reject() with an error code of ENOKEY.
Only a key for which authority has been assumed may be instantiated
or negatively instantiated, and once instantiated, the authorisation
key will be revoked and the requesting process will be able to
The destination keyring, if given, is assumed to belong to the
initial requester, and not the instantiating process. Therefore, the
special keyring IDs refer to the requesting process's keyrings, not
the caller's, and the requester's UID, etc. will be used to access
The destination keyring can be zero if no extra link is desired.
The requester, not the caller, must have write permission on the
destination for a link to be made there.
ENOKEY The key or keyring specified is invalid.
The keyring specified has expired.
The key or keyring specified had been revoked, or the
authorisation has been revoked.
EINVAL The payload data was invalid.
ENOMEM Insufficient memory to store the new payload or to expand the
EDQUOT The key quota for the key's user would be exceeded by
increasing the size of the key to accommodate the new payload
or the key quota for the keyring's user would be exceeded by
expanding the destination keyring.
EACCES The key exists, but is not writable by the requester.
This page is part of the keyutils (key management utilities) project.
Information about the project can be found at [unknown -- if you
know, please contact firstname.lastname@example.org] If you have a bug report for
this manual page, send it to email@example.com. This page was
obtained from the project's upstream Git repository
on 2016-10-04. If you discover any rendering problems in this HTML
version of the page, or you believe there is a better or more up-to-
date source for the page, or you have corrections or improvements to
the information in this COLOPHON (which is not part of the original
manual page), send a mail to firstname.lastname@example.org
Linux 4 May 2006 KEYCTL_INSTANTIATE(3)