NAME | SYNOPSIS | DESCRIPTION | RETURN VALUE | ERRORS | LINKING | SEE ALSO | COLOPHON

KEYCTL_INSTANTIATE(3)    Linux Key Management Calls    KEYCTL_INSTANTIATE(3)

NAME         top

       keyctl_assume_authority - Assume the authority to instantiate a key
       keyctl_instantiate - Instantiate a key from flat data
       keyctl_instantiate_iov - Instantiate a key from segmented data
       keyctl_reject - Negatively instantiate a key specifying search error
       keyctl_negate - Negatively instantiate a key

SYNOPSIS         top

       #include <keyutils.h>

       long keyctl_assume_authority(key_serial_t key);

       long keyctl_instantiate(key_serial_t key, const void *payload,
       size_t plen, key_serial_t keyring);

       long keyctl_instantiate_iov(key_serial_t key,
       const struct iovec *payload_iov, unsigned ioc,
       key_serial_t keyring);

       long keyctl_negate(key_serial_t key, unsigned timeout,
       key_serial_t keyring);

       long keyctl_reject(key_serial_t key, unsigned timeout,
       unsigned error, key_serial_t keyring);

DESCRIPTION         top

       keyctl_assume_authority() assumes the authority for the calling
       thread to deal with and instantiate the specified uninstantiated key.

       The calling thread must have the appopriate authorisation key
       resident in one of its keyrings for this to succeed, and that
       authority must not have been revoked.

       The authorising key is allocated by request_key() when it needs to
       invoke userspace to generate a key for the requesting process.  This
       is then attached to one of the keyrings of the userspace process to
       which the task of instantiating the key is given:

              requester -> request_key() -> instantiator

       Calling this function modifies the way request_key() works when
       called thereafter by the calling (instantiator) thread; once the
       authority is assumed, the keyrings of the initial process are added
       to the search path, using the initial process's UID, GID, groups and
       security context.

       If a thread has multiple instantiations to deal with, it may call
       this function to change the authorisation key currently in effect.
       Supplying a zero key de-assumes the currently assumed authority.

       NOTE!  This is a per-thread setting and not a per-process setting so
       that a multithreaded process can be used to instantiate several keys
       at once.

       keyctl_instantiate() instantiates the payload of an uninstantiated
       key from the data specified.  payload and plen specify the data for
       the new payload.  payload may be NULL and plen may be zero if the key
       type permits that.  The key type may reject the data if it's in the
       wrong format or in some other way invalid.

       keyctl_instantiate_iov() is similar, but the data is passed in an
       array of iovec structs instead of in a flat buffer.  payload_iov
       points to the base of the array and ioc indicates how many elements
       there are.  payload_iov may be NULL or ioc may be zero to indicate
       that no data is being supplied.

       keyctl_reject() marks a key as negatively instantiated and sets the
       expiration timer on it.  timeout specifies the lifetime of the key in
       seconds.  error specifies the error to be returned when a search hits
       the key (this is typically EKEYREJECTED, EKEYREVOKED or EKEYEXPIRED).
       Note that keyctl_reject() falls back to keyctl_negate() if the kernel
       does not support it.

       keyctl_negate() as keyctl_reject() with an error code of ENOKEY.

       Only a key for which authority has been assumed may be instantiated
       or negatively instantiated, and once instantiated, the authorisation
       key will be revoked and the requesting process will be able to
       resume.

       The destination keyring, if given, is assumed to belong to the
       initial requester, and not the instantiating process.  Therefore, the
       special keyring IDs refer to the requesting process's keyrings, not
       the caller's, and the requester's UID, etc. will be used to access
       them.

       The destination keyring can be zero if no extra link is desired.

       The requester, not the caller, must have write permission on the
       destination for a link to be made there.

RETURN VALUE         top

       On success keyctl_instantiate() returns 0.  On error, the value -1
       will be returned and errno will have been set to an appropriate
       error.

ERRORS         top

       ENOKEY The key or keyring specified is invalid.

       EKEYEXPIRED
              The keyring specified has expired.

       EKEYREVOKED
              The key or keyring specified had been revoked, or the
              authorisation has been revoked.

       EINVAL The payload data was invalid.

       ENOMEM Insufficient memory to store the new payload or to expand the
              destination keyring.

       EDQUOT The key quota for the key's user would be exceeded by
              increasing the size of the key to accommodate the new payload
              or the key quota for the keyring's user would be exceeded by
              expanding the destination keyring.

       EACCES The key exists, but is not writable by the requester.

LINKING         top

       This is a library function that can be found in libkeyutils.  When
       linking, -lkeyutils should be specified to the linker.

SEE ALSO         top

       keyctl(1),
       add_key(2),
       keyctl(2),
       request_key(2),
       keyctl(3),
       request-key(8),
       keyutils(7),
       keyrings(7)

COLOPHON         top

       This page is part of the keyutils (key management utilities) project.
       Information about the project can be found at [unknown -- if you
       know, please contact man-pages@man7.org] If you have a bug report for
       this manual page, send it to keyrings@linux-nfs.org.  This page was
       obtained from the project's upstream Git repository 
       ⟨http://git.kernel.org/pub/scm/linux/kernel/git/dhowells/keyutils.git⟩
       on 2016-10-04.  If you discover any rendering problems in this HTML
       version of the page, or you believe there is a better or more up-to-
       date source for the page, or you have corrections or improvements to
       the information in this COLOPHON (which is not part of the original
       manual page), send a mail to man-pages@man7.org

Linux                            4 May 2006            KEYCTL_INSTANTIATE(3)