CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/share/man/man3/keyctl_negate.3 @ 68:5028fdace37b

planemo upload commit 2e9511a184a1ca667c7be0c6321a36dc4e3d116d
author jpayne
date Tue, 18 Mar 2025 16:23:26 -0400
.\"
.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\"
.TH KEYCTL_INSTANTIATE 3 "4 May 2006" Linux "Linux Key Management Calls"
.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH NAME
keyctl_assume_authority, keyctl_instantiate, keyctl_instantiate_iov, keyctl_reject, keyctl_negate \- key instantiation functions
.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SYNOPSIS
.nf
.B #include <keyutils.h>
.sp
.BI "long keyctl_assume_authority(key_serial_t " key ");"
.sp
.BI "long keyctl_instantiate(key_serial_t " key ", const void *" payload ,
.BI "size_t " plen ", key_serial_t " keyring ");"
.sp
.BI "long keyctl_instantiate_iov(key_serial_t " key ,
.BI "const struct iovec *" payload_iov ", unsigned " ioc ,
.BI "key_serial_t " keyring ");"
.sp
.BI "long keyctl_negate(key_serial_t " key ", unsigned " timeout ,
.BI "key_serial_t " keyring ");"
.sp
.BI "long keyctl_reject(key_serial_t " key ", unsigned " timeout ,
.BI "unsigned " error ", key_serial_t " keyring ");"
.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH DESCRIPTION
.BR keyctl_assume_authority ()
assumes the authority for the calling thread to deal with and instantiate the
specified uninstantiated
.IR key .
.P
The calling thread must have the appropriate authorisation key resident in one
of its keyrings for this to succeed, and that authority must not have been
revoked.
.P
The authorising key is allocated by
.BR request_key ()
when it needs to invoke
userspace to generate a key for the requesting process. This is then attached
to one of the keyrings of the userspace process to which the task of
instantiating the key is given:
.IP
requester -> request_key() -> instantiator
.P
Calling this function modifies the way
.BR request_key ()
works when called thereafter by the calling (instantiator) thread; once the
authority is assumed, the keyrings of the initial process are added to the
search path, using the initial process's UID, GID, groups and security
context.
.P
If a thread has multiple instantiations to deal with, it may call this
function to change the authorisation key currently in effect. Supplying a
.B zero
.I key
de-assumes the currently assumed authority.
.P
.B NOTE!
This is a per-thread setting and not a per-process setting so that a
multithreaded process can be used to instantiate several keys at once.
.P
.BR keyctl_instantiate ()
instantiates the payload of an uninstantiated key from the data specified.
.I payload
and
.I plen
specify the data for the new payload.
.I payload
may be NULL and
.I plen
may be zero if the key type permits that. The key type may reject the data if
it's in the wrong format or in some other way invalid.
.P
.BR keyctl_instantiate_iov ()
is similar, but the data is passed in an array of iovec structs instead of in
a flat buffer.
.I payload_iov
points to the base of the array and
.I ioc
indicates how many elements there are.
.I payload_iov
may be NULL or
.I ioc
may be zero to indicate that no data is being supplied.
.P
.BR keyctl_reject ()
marks a key as negatively instantiated and sets the expiration timer on it.
.I timeout
specifies the lifetime of the key in seconds.
.I error
specifies the error to be returned when a search hits the key (this is
typically
.BR EKEYREJECTED ", " EKEYREVOKED " or " EKEYEXPIRED ")."
Note that
.BR keyctl_reject ()
falls back to
.BR keyctl_negate ()
if the kernel does not support it, in which case the requested
.I error
is lost and searches that hit the key report
.B ENOKEY
instead.
.P
.BR keyctl_negate ()
is equivalent to
.BR keyctl_reject ()
with an error code of
.BR ENOKEY .
.P
Only a key for which authority has been assumed may be instantiated or
negatively instantiated, and once instantiated, the authorisation key will be
revoked and the requesting process will be able to resume.
.P
The destination
.IR keyring ,
if given, is assumed to belong to the initial requester, and not the
instantiating process. Therefore, the special keyring IDs refer to the
requesting process's keyrings, not the caller's, and the requester's UID,
etc. will be used to access them.
.P
The destination keyring can be
.B zero
if no extra link is desired.
.P
The requester, not the caller, must have
.B write
permission on the destination for a link to be made there.
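.P
The following is an added illustration of the instantiator side of the flow
described above (request_key() -> /sbin/request-key -> instantiator); it is
not part of libkeyutils. It issues the commands through syscall(2) with the
command numbers from <linux/keyctl.h> rather than linking \-lkeyutils, the
secret table and the "secret:<name>" description scheme are constructed for
the example, and its command line is simplified (the real request-key program
receives the key and keyring IDs as arguments and the callout info on stdin).

```c
/* Request-key handler skeleton built on the keyctl(2) instantiation calls.
 * Added illustration, not keyutils code: kernel access goes through
 * syscall(2) with the command numbers from <linux/keyctl.h> so it builds
 * without -lkeyutils; the secret table and the "secret:<name>" description
 * scheme are constructed for the example. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

typedef int32_t key_serial_t;           /* as in <keyutils.h> */
/* Command numbers (stable UAPI values from <linux/keyctl.h>). */
#define KEYCTL_INSTANTIATE      12
#define KEYCTL_NEGATE           13
#define KEYCTL_ASSUME_AUTHORITY 16
#define KEYCTL_REJECT           19
#define KEYCTL(...) syscall(__NR_keyctl, __VA_ARGS__)

static long kc_assume_authority(key_serial_t key)
{ return KEYCTL(KEYCTL_ASSUME_AUTHORITY, key); }

static long kc_instantiate(key_serial_t key, const void *payload, size_t plen,
                           key_serial_t keyring)
{ return KEYCTL(KEYCTL_INSTANTIATE, key, payload, plen, keyring); }

static long kc_reject(key_serial_t key, unsigned timeout, unsigned error,
                      key_serial_t keyring)
{
    long r = KEYCTL(KEYCTL_REJECT, key, timeout, error, keyring);
    /* Pre-KEYCTL_REJECT kernels: fall back to NEGATE as libkeyutils does;
     * the distinguished error is then lost and searches see ENOKEY. */
    if (r == -1 && errno == EOPNOTSUPP)
        r = KEYCTL(KEYCTL_NEGATE, key, timeout, keyring);
    return r;
}

/* Constructed stand-in for the real secret source (vault, file, HSM ...). */
struct secret { const char *name; const char *value; };
static const struct secret TABLE[] = {
    { "db-password", "s3cr3t-pw" },
    { "api-token",   "tok_0123456789" },
};

/* Decision for one description, kept free of kernel calls so it is testable:
 * instantiate with payload, or reject with an errno and a negative lifetime. */
struct plan { int instantiate; const char *payload; unsigned error; unsigned timeout; };
static struct plan plan_for(const char *desc)
{
    struct plan p = { 0, NULL, 0, 0 };
    if (strncmp(desc, "secret:", 7) != 0) {
        p.error = EKEYREJECTED;         /* wrong scheme: cache the rejection 60 s */
        p.timeout = 60;
        return p;
    }
    for (size_t i = 0; i < sizeof TABLE / sizeof TABLE[0]; i++) {
        if (strcmp(desc + 7, TABLE[i].name) == 0) {
            p.instantiate = 1;
            p.payload = TABLE[i].value;
            return p;
        }
    }
    p.error = ENOKEY;                   /* unknown name: 10 s negative entry */
    p.timeout = 10;
    return p;
}

/* The handler proper; 0 once the kernel accepted the (negative) instantiation. */
static int handle_request(key_serial_t key, const char *desc)
{
    /* Works only if request_key() put a live authorisation key for this key
     * into one of our keyrings; the assumed authority is per-thread. */
    if (kc_assume_authority(key) < 0) {
        perror("assume_authority");
        return 1;
    }
    struct plan p = plan_for(desc);
    long r;
    if (p.instantiate)
        /* keyring 0: no extra link. A positive ID or KEY_SPEC_* value here is
         * resolved against the requester, with the requester's write permission. */
        r = kc_instantiate(key, p.payload, strlen(p.payload), 0);
    else
        r = kc_reject(key, p.timeout, p.error, 0);
    if (r < 0)
        perror(p.instantiate ? "instantiate" : "reject");
    kc_assume_authority(0);             /* de-assume; the kernel revoked it */
    return r < 0 ? 1 : 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <key-serial> <description>\n", argv[0]);
        return 2;
    }
    return handle_request((key_serial_t)strtol(argv[1], NULL, 10), argv[2]);
}
```

Build with cc and wire it into /etc/request-key.conf for the key type in
question. Run outside a request_key() callout it fails at
keyctl_assume_authority() with ENOKEY, because no authorisation key is present
in the caller's keyrings; that check is what stops an unrelated process from
instantiating someone else's pending key.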
.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH RETURN VALUE
On success all of these functions return
.BR 0 .
On error, the value
.B -1
will be returned and
.I errno
will have been set to an appropriate error.
.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH ERRORS
.TP
.B ENOKEY
The key or keyring specified is invalid.
.TP
.B EKEYEXPIRED
The keyring specified has expired.
.TP
.B EKEYREVOKED
The key or keyring specified had been revoked, or the authorisation has been
revoked.
.TP
.B EINVAL
The payload data was invalid.
.TP
.B ENOMEM
Insufficient memory to store the new payload or to expand the destination
keyring.
.TP
.B EDQUOT
The key quota for the key's user would be exceeded by increasing the size of
the key to accommodate the new payload or the key quota for the keyring's user
would be exceeded by expanding the destination keyring.
.TP
.B EACCES
The destination keyring exists, but is not
.B writable
by the requester (the requester's permissions, not the caller's, are checked).
.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH LINKING
This is a library function that can be found in
.IR libkeyutils .
When linking,
.B \-lkeyutils
should be specified to the linker.
.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
.SH SEE ALSO
.ad l
.nh
.BR keyctl (1),
.BR add_key (2),
.BR keyctl (2),
.BR request_key (2),
.BR keyctl (3),
.BR keyrings (7),
.BR keyutils (7),
.BR request\-key (8)