Unix/Linux Go Back    


CentOS 7.0 - man page for keyctl_negate (centos section 3)

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:   man
Select Man Page Set:       apropos Keyword Search (sections above)


KEYCTL_INSTANTIATE(3)		    Linux Key Management Calls		    KEYCTL_INSTANTIATE(3)

NAME
       keyctl_assume_authority - Assume the authority to instantiate a key
       keyctl_instantiate - Instantiate a key from flat data
       keyctl_instantiate_iov - Instantiate a key from segmented data
       keyctl_reject - Negatively instantiate a key specifying search error
       keyctl_negate - Negatively instantiate a key

SYNOPSIS
       #include <keyutils.h>

       long keyctl_assume_authority(key_serial_t key);

       long keyctl_instantiate(key_serial_t key, const void *payload,
       size_t plen, key_serial_t keyring);

       long keyctl_instantiate_iov(key_serial_t key,
       const struct iovec *payload_iov, unsigned ioc,
       key_serial_t keyring);

       long keyctl_negate(key_serial_t key, unsigned timeout,
       key_serial_t keyring);

       long keyctl_reject(key_serial_t key, unsigned timeout,
       unsigned error, key_serial_t keyring);

DESCRIPTION
       keyctl_assume_authority()  assumes  the	authority for the calling thread to deal with and
       instantiate the specified uninstantiated key.

       The calling thread must have the appopriate authorisation  key  resident  in  one  of  its
       keyrings for this to succeed, and that authority must not have been revoked.

       The  authorising  key  is  allocated by request_key() when it needs to invoke userspace to
       generate a key for the requesting process.  This is then attached to one of  the  keyrings
       of the userspace process to which the task of instantiating the key is given:

	      requester -> request_key() -> instantiator

       Calling	this  function modifies the way request_key() works when called thereafter by the
       calling (instantiator) thread; once the authority is assumed, the keyrings of the  initial
       process	are  added  to	the search path, using the initial process's UID, GID, groups and
       security context.

       If a thread has multiple instantiations to deal with, it may call this function to  change
       the  authorisation key currently in effect.  Supplying a zero key de-assumes the currently
       assumed authority.

       NOTE!  This is a per-thread setting and not a per-process setting so that a  multithreaded
       process can be used to instantiate several keys at once.

       keyctl_instantiate() instantiates the payload of an uninstantiated key from the data spec-
       ified.  payload and plen specify the data for the new payload.  payload may  be	NULL  and
       plen  may  be zero if the key type permits that.  The key type may reject the data if it's
       in the wrong format or in some other way invalid.

       keyctl_instantiate_iov() is similar, but the data is passed in an array of  iovec  structs
       instead	of  in	a flat buffer.	payload_iov points to the base of the array and ioc indi-
       cates how many elements there are.  payload_iov may be NULL or ioc may be zero to indicate
       that no data is being supplied.

       keyctl_reject()	marks  a  key as negatively instantiated and sets the expiration timer on
       it.  timeout specifies the lifetime of the key in seconds.  error specifies the	error  to
       be  returned  when  a  search hits the key (this is typically EKEYREJECTED, EKEYREVOKED or
       EKEYEXPIRED).  Note that keyctl_reject() falls back to keyctl_negate() if the kernel  does
       not support it.

       keyctl_negate() as keyctl_reject() with an error code of ENOKEY.

       Only  a key for which authority has been assumed may be instantiated or negatively instan-
       tiated, and once instantiated, the authorisation key will be revoked  and  the  requesting
       process will be able to resume.

       The  destination keyring, if given, is assumed to belong to the initial requester, and not
       the instantiating process.  Therefore, the special keyring IDs  refer  to  the  requesting
       process's keyrings, not the caller's, and the requester's UID, etc. will be used to access
       them.

       The destination keyring can be zero if no extra link is desired.

       The requester, not the caller, must have write permission on the destination for a link to
       be made there.

RETURN VALUE
       On  success  keyctl_instantiate()  returns 0.  On error, the value -1 will be returned and
       errno will have been set to an appropriate error.

ERRORS
       ENOKEY The key or keyring specified is invalid.

       EKEYEXPIRED
	      The keyring specified has expired.

       EKEYREVOKED
	      The key or keyring specified had	been  revoked,	or  the  authorisation	has  been
	      revoked.

       EINVAL The payload data was invalid.

       ENOMEM Insufficient memory to store the new payload or to expand the destination keyring.

       EDQUOT The  key	quota  for the key's user would be exceeded by increasing the size of the
	      key to accommodate the new payload or the key quota for the keyring's user would be
	      exceeded by expanding the destination keyring.

       EACCES The key exists, but is not writable by the requester.

LINKING
       This  is  a  library  function that can be found in libkeyutils.  When linking, -lkeyutils
       should be specified to the linker.

SEE ALSO
       keyctl(1),
       add_key(2),
       keyctl(2),
       request_key(2),
       keyctl(3),
       request-key(8)

Linux					    4 May 2006			    KEYCTL_INSTANTIATE(3)
Unix & Linux Commands & Man Pages : ©2000 - 2018 Unix and Linux Forums


All times are GMT -4. The time now is 03:21 PM.