KEYCTL_INSTANTIATE(3) Linux Key Management Calls KEYCTL_INSTANTIATE(3)
keyctl_assume_authority - Assume the authority to instantiate a key
keyctl_instantiate - Instantiate a key from flat data
keyctl_instantiate_iov - Instantiate a key from segmented data
keyctl_reject - Negatively instantiate a key specifying search error
keyctl_negate - Negatively instantiate a key
long keyctl_assume_authority(key_serial_t key);
long keyctl_instantiate(key_serial_t key, const void *payload,
size_t plen, key_serial_t keyring);
long keyctl_instantiate_iov(key_serial_t key,
const struct iovec *payload_iov, unsigned ioc,
long keyctl_negate(key_serial_t key, unsigned timeout,
long keyctl_reject(key_serial_t key, unsigned timeout,
unsigned error, key_serial_t keyring);
keyctl_assume_authority() assumes the authority for the calling thread to deal with and
instantiate the specified uninstantiated key.
The calling thread must have the appopriate authorisation key resident in one of its
keyrings for this to succeed, and that authority must not have been revoked.
The authorising key is allocated by request_key() when it needs to invoke userspace to
generate a key for the requesting process. This is then attached to one of the keyrings
of the userspace process to which the task of instantiating the key is given:
requester -> request_key() -> instantiator
Calling this function modifies the way request_key() works when called thereafter by the
calling (instantiator) thread; once the authority is assumed, the keyrings of the initial
process are added to the search path, using the initial process's UID, GID, groups and
If a thread has multiple instantiations to deal with, it may call this function to change
the authorisation key currently in effect. Supplying a zero key de-assumes the currently
NOTE! This is a per-thread setting and not a per-process setting so that a multithreaded
process can be used to instantiate several keys at once.
keyctl_instantiate() instantiates the payload of an uninstantiated key from the data spec-
ified. payload and plen specify the data for the new payload. payload may be NULL and
plen may be zero if the key type permits that. The key type may reject the data if it's
in the wrong format or in some other way invalid.
keyctl_instantiate_iov() is similar, but the data is passed in an array of iovec structs
instead of in a flat buffer. payload_iov points to the base of the array and ioc indi-
cates how many elements there are. payload_iov may be NULL or ioc may be zero to indicate
that no data is being supplied.
keyctl_reject() marks a key as negatively instantiated and sets the expiration timer on
it. timeout specifies the lifetime of the key in seconds. error specifies the error to
be returned when a search hits the key (this is typically EKEYREJECTED, EKEYREVOKED or
EKEYEXPIRED). Note that keyctl_reject() falls back to keyctl_negate() if the kernel does
not support it.
keyctl_negate() as keyctl_reject() with an error code of ENOKEY.
Only a key for which authority has been assumed may be instantiated or negatively instan-
tiated, and once instantiated, the authorisation key will be revoked and the requesting
process will be able to resume.
The destination keyring, if given, is assumed to belong to the initial requester, and not
the instantiating process. Therefore, the special keyring IDs refer to the requesting
process's keyrings, not the caller's, and the requester's UID, etc. will be used to access
The destination keyring can be zero if no extra link is desired.
The requester, not the caller, must have write permission on the destination for a link to
be made there.
On success keyctl_instantiate() returns 0. On error, the value -1 will be returned and
errno will have been set to an appropriate error.
ENOKEY The key or keyring specified is invalid.
The keyring specified has expired.
The key or keyring specified had been revoked, or the authorisation has been
EINVAL The payload data was invalid.
ENOMEM Insufficient memory to store the new payload or to expand the destination keyring.
EDQUOT The key quota for the key's user would be exceeded by increasing the size of the
key to accommodate the new payload or the key quota for the keyring's user would be
exceeded by expanding the destination keyring.
EACCES The key exists, but is not writable by the requester.
This is a library function that can be found in libkeyutils. When linking, -lkeyutils
should be specified to the linker.
Linux 4 May 2006 KEYCTL_INSTANTIATE(3)