Man Linux: Main Page and Category List


       keyctl_assume_authority  -  Assume  the  authority to instantiate a key
       keyctl_instantiate -  Instantiate  a  key  keyctl_negate  -  Negatively
       instantiate a key


       #include <keyutils.h>

       long keyctl_assume_authority(key_serial_t key);

       long keyctl_instantiate(key_serial_t key, const char *payload,
       size_t plen, key_serial_t keyring);

       long keyctl_negate(key_serial_t key, unsigned timeout,
       key_serial_t keyring);


       keyctl_assume_authority()  assumes the authority for the calling thread
       to deal with and instantiate the specified uninstantiated key.

       The calling thread must have the appopriate authorisation key  resident
       in one of its keyrings for this to succeed, and that authority must not
       have been revoked.

       The authorising key is allocated by  request_key()  when  it  needs  to
       invoke userspace to generate a key for the requesting process.  This is
       then attached to one of the keyrings of the userspace process to  which
       the task of instantiating the key is given:

              requester -> request_key() -> instantiator

       Calling  this function modifies the way request_key() works when called
       thereafter by the calling (instantiator) thread; once the authority  is
       assumed,  the  keyrings  of the initial process are added to the search
       path, using  the  initial  process’s  UID,  GID,  groups  and  security

       If  a thread has multiple instantiations to deal with, it may call this
       function  to  change  the  authorisation  key  currently   in   effect.
       Supplying a zero key de-assumes the currently assumed authority.

       NOTE!   This  is  a per-thread setting and not a per-process setting so
       that a multithreaded process can be used to instantiate several keys at

       keyctl_instantiate()  instantiates the payload of an uninstantiated key
       from the data specified.  payload and plen specify the data for the new
       payload.   payload  may  be  NULL  and plen may be zero if the key type
       permits that.  The key type may reject the data if it’s  in  the  wrong
       format or in some other way invalid.

       keyctl_negate()  marks  a  key  as negatively instantiated and sets the
       expiration timer on it.  timeout specifies the lifetime of the  key  in

       Only  a key for which authority has been assumed may be instantiated or
       negatively instantiated, and once instantiated, the  authorisation  key
       will be revoked and the requesting process will be able to resume.

       The  destination keyring, if given, is assumed to belong to the initial
       requester, and not the instantiating process.  Therefore,  the  special
       keyring  IDs  refer  to  the  requesting  process’s  keyrings,  not the
       caller’s, and the requester’s UID, etc. will be used to access them.

       The destination keyring can be zero if no extra link is desired.

       The requester, not the  caller,  must  have  write  permission  on  the
       destination for a link to be made there.


       On success keyctl_instantiate() returns 0.  On error, the value -1 will
       be returned and errno will have been set to an appropriate error.


       ENOKEY The key or keyring specified is invalid.

              The keyring specified has expired.

              The  key  or  keyring  specified  had  been  revoked,   or   the
              authorisation has been revoked.

       EINVAL The payload data was invalid.

       ENOMEM Insufficient  memory  to  store the new payload or to expand the
              destination keyring.

       EDQUOT The key quota for the key’s user would be exceeded by increasing
              the  size  of  the key to accommodate the new payload or the key
              quota for the keyring’s user would be exceeded by expanding  the
              destination keyring.

       EACCES The key exists, but is not writable by the requester.


       This  is  a  library  function  that can be found in libkeyutils.  When
       linking, -lkeyutils should be specified to the linker.