author | David Howells <dhowells@redhat.com> | 2010-02-22 15:47:17 +0000 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2010-02-22 16:12:53 +0000 |
commit | c5da8369a833b818df5ed0a8600442fda26465d9 (patch) | |
tree | 4f7c9ae18b11c2debf5c8a356f167231a132d5c2 | |
parent | 557f01ce1fdd3cc78be3aa74f281160a581c2777 (diff) | |
download | keyutils-c5da8369a833b818df5ed0a8600442fda26465d9.tar.gz |
keyutils historical version 1.1
- Don't include the release number in the shared library filename
- Don't build static library
- More bug fixes from Fedora reviewer.
- Fix rpmlint errors
-rw-r--r-- | Makefile | 75 | ||||
-rw-r--r-- | add_key.2 | 137 | ||||
-rw-r--r-- | keyctl.2 | 166 | ||||
-rw-r--r-- | keyctl_chown.3 | 122 | ||||
-rw-r--r-- | keyctl_clear.3 | 107 | ||||
-rw-r--r-- | keyctl_describe.3 | 142 | ||||
-rw-r--r-- | keyctl_get_keyring_ID.3 | 130 | ||||
-rw-r--r-- | keyctl_instantiate.3 | 185 | ||||
-rw-r--r-- | keyctl_join_session_keyring.3 | 116 | ||||
-rw-r--r-- | keyctl_link.3 | 140 | ||||
-rw-r--r-- | keyctl_read.3 | 141 | ||||
-rw-r--r-- | keyctl_revoke.3 | 107 | ||||
-rw-r--r-- | keyctl_search.3 | 172 | ||||
-rw-r--r-- | keyctl_set_reqkey_keyring.3 | 132 | ||||
-rw-r--r-- | keyctl_set_timeout.3 | 115 | ||||
-rw-r--r-- | keyctl_setperm.3 | 164 | ||||
-rw-r--r-- | keyctl_update.3 | 130 | ||||
-rw-r--r-- | keyutils.spec | 49 | ||||
-rw-r--r-- | request_key.2 | 141 |
19 files changed, 2438 insertions, 33 deletions
@@ -2,14 +2,19 @@ CFLAGS := -g -O2 -Wall
 INSTALL := install
 DESTDIR :=
 MAJOR := 1
-MINOR := 0
-RELEASE :=
-VERSION := $(MAJOR).$(MINOR)$(RELEASE)
+MINOR := 1
+VERSION := $(MAJOR).$(MINOR)
 NO_GLIBC_KEYERR := 0
 NO_GLIBC_KEYSYS := 0
+NO_ARLIB := 0
 BUILDFOR :=
+ETCDIR := /etc
+BINDIR := /bin
+SBINDIR := /sbin
 LIBDIR := /lib
 USRLIBDIR := /usr/lib
+SHAREDIR := /usr/share/keyutils
+INCLUDEDIR := /usr/include
 ARLIB := libkeyutils.a
 DEVELLIB := libkeyutils.so
 SONAME := libkeyutils.so.$(MAJOR)
@@ -40,11 +45,13 @@ USRLIBDIR := /usr/lib64
 endif
 endif
-all: $(ARLIB) $(DEVELLIB) keyctl request-key
-
-
+ifeq ($(NO_ARLIB),0)
+all: $(ARLIB)
 $(ARLIB): keyutils.o
 $(AR) rcs $@ $<
+endif
+
+all: $(DEVELLIB) keyctl request-key
 keyutils.o: keyutils.c keyutils.h Makefile
 $(CC) $(CFLAGS) -UNO_GLIBC_KEYERR -o $@ -c $<
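Review bot: The new `ifeq ($(NO_ARLIB),0)` guard around `all: $(ARLIB)` is an exact string comparison, so `make NO_ARLIB=` or a value carrying stray whitespace silently drops the static library instead of failing. The same test is repeated inside the `install` recipe in the third hunk, so both places change together. Comparing the stripped value, `ifeq ($(strip $(NO_ARLIB)),0)`, and putting a one-line comment above `NO_ARLIB := 0` such as `# set to 1 to skip building and installing libkeyutils.a` would make the knob's contract explicit. `all` is now declared in two places and no `.PHONY` line is visible in these hunks, so confirm one exists elsewhere in the file.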
@@ -72,20 +79,50 @@ request-key: request-key.c keyutils.h Makefile
 $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -L. -lkeyutils -Wl,-rpath,$(LIB)
+MAN1 := $(DESTDIR)/usr/share/man/man1
+MAN2 := $(DESTDIR)/usr/share/man/man2
+MAN3 := $(DESTDIR)/usr/share/man/man3
+MAN5 := $(DESTDIR)/usr/share/man/man5
+MAN8 := $(DESTDIR)/usr/share/man/man8
+
 install: all
- $(INSTALL) -D $(ARLIB) $(DESTDIR)/$(USRLIBDIR)/$(ARLIB)
- $(INSTALL) -D $(LIBNAME) $(DESTDIR)/$(LIBDIR)/$(LIBNAME)
- $(LNS) $(LIBNAME) $(DESTDIR)/$(LIBDIR)/$(SONAME)
- mkdir -p $(DESTDIR)/$(USRLIBDIR)
- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)/$(USRLIBDIR)/$(DEVELLIB)
- $(INSTALL) -D keyctl $(DESTDIR)/bin/keyctl
- $(INSTALL) -D request-key $(DESTDIR)/sbin/request-key
- $(INSTALL) -D request-key.conf $(DESTDIR)/etc/request-key.conf
- $(INSTALL) -D request-key-debug.sh $(DESTDIR)/usr/share/keyutils/request-key-debug.sh
- $(INSTALL) -D keyctl.1 $(DESTDIR)/usr/share/man/man1/keyctl.1
- $(INSTALL) -D request-key.conf.5 $(DESTDIR)/usr/share/man/man5/request-key.conf.5
- $(INSTALL) -D request-key.8 $(DESTDIR)/usr/share/man/man8/request-key.8
- $(INSTALL) -D keyutils.h $(DESTDIR)/usr/include/keyutils.h
+ifeq ($(NO_ARLIB),0)
+ $(INSTALL) -D -m 0644 $(ARLIB) $(DESTDIR)$(USRLIBDIR)/$(ARLIB)
+endif
+ $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME)
+ $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME)
+ mkdir -p $(DESTDIR)$(USRLIBDIR)
+ $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
+ $(INSTALL) -D keyctl $(DESTDIR)$(BINDIR)/keyctl
+ $(INSTALL) -D request-key $(DESTDIR)$(SBINDIR)/request-key
+ $(INSTALL) -D request-key-debug.sh $(DESTDIR)$(SHAREDIR)/request-key-debug.sh
+ $(INSTALL) -D -m 0644 request-key.conf $(DESTDIR)$(ETCDIR)/request-key.conf
+ $(INSTALL) -D -m 0644 keyctl.1 $(MAN1)/keyctl.1
+ $(INSTALL) -D -m 0644 add_key.2 $(MAN2)/add_key.2
+ $(INSTALL) -D -m 0644 keyctl.2 $(MAN2)/keyctl.2
+ $(INSTALL) -D -m 0644 request_key.2 $(MAN2)/request_key.2
+ $(INSTALL) -D -m 0644 keyctl_chown.3 $(MAN3)/keyctl_chown.3
+ $(INSTALL) -D -m 0644 keyctl_clear.3 $(MAN3)/keyctl_clear.3
+ $(INSTALL) -D -m 0644 keyctl_describe.3 $(MAN3)/keyctl_describe.3
+ $(LNS) keyctl_describe.3 $(MAN3)/keyctl_describe_alloc.3
+ $(INSTALL) -D -m 0644 keyctl_get_keyring_ID.3 $(MAN3)/keyctl_get_keyring_ID.3
+ $(INSTALL) -D -m 0644 keyctl_instantiate.3 $(MAN3)/keyctl_instantiate.3
+ $(LNS) keyctl_instantiate.3 $(MAN3)/keyctl_negate.3
+ $(LNS) keyctl_instantiate.3 $(MAN3)/keyctl_assume_authority.3
+ $(INSTALL) -D -m 0644 keyctl_join_session_keyring.3 $(MAN3)/keyctl_join_session_keyring.3
+ $(INSTALL) -D -m 0644 keyctl_link.3 $(MAN3)/keyctl_link.3
+ $(LNS) keyctl_link.3 $(MAN3)/keyctl_unlink.3
+ $(INSTALL) -D -m 0644 keyctl_read.3 $(MAN3)/keyctl_read.3
+ $(LNS) keyctl_read.3 $(MAN3)/keyctl_read_alloc.3
+ $(INSTALL) -D -m 0644 keyctl_revoke.3 $(MAN3)/keyctl_revoke.3
+ $(INSTALL) -D -m 0644 keyctl_search.3 $(MAN3)/keyctl_search.3
+ $(INSTALL) -D -m 0644 keyctl_setperm.3 $(MAN3)/keyctl_setperm.3
+ $(INSTALL) -D -m 0644 keyctl_set_reqkey_keyring.3 $(MAN3)/keyctl_set_reqkey_keyring.3
+ $(INSTALL) -D -m 0644 keyctl_set_timeout.3 $(MAN3)/keyctl_set_timeout.3
+ $(INSTALL) -D -m 0644 keyctl_update.3 $(MAN3)/keyctl_update.3
+ $(INSTALL) -D -m 0644 request-key.conf.5 $(MAN5)/request-key.conf.5
+ $(INSTALL) -D -m 0644 request-key.8 $(MAN8)/request-key.8
+ $(INSTALL) -D -m 0644 keyutils.h $(DESTDIR)$(INCLUDEDIR)/keyutils.h
 clean:
 $(RM) libkeyutils*
diff --git a/add_key.2 b/add_key.2
new file mode 100644
index 0000000..e713f00
--- /dev/null
+++ b/add_key.2
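Review bot: In the Makefile `install` recipe the executables (`$(LIBNAME)`, `keyctl`, `request-key`, `request-key-debug.sh`) are still installed without `-m`, while every data file in the same recipe now gets `-m 0644`. `install` normally defaults to 0755, but `INSTALL` is an overridable variable, and `request-key` together with `request-key.conf` decides which helper programs run when a key request is handed to userspace. Pinning the mode there is cheap hardening: `$(INSTALL) -D -m 0755 request-key $(DESTDIR)$(SBINDIR)/request-key`, and likewise for the other three. The unchanged link line at the top of the hunk passes `-Wl,-rpath,$(LIB)`, and `LIB` is defined outside this hunk, so check that it can never expand to an empty or relative path in the installed binary. As a style point, `MAN1`…`MAN8` hard-code `/usr/share/man` and bake `$(DESTDIR)` in, unlike the new `ETCDIR`/`BINDIR`/`SHAREDIR` variables; a `MANDIR := /usr/share/man` used as `$(DESTDIR)$(MANDIR)/man3` would be consistent.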
@@ -0,0 +1,137 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH ADD_KEY 2 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+add_key \- Add a key to the kernel's key management facility
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "key_serial_t add_key(const char *" type ", const char *" description ,
+.BI "const void *" payload ", size_t " plen ", key_serial_t " keyring ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR add_key ()
+asks the kernel to create or update a key of the given
+.I type
+and
+.IR description ,
+instantiate it with the
+.I payload
+of length
+.IR plen ,
+and to attach it to the nominated
+.I keyring
+and to return its serial number.
+.P
+The key type may reject the data if it's in the wrong format or in some other
+way invalid.
+.P
+If the destination
+.I keyring
+already contains a key that matches the specified
+.IR type " and " description
+then, if the key type supports it, that key will be updated rather than a new
+key being created; if not, a new key will be created and it will displace the
+link to the extant key from the keyring.
+.P
+The destination
+.I keyring
+serial number may be that of a valid keyring to which the caller has write
+permission, or it may be a special keyring ID:
+.TP
+.B KEY_SPEC_THREAD_KEYRING
+This specifies the caller's thread-specific keyring.
+.TP
+.B KEY_SPEC_PROCESS_KEYRING
+This specifies the caller's process-specific keyring.
+.TP
+.B KEY_SPEC_SESSION_KEYRING
+This specifies the caller's session-specific keyring.
+.TP
+.B KEY_SPEC_USER_KEYRING
+This specifies the caller's UID-specific keyring.
+.TP
+.B KEY_SPEC_USER_SESSION_KEYRING
+This specifies the caller's UID-session keyring.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH KEY TYPES
+There are a number of key types available in the core key management code, and
+these can be specified to this function:
+.TP
+.B \*(lquser\*(rq
+Keys of the user-defined key type may contain a blob of arbitrary data, and the
+.I description
+may be any valid string, though it is preferred that the description be
+prefixed with a string representing the service to which the key is of interest
+and a colon (for instance
+.RB \*(lq afs:mykey \*(rq).
+The
+.I payload
+may be empty or
+.B NULL
+for keys of this type.
+.TP
+.B \*(lqkeyring\*(rq
+Keyrings are special key types that may contain links to sequences of other
+keys of any type. If this interface is used to create a keyring, then a
+.B NULL
+.I payload
+should be specified, and
+.I plen
+should be zero.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR add_key ()
+returns the serial number of the key it created or updated.
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The keyring doesn't exist.
+.TP
+.B EKEYEXPIRED
+The keyring has expired.
+.TP
+.B EKEYREVOKED
+The keyring has been revoked.
+.TP
+.B EINVAL
+The payload data was invalid.
+.TP
+.B ENOMEM
+Insufficient memory to create a key.
+.TP
+.B EDQUOT
+The key quota for this user would be exceeded by creating this key or linking
+it to the keyring.
+.TP
+.B EACCES
+The keyring wasn't available for modification by the user.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+Although this is a Linux system call, it is not present in
+.I libc
+but can be found rather in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.BR keyctl (2),
+.BR request_key (2)
diff --git a/keyctl.2 b/keyctl.2
new file mode 100644
index 0000000..9769b16
--- /dev/null
+++ b/keyctl.2
@@ -0,0 +1,166 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL 2 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl \- Manipulate the kernel's key management facility
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl(int " cmd ", ...);"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl ()
+has a number of functions available:
+.TP
+.B KEYCTL_GET_KEYRING_ID
+Ask for a keyring's ID.
+.TP
+.B KEYCTL_JOIN_SESSION_KEYRING
+Join or start named session keyring.
+.TP
+.B KEYCTL_UPDATE
+Update a key.
+.TP
+.B KEYCTL_REVOKE
+Revoke a key.
+.TP
+.B KEYCTL_CHOWN
+Set ownership of a key.
+.TP
+.B KEYCTL_SETPERM
+Set perms on a key.
+.TP
+.B KEYCTL_DESCRIBE
+Describe a key.
+.TP
+.B KEYCTL_CLEAR
+Clear contents of a keyring.
+.TP
+.B KEYCTL_LINK
+Link a key into a keyring.
+.TP
+.B KEYCTL_UNLINK
+Unlink a key from a keyring.
+.TP
+.B KEYCTL_SEARCH
+Search for a key in a keyring.
+.TP
+.B KEYCTL_READ
+Read a key or keyring's contents.
+.TP
+.B KEYCTL_INSTANTIATE
+Instantiate a partially constructed key.
+.TP
+.B KEYCTL_NEGATE
+Negate a partially constructed key.
+.TP
+.B KEYCTL_SET_REQKEY_KEYRING
+Set default request-key keyring.
+.TP
+.B KEYCTL_SET_TIMEOUT
+Set timeout on a key.
+.TP
+.B KEYCTL_ASSUME_AUTHORITY
+Assume authority to instantiate key.
+.P
+These are wrapped by
+.B libkeyutils
+into individual functions to permit compiler the compiler to check types.
+See the
+.B See Also
+section at the bottom.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl ()
+returns the serial number of the key it found.
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+No matching key was found or an invalid key was specified.
+.TP
+.B EKEYEXPIRED
+An expired key was found or specified.
+.TP
+.B EKEYREVOKED
+A revoked key was found or specified.
+.TP
+.B EKEYREJECTED
+A rejected key was found or specified.
+.TP
+.B EDQUOT
+The key quota for the caller's user would be exceeded by creating a key or
+linking it to the keyring.
+.TP
+.B EACCES
+A key operation wasn't permitted.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+Although this is a Linux system call, it is not present in
+.I libc
+but can be found rather in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_chown.3 b/keyctl_chown.3
new file mode 100644
index 0000000..3589ffe
--- /dev/null
+++ b/keyctl_chown.3
@@ -0,0 +1,122 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_CHOWN 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_chown \- Change the ownership of a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_chown(key_serial_t " key ", uid_t " uid ", gid_t " gid ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_chown ()
+changes the user and group ownership details of a key.
+.P
+A setting of
+.B -1
+on either
+.I uid
+or
+.I gid
+will cause that setting to be ignored.
+.P
+A process that does not have the
+.B SysAdmin
+capability may not change a key's UID or set the key's GID to a value that
+does not match the process's GID or one of its group list.
+.P
+The caller must have
+.B setattr
+permission on a key to be able change its ownership.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_chown ()
+returns
+.B 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The specied key does not exist.
+.TP
+.B EKEYEXPIRED
+The specified key has expired.
+.TP
+.B EKEYREVOKED
+The specified key has been revoked.
+.TP
+.B EDQUOT
+Changing the UID to the one specified would run that UID out of quota.
+.TP
+.B EACCES
+The key exists, but does not grant
+.B setattr
+permission to the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_clear.3 b/keyctl_clear.3
new file mode 100644
index 0000000..3ec29b6
--- /dev/null
+++ b/keyctl_clear.3
@@ -0,0 +1,107 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_CLEAR 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_clear \- Clear a keyring
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_clear(key_serial_t " keyring ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_clear ()
+clears the contents of a
+.IR keyring .
+.P
+The caller must have
+.B write
+permission on a keyring to be able clear it.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_clear ()
+returns
+.BR 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The keyring specified is invalid.
+.TP
+.B EKEYEXPIRED
+The keyring specified has expired.
+.TP
+.B EKEYREVOKED
+The keyring specified had been revoked.
+.TP
+.B EACCES
+The keyring exists, but is not
+.B writable
+by the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_describe.3 b/keyctl_describe.3
new file mode 100644
index 0000000..473bca5
--- /dev/null
+++ b/keyctl_describe.3
@@ -0,0 +1,142 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_DESCRIBE 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_describe \- Describe a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_describe(key_serial_t " key ", char *" buffer ,
+.BI "size_t" buflen ");"
+.sp
+.BI "long keyctl_describe_alloc(key_serial_t " key ", char **" _buffer ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_describe ()
+describes the attributes of a key as a NUL-terminated string.
+.P
+The caller must have
+.B view
+permission on a key to be able to get a description of it.
+.P
+.I buffer
+and
+.I buflen
+specify the buffer into which the key description will be placed. If the
+buffer is too small, the full size of the description will be returned, and no
+copy will take place.
+.P
+.BR keyctl_describe_alloc ()
+is similar to
+.BR keyctl_describe ()
+except that it allocates a buffer big enough to hold the description and
+places the description in it. If successful, A pointer to the buffer is
+placed in
+.IR *_buffer .
+The caller must free the buffer.
+.P
+The description will be a string of format:
+.IP
+.B "\*(lq%s;%d;%d;%08x;%s\*(rq"
+.P
+where the arguments are: key type name, key UID, key GID, key permissions mask
+and key description.
+.P
+.B NOTE!
+The key description will not contain any semicolons, so that should be
+separated out by working backwards from the end of the string. This permits
+extra information to be inserted before it by later versions of the kernel
+simply by inserting more semicolon-terminated substrings.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_describe ()
+returns the amount of data placed into the buffer. If the buffer was too
+small, then the size of buffer required will be returned, but no data will be
+transferred. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.P
+On success
+.BR keyctl_describe_alloc ()
+returns the amount of data in the buffer, less the NUL terminator. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The key specified is invalid.
+.TP
+.B EKEYEXPIRED
+The key specified has expired.
+.TP
+.B EKEYREVOKED
+The key specified had been revoked.
+.TP
+.B EACCES
+The key exists, but is not
+.B viewable
+by the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_get_keyring_ID.3 b/keyctl_get_keyring_ID.3
new file mode 100644
index 0000000..b0e2fd0
--- /dev/null
+++ b/keyctl_get_keyring_ID.3
@@ -0,0 +1,130 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_GET_KEYRING_ID 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_get_keyring_ID \- Get the ID of a special keyring
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "key_serial_t keyctl_get_keyring_ID(key_serial_t " key ","
+.BI " int " create ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_get_keyring_ID ()
+maps a special
+.I key
+or keyring ID to the serial number of the key actually representing that
+feature. The serial number will be returned if that key exists.
+.P
+If the key or keyring does not yet exist, then if
+.I create
+is non-zero, the key or keyring will be created if it is appropriate to do so.
+.P
+The following special key IDs may be specified as
+.IR key :
+.TP
+.B KEY_SPEC_THREAD_KEYRING
+This specifies the caller's thread-specific keyring.
+.TP
+.B KEY_SPEC_PROCESS_KEYRING
+This specifies the caller's process-specific keyring.
+.TP
+.B KEY_SPEC_SESSION_KEYRING
+This specifies the caller's session-specific keyring.
+.TP
+.B KEY_SPEC_USER_KEYRING
+This specifies the caller's UID-specific keyring.
+.TP
+.B KEY_SPEC_USER_SESSION_KEYRING
+This specifies the caller's UID-session keyring.
+.TP
+.B KEY_SPEC_REQKEY_AUTH_KEY
+This specifies the authorisation key created by
+.BR request_key ()
+and passed to the process it spawns to generate a key.
+.P
+If a valid keyring ID is passed in, then this will simply be returned if the
+key exists; an error will be issued if it doesn't exist.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_get_keyring_ID ()
+returns the serial number of the key it found. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+No matching key was found.
+.TP
+.B ENOMEM
+Insufficient memory to create a key.
+.TP
+.B EDQUOT
+The key quota for this user would be exceeded by creating this key or linking
+it to the keyring.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_instantiate.3 b/keyctl_instantiate.3
new file mode 100644
index 0000000..2240597
--- /dev/null
+++ b/keyctl_instantiate.3
@@ -0,0 +1,185 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_INSTANTIATE 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_assume_authority \- Assume the authority to instantiate a key
+keyctl_instantiate \- Instantiate a key
+keyctl_negate \- Negatively instantiate a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_assume_authority(key_serial_t " key ");"
+.sp
+.BI "long keyctl_instantiate(key_serial_t " key ", const char *" payload ,
+.BI "size_t " plen ", key_serial_t " keyring ");"
+.sp
+.BI "long keyctl_negate(key_serial_t " key ", unsigned " timeout ,
+.BI "key_serial_t " keyring ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_assume_authority ()
+assumes the authority for the calling thread to deal with and instantiate the
+specified uninstantiated
+.IR key .
+.P
+The calling thread must have the appopriate authorisation key resident in one
+of its keyrings for this to succeed, and that authority must not have been
+revoked.
+.P
+The authorising key is allocated by request_key() when it needs to invoke
+userspace to generate a key for the requesting process.
This is then attached
+to one of the keyrings of the userspace process to which the task of
+instantiating the key is given:
+.IP
+requester -> request_key() -> instantiator
+.P
+Calling this function modifies the way
+.BR request_key ()
+works when called thereafter by the calling (instantiator) thread; once the
+authority is assumed, the keyrings of the initial process are added to the
+search path, using the initial process's UID, GID, groups and security
+context.
+.P
+If a thread has multiple instantiations to deal with, it may call this
+function to change the authorisation key currently in effect. Supplying a
+.B zero
+.I key
+de-assumes the currently assumed authority.
+.P
+.B NOTE!
+This is a per-thread setting and not a per-process setting so that a
+multithreaded process can be used to instantiate several keys at once.
+.P
+.BR keyctl_instantiate ()
+instantiates the payload of an uninstantiated key from the data specified.
+.I payload
+and
+.I plen
+specify the data for the new payload.
+.I payload
+may be NULL and
+.I plen
+may be zero if the key type permits that. The key type may reject the data if
+it's in the wrong format or in some other way invalid.
+.P
+.BR keyctl_negate ()
+marks a key as negatively instantiated and sets the expiration timer on it.
+.I timeout
+specifies the lifetime of the key in seconds.
+.P
+Only a key for which authority has been assumed may be instantiated or
+negatively instantiated, and once instantiated, the authorisation key will be
+revoked and the requesting process will be able to resume.
+.P
+The destination
+.IR keyring ,
+if given, is assumed to belong to the initial requester, and not the
+instantiating process. Therefore, the special keyring IDs refer to the
+requesting process's keyrings, not the caller's, and the requester's UID,
+etc. will be used to access them.
+.P
+The destination keyring can be
+.B zero
+if no extra link is desired.
+.P
+The requester, not the caller, must have
+.B write
+permission on the destination for a link to be made there.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_instantiate ()
+returns
+.BR 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The key or keyring specified is invalid.
+.TP
+.B EKEYEXPIRED
+The keyring specified has expired.
+.TP
+.B EKEYREVOKED
+The key or keyring specified had been revoked, or the authorisation has been
+revoked.
+.TP
+.B EINVAL
+The payload data was invalid.
+.TP
+.B ENOMEM
+Insufficient memory to store the new payload or to expand the destination
+keyring.
+.TP
+.B EDQUOT
+The key quota for the key's user would be exceeded by increasing the size of
+the key to accommodate the new payload or the key quota for the keyring's user
+would be exceeded by expanding the destination keyring.
+.TP
+.B EACCES
+The key exists, but is not
+.B writable
+by the requester.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_join_session_keyring.3 b/keyctl_join_session_keyring.3
new file mode 100644
index 0000000..b1a3cba
--- /dev/null
+++ b/keyctl_join_session_keyring.3
@@ -0,0 +1,116 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_JOIN_SESSION_KEYRING 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_join_session_keyring \- Join a different session keyring
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "key_serial_t keyctl_join_session_keyring(const char *" name ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_join_session_keyring ()
+changes the session keyring to which a process is subscribed.
+.P
+If
+.I name
+is
+.B NULL
+then a new anonymous keyring will be created, and the process will be
+subscribed to that.
+.P
+If
+.I name
+points to a string, then if a keyring of that name is available, the process
+will attempt to subscribe to that keyring, giving an error if that is not
+permitted; otherwise a new keyring of that name is created and attached as the
+session keyring.
+.P
+To attach to an extant named keyring, the keyring must have
+.B search
+permission available to the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_join_session_keyring ()
+returns the serial number of the key it found or created. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOMEM
+Insufficient memory to create a key.
+.TP
+.B EDQUOT
+The key quota for this user would be exceeded by creating this key or linking
+it to the keyring.
+.TP
+.B EACCES
+The named keyring exists, but is not
+.B searchable
+by the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_link.3 b/keyctl_link.3
new file mode 100644
index 0000000..b1f599d
--- /dev/null
+++ b/keyctl_link.3
@@ -0,0 +1,140 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_LINK 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_link \- Link a key to a keyring
+keyctl_unlink \- Unlink a key from a keyring
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_link(key_serial_t " key ", key_serial_t " keyring ");"
+.sp
+.BI "long keyctl_unlink(key_serial_t " key ", key_serial_t " keyring ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_link ()
+creates a link from
+.I keyring
+to
+.IR key ,
+displacing any link to another key of the same type and description in that
+keyring if one exists.
+.P
+.BR keyctl_unlink ()
+removes the link from
+.I keyring
+to
+.I key
+if it exists.
+.P
+The caller must have
+.B write
+permission on a keyring to be able create or remove links in it.
+.P
+The caller must have
+.B link
+permission on a key to be able to create a link to it.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_link ()
+and
+.BR keyctl_unlink ()
+return
+.BR 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The key or the keyring specified are invalid.
+.TP
+.B EKEYEXPIRED
+The key or the keyring specified have expired.
+.TP
+.B EKEYREVOKED
+The key or the keyring specified have been revoked.
+.TP
+.B EACCES
+The keyring exists, but is not
+.B writable
+by the calling process.
+.P
+For
+.BR keyctl_link ()
+only:
+.TP
+.B ENOMEM
+Insufficient memory to expand the keyring
+.TP
+.B EDQUOT
+Expanding the keyring would exceed the keyring owner's quota.
+.TP
+.B EACCES
+The key exists, but is not
+.B linkable
+by the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_read.3 b/keyctl_read.3
new file mode 100644
index 0000000..f0257b5
--- /dev/null
+++ b/keyctl_read.3
@@ -0,0 +1,141 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_READ 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_read \- Read a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_read(key_serial_t " key ", char *" buffer ,
+.BI "size_t" buflen ");"
+.sp
+.BI "long keyctl_read_alloc(key_serial_t " key ", char **" _buffer ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_read ()
+reads the payload of a key if the key type supports it.
+.P
+The caller must have
+.B read
+permission on a key to be able to read it.
+.P
+.I buffer
+and
+.I buflen
+specify the buffer into which the payload data will be placed. If the buffer
+is too small, the full size of the payload will be returned, and no copy will
+take place.
+.P
+.BR keyctl_read_alloc ()
+is similar to
+.BR keyctl_read ()
+except that it allocates a buffer big enough to hold the payload data and
+places the data in it. If successful, A pointer to the buffer is placed in
+.IR *_buffer .
+The caller must free the buffer.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH READING KEYRINGS
+This call can be used to list the contents of a keyring. The data is
+presented to the user as an array of
+.B key_serial_t
+values, each of which corresponds to a key to which the keyring holds a link.
+.P
+The size of the keyring will be sizeof(key_serial_t) multiplied by the number
+of keys. The size of key_serial_t is invariant across different word sizes,
+though the byte-ordering is as appropriate for the kernel.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_read ()
+returns the amount of data placed into the buffer. If the buffer was too
+small, then the size of buffer required will be returned, but no data will be
+transferred. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.P
+On success
+.BR keyctl_read_alloc ()
+returns the amount of data in the buffer. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The key specified is invalid.
+.TP
+.B EKEYEXPIRED
+The key specified has expired.
+.TP
+.B EKEYREVOKED
+The key specified had been revoked.
+.TP
+.B EACCES
+The key exists, but is not
+.B readable
+by the calling process.
+.TP
+.B EOPNOTSUPP
+The key type does not support reading of the payload data.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_revoke.3 b/keyctl_revoke.3
new file mode 100644
index 0000000..47eb227
--- /dev/null
+++ b/keyctl_revoke.3
@@ -0,0 +1,107 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_REVOKE 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_revoke \- Revoke a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_revoke(key_serial_t " key ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_revoke ()
+marks a key as being revoked.
+.P
+After this operation has been performed on a key, attempts to access it will
+meet with error
+.BR EKEYREVOKED .
+.P
+The caller must have
+.B write
+permission on a key to be able revoke it.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_revoke ()
+returns
+.BR 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The specified key does not exist.
+.TP
+.B EKEYREVOKED
+The key has already been revoked.
+.TP
+.B EACCES
+The named key exists, but is not
+.B writable
+by the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_search.3 b/keyctl_search.3
new file mode 100644
index 0000000..162a5e1
--- /dev/null
+++ b/keyctl_search.3
@@ -0,0 +1,172 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_SEARCH 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_search \- Search a keyring for a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_search(key_serial_t " keyring ", const char *" type ,
+.BI "const char *" description ", key_serial_t " destination ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_search ()
+recursively searches the
+.I keyring
+for a key of the specified
+.I type
+and
+.IR description .
+.P
+If found, the key will be attached to the
+.I destination
+keyring (if given), and its serial number will be returned.
+.P
+The source keyring must grant
+.B search
+permission to the caller, and for a key to be found, it must also grant
+.B search
+permission to the caller. Child keyrings will be only be recursively searched
+if they grant
+.B search
+permission to the caller as well.
+.P
+If the destination keyring is
+.BR zero ,
+no attempt will be made to forge a link to the key, and just the serial number
+will be returned.
+.P
+If the destination keyring is given, then the link may only be formed if the
+found key grants the caller
+.B link
+permission and the destination keyring grants the caller
+.B write
+permission.
+.P
+If the search is successful, and if the destination keyring already contains a
+link to a key that matches the specified
+.IR type " and " description ,
+then that link will be replaced by a link to the found key.
+.P
+The source keyring and destination keyring serial numbers may be those of
+valid keyrings to which the caller has appropriate permission, or they may be
+special keyring IDs:
+.TP
+.B KEY_SPEC_THREAD_KEYRING
+This specifies the caller's thread-specific keyring.
+.TP
+.B KEY_SPEC_PROCESS_KEYRING
+This specifies the caller's process-specific keyring.
+.TP
+.B KEY_SPEC_SESSION_KEYRING
+This specifies the caller's session-specific keyring.
+.TP
+.B KEY_SPEC_USER_KEYRING
+This specifies the caller's UID-specific keyring.
+.TP
+.B KEY_SPEC_USER_SESSION_KEYRING
+This specifies the caller's UID-session keyring.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_search ()
+returns the serial number of the key it found. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+One of the keyrings doesn't exist, no key was found by the search, or the only
+key found by the search was a negative key.
+.TP
+.B ENOTDIR
+One of the keyrings is a valid key that isn't a keyring.
+.TP
+.B EKEYEXPIRED
+One of the keyrings has expired, or the only key found was expired.
+.TP
+.B EKEYREVOKED
+One of the keyrings has been revoked, or the only key found was revoked.
+.TP
+.B ENOMEM
+Insufficient memory to expand the destination keyring.
+.TP
+.B EDQUOT
+The key quota for this user would be exceeded by creating a link to the found
+key in the destination keyring.
+.TP
+.B EACCES
+The source keyring didn't grant
+.B search
+permission, the destination keyring didn't grant
+.B write
+permission or the found key didn't grant
+.B link
+permission to the caller.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+Although this is a Linux system call, it is not present in
+.I libc
+but can be found rather in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_set_reqkey_keyring.3 b/keyctl_set_reqkey_keyring.3
new file mode 100644
index 0000000..02d9733
--- /dev/null
+++ b/keyctl_set_reqkey_keyring.3
@@ -0,0 +1,132 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_SET_REQKEY_KEYRING 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_set_reqkey_keyring \- Set the implicit destination keyring
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_set_reqkey_keyring(int " reqkey_defl ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_set_reqkey_keyring ()
+sets the default destination for implicit key requests for the current thread
+and returns the old setting.
+.P
+After this operation has been issued, keys acquired by implicit key requests,
+such as might be performed by open() on an AFS or NFS filesystem, will be
+linked by default to the specified keyring by this function.
+.P
+The valid values of
+.I reqkey_defl
+are:
+.TP
+.B KEY_REQKEY_DEFL_NO_CHANGE
+This makes no change to the current setting.
+.TP
+.B KEY_REQKEY_DEFL_THREAD_KEYRING
+This makes the thread-specific keyring the default destination.
+.TP
+.B KEY_REQKEY_DEFL_PROCESS_KEYRING
+This makes the process-specific keyring the default destination.
+.TP
+.B KEY_REQKEY_DEFL_SESSION_KEYRING
+This makes the session keyring the default destination.
+.TP
+.B KEY_REQKEY_DEFL_USER_KEYRING
+This makes the UID-specific keyring the default destination.
+.TP
+.B KEY_REQKEY_DEFL_USER_SESSION_KEYRING
+This makes the UID-specific session keyring the default destination.
+.TP
+.B KEY_REQKEY_DEFL_DEFAULT
+This selects the default behaviour which is to use the thread-specific keyring
+if there is one, otherwise the process-specific keyring if there is one,
+otherwise the session keyring if there is one, otherwise the UID-specific
+session keyring.
+.P
+This setting is inherited across
+.BR fork ()
+and
+.BR exec ().
+
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_set_reqkey_keyring ()
+returns
+.BR 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B EINVAL
+The value of
+.I reqkey_defl
+is invalid.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_set_timeout.3 b/keyctl_set_timeout.3
new file mode 100644
index 0000000..978cbe4
--- /dev/null
+++ b/keyctl_set_timeout.3
@@ -0,0 +1,115 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_SET_TIMEOUT 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_set_timeout \- Set the expiration timer on a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_set_timeout(key_serial_t " key ", unsigned " timeout ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_set_timeout ()
+sets the expiration timer on a key to
+.I timeout
+seconds into the future. Setting
+.I timeout
+to
+.B zero
+cancels the expiration, assuming the key hasn't already expired.
+.P
+When the key expires, further attempts to access it will be met with error
+.BR EKEYEXPIRED .
+.P
+The caller must have
+.B setattr
+permission on a key to be able change its permissions mask.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_set_timeout ()
+returns
+.B 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The specied key does not exist.
+.TP
+.B EKEYEXPIRED
+The specified key has already expired.
+.TP
+.B EKEYREVOKED
+The specified key has been revoked.
+.TP
+.B EACCES
+The named key exists, but does not grant
+.B setattr
+permission to the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_setperm.3 b/keyctl_setperm.3
new file mode 100644
index 0000000..71c8f07
--- /dev/null
+++ b/keyctl_setperm.3
@@ -0,0 +1,164 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_SETPERM 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_setperm \- Change the permissions mask on a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_setperm(key_serial_t " key ", key_perm_t " perm ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_setperm ()
+changes the permissions mask on a key.
+.P
+A process that does not have the
+.B SysAdmin
+capability may not change the permissions mask on a key that doesn't have the
+same UID as the caller.
+.P
+The caller must have
+.B setattr
+permission on a key to be able change its permissions mask.
+.P
+The permissions mask is a bitwise-OR of the following flags:
+.TP
+.B KEY_xxx_VIEW
+Grant permission to view the attributes of a key.
+.TP
+.B KEY_xxx_READ
+Grant permission to read the payload of a key or to list a keyring.
+.TP
+.B KEY_xxx_WRITE
+Grant permission to modify the payload of a key or to add or remove links
+to/from a keyring.
+.TP
+.B KEY_xxx_SEARCH
+Grant permission to find a key or to search a keyring.
+.TP
+.B KEY_xxx_LINK
+Grant permission to make links to a key.
+.TP
+.B KEY_xxx_SETATTR
+Grant permission to change the ownership and permissions attributes of a key.
+.TP
+.B KEY_xxx_ALL
+Grant all the above.
+.P
+The
+.RB ' xxx '
+in the above should be replaced by one of:
+.TP
+.B POS
+Grant the permission to a process that possesses the key (has it attached
+searchably to one of the process's keyrings).
+.TP
+.B USR
+Grant the permission to a process with the same UID as the key.
+.TP
+.B GRP
+Grant the permission to a process with the same GID as the key, or with a
+match for the key's GID amongst that process's Groups list.
+.TP
+.B OTH
+Grant the permission to any other process.
+.P
+Examples include:
+.BR KEY_POS_VIEW ", " KEY_USR_READ ", " KEY_GRP_SEARCH " and " KEY_OTH_ALL .
+.P
+User, group and other grants are exclusive: if a process qualifies in
+the 'user' category, it will not qualify in the 'groups' category; and if a
+process qualifies in either 'user' or 'groups' then it will not qualify in
+the 'other' category.
+.P
+Possessor grants are cumulative with the grants from the 'user', 'groups'
+and 'other' categories.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_setperm ()
+returns
+.B 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The specied key does not exist.
+.TP
+.B EKEYEXPIRED
+The specified key has expired.
+.TP
+.B EKEYREVOKED
+The specified key has been revoked.
+.TP
+.B EACCES
+The named key exists, but does not grant
+.B setattr
+permission to the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_update.3 b/keyctl_update.3
new file mode 100644
index 0000000..4ac19d4
--- /dev/null
+++ b/keyctl_update.3
@@ -0,0 +1,130 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_UPDATE 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_update \- Update a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_update(key_serial_t " key ", const char *" payload ,
+.BI "size_t " plen ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_update ()
+updates the payload of a key if the key type permits it.
+.P
+The caller must have
+.B write
+permission on a key to be able update it.
+.P
+.I payload
+and
+.I plen
+specify the data for the new payload.
+.I payload
+may be NULL and
+.I plen
+may be zero if the key type permits that. The key type may reject the data if
+it's in the wrong format or in some other way invalid.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_update ()
+returns
+.BR 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The key specified is invalid.
+.TP
+.B EKEYEXPIRED
+The key specified has expired.
+.TP
+.B EKEYREVOKED
+The key specified had been revoked.
+.TP
+.B EINVAL
+The payload data was invalid.
+.TP
+.B ENOMEM
+Insufficient memory to store the new payload.
+.TP
+.B EDQUOT
+The key quota for this user would be exceeded by increasing the size of the
+key to accommodate the new payload.
+.TP
+.B EACCES
+The key exists, but is not
+.B writable
+by the calling process.
+.TP
+.B EOPNOTSUPP
+The key type does not support the update operation on its keys.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyutils.spec b/keyutils.spec
index 4b5f4f2..a68a103 100644
--- a/keyutils.spec
+++ b/keyutils.spec
@@ -1,19 +1,20 @@ %define vermajor 1 -%define version %{vermajor}.0 -%define _exec_prefix / +%define version %{vermajor}.1 +%define libdir /%{_lib} %define usrlibdir %{_prefix}/%{_lib} Summary: Linux Key Management Utilities Name: keyutils Version: %{version} -Release: 2 +Release: 3%{?dist} License: GPL/LGPL Group: System Environment/Base ExclusiveOS: Linux +Url: http://people.redhat.com/~dhowells/keyutils/ Source0: http://people.redhat.com/~dhowells/keyutils/keyutils-%{version}.tar.bz2 -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: glibc-kernheaders >= 2.4-9.1.92 %description @@ -29,11 +30,12 @@ Group: System Environment/Base This package provides a wrapper library for the key management facility system calls. -%package devel +%package libs-devel Summary: Development package for building linux key management utilities Group: System Environment/Base +Requires: keyutils-libs == %{version}-%{release} -%description devel +%description libs-devel This package provides headers and libraries for building key utilities. %prep @@ -41,7 +43,8 @@ This package provides headers and libraries for building key utilities. %build make \ - LIBDIR=%{_libdir} \ + NO_ARLIB=1 \ + LIBDIR=%{libdir} \ USRLIBDIR=%{usrlibdir} \ RELEASE=.%{release} \ NO_GLIBC_KEYERR=1 \ @@ -49,7 +52,12 @@ make \ %install rm -rf $RPM_BUILD_ROOT -make DESTDIR=$RPM_BUILD_ROOT LIBDIR=%{_libdir} USRLIBDIR=%{usrlibdir} RELEASE=.%{release} install +make \ + NO_ARLIB=1 \ + DESTDIR=$RPM_BUILD_ROOT \ + LIBDIR=%{libdir} \ + USRLIBDIR=%{usrlibdir} \ + install %clean rm -rf $RPM_BUILD_ROOT 
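Review bot: Renaming the subpackage from `devel` to `libs-devel` (hunk `@@ -29,11 +30,12 @@`) leaves no upgrade path from the old `keyutils-devel` name, because nothing in the hunk obsoletes it. On a system that already has the 1.0 development package installed, the old headers and static archive would presumably stay in place next to the new library and stop receiving updates. Adding `Obsoletes: keyutils-devel < %{version}-%{release}` and `Provides: keyutils-devel = %{version}-%{release}` below the new `Requires:` line would let the package manager replace it; whether 1.0-2 was ever distributed is not visible here, so confirm before adding.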
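Review bot: `RELEASE=.%{release} \` is still passed to make in `%build` (the unchanged line after `USRLIBDIR=%{usrlibdir} \` in hunk `@@ -41,7 +43,8 @@`), while the `%install` invocation rewritten in the following hunk drops it and `%files libs` now expects `libkeyutils-%{version}.so` with no release suffix. If the Makefile still honoured RELEASE, the build and install steps would disagree on the library filename; if it no longer reads it, the argument is dead. Removing that line keeps the two make invocations identical apart from `DESTDIR` and the `install` goal. The `%build` make command continues past the end of this hunk.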
@@ -59,23 +67,36 @@ rm -rf $RPM_BUILD_ROOT %doc README LICENCE.GPL /sbin/* /bin/* -/usr/share/keyutils/* -%{_mandir}/* +/usr/share/keyutils +%{_mandir}/man1/* +%{_mandir}/man5/* +%{_mandir}/man8/* %config(noreplace) /etc/* %files libs %defattr(-,root,root,-) %doc LICENCE.LGPL -%{_libdir}/libkeyutils-%{version}.%{release}.so -%{_libdir}/libkeyutils.so.%{vermajor} +%{libdir}/libkeyutils-%{version}.so +%{libdir}/libkeyutils.so.%{vermajor} -%files devel +%files libs-devel %defattr(-,root,root,-) -%{usrlibdir}/libkeyutils.a %{usrlibdir}/libkeyutils.so %{_includedir}/* +%{_mandir}/man2/* +%{_mandir}/man3/* %changelog +* Fri May 5 2006 David Howells <dhowells@redhat.com> - 1.1-3 +- Don't include the release number in the shared library filename +- Don't build static library + +* Fri May 5 2006 David Howells <dhowells@redhat.com> - 1.1-2 +- More bug fixes from Fedora reviewer. + +* Thu May 4 2006 David Howells <dhowells@redhat.com> - 1.1-1 +- Fix rpmlint errors + * Mon Dec 5 2005 David Howells <dhowells@redhat.com> - 1.0-2 - Add build dependency on glibc-kernheaders with key management syscall numbers diff --git a/request_key.2 b/request_key.2 new file mode 100644 index 0000000..aeb5110 --- /dev/null +++ b/request_key.2 
@@ -0,0 +1,141 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH REQUEST_KEY 2 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+request_key \- Request a key from the kernel's key management facility
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "key_serial_t request_key(const char *" type ", const char *" description ,
+.BI "const char *" callout_info ", key_serial_t " keyring ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR request_key ()
+asks the kernel to find a key of the given
+.I type
+that matches the specified
+.I description
+and, if successful, to attach it to the nominated
+.I keyring
+and to return its serial number.
+.P
+.BR request_key ()
+first recursively searches all the keyrings attached to the calling process in
+the order thread-specific keyring, process-specific keyring and then session
+keyring for a matching key.
+.P
+If
+.BR request_key ()
+is called from a program invoked by
+.BR request_key ()
+on behalf of some other process to generate a key, then the keyrings of that
+other process will be searched next, using that other process's UID, GID,
+groups and security context to control access.
+.P
+The keys in each keyring searched are checked for a match before any child
+keyrings are recursed into. Only keys that are
+.B searchable
+for the caller may be found, and only
+.B searchable
+keyrings may be searched.
+.P
+If the key is not found then, if
+.I callout_info
+is set, this function will attempt to look further afield. In such a case, the
+.I callout_info
+is passed to a userspace service such as
+.B /sbin/request\-key
+to generate the key.
+.P
+If that is unsuccessful also, then an error will be returned, and a temporary
+negative key will be installed in the nominated
+.IR keyring .
+This will expire after a few seconds, but will cause subsequent
+calls to
+.BR request_key ()
+to fail until it does.
+.P
+The
+.I keyring
+serial number may be that of a valid keyring to which the caller has write
+permission, or it may be a special keyring ID:
+.TP
+.B KEY_SPEC_THREAD_KEYRING
+This specifies the caller's thread-specific keyring.
+.TP
+.B KEY_SPEC_PROCESS_KEYRING
+This specifies the caller's process-specific keyring.
+.TP
+.B KEY_SPEC_SESSION_KEYRING
+This specifies the caller's session-specific keyring.
+.TP
+.B KEY_SPEC_USER_KEYRING
+This specifies the caller's UID-specific keyring.
+.TP
+.B KEY_SPEC_USER_SESSION_KEYRING
+This specifies the caller's UID-session keyring.
+.P
+If a key is created, no matter whether it's a valid key or a negative key, it
+will displace any other key of the same type and description from the
+destination
+.IR keyring .
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR request_key ()
+returns the serial number of the key it found.
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+No matching key was found.
+.TP
+.B EKEYEXPIRED
+An expired key was found, but no replacement could be obtained.
+.TP
+.B EKEYREVOKED
+A revoked key was found, but no replacement could be obtained.
+.TP
+.B EKEYREJECTED
+The attempt to generate a new key was rejected.
+.TP
+.B ENOMEM
+Insufficient memory to create a key.
+.TP
+.B EINTR
+The request was interrupted by a signal.
+.TP
+.B EDQUOT
+The key quota for this user would be exceeded by creating this key or linking
+it to the keyring.
+.TP
+.B EACCES
+The keyring wasn't available for modification by the user.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+Although this is a Linux system call, it is not present in
+.I libc
+but can be found rather in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.BR add_key (2),
+.BR keyctl (2),
+.BR request-key (8) |