authorDavid Howells <dhowells@redhat.com>2010-02-22 15:47:17 +0000
committerDavid Howells <dhowells@redhat.com>2010-02-22 16:12:53 +0000
commitc5da8369a833b818df5ed0a8600442fda26465d9 (patch)
tree4f7c9ae18b11c2debf5c8a356f167231a132d5c2
parent557f01ce1fdd3cc78be3aa74f281160a581c2777 (diff)
keyutils historical version 1.1
- Don't include the release number in the shared library filename
- Don't build static library
- More bug fixes from Fedora reviewer.
- Fix rpmlint errors
-rw-r--r--Makefile75
-rw-r--r--add_key.2137
-rw-r--r--keyctl.2166
-rw-r--r--keyctl_chown.3122
-rw-r--r--keyctl_clear.3107
-rw-r--r--keyctl_describe.3142
-rw-r--r--keyctl_get_keyring_ID.3130
-rw-r--r--keyctl_instantiate.3185
-rw-r--r--keyctl_join_session_keyring.3116
-rw-r--r--keyctl_link.3140
-rw-r--r--keyctl_read.3141
-rw-r--r--keyctl_revoke.3107
-rw-r--r--keyctl_search.3172
-rw-r--r--keyctl_set_reqkey_keyring.3132
-rw-r--r--keyctl_set_timeout.3115
-rw-r--r--keyctl_setperm.3164
-rw-r--r--keyctl_update.3130
-rw-r--r--keyutils.spec49
-rw-r--r--request_key.2141
19 files changed, 2438 insertions, 33 deletions
diff --git a/Makefile b/Makefile
index 91a9252..51f94d7 100644
--- a/Makefile
+++ b/Makefile
@@ -2,14 +2,19 @@ CFLAGS := -g -O2 -Wall
INSTALL := install
DESTDIR :=
MAJOR := 1
-MINOR := 0
-RELEASE :=
-VERSION := $(MAJOR).$(MINOR)$(RELEASE)
+MINOR := 1
+VERSION := $(MAJOR).$(MINOR)
NO_GLIBC_KEYERR := 0
NO_GLIBC_KEYSYS := 0
+NO_ARLIB := 0
BUILDFOR :=
+ETCDIR := /etc
+BINDIR := /bin
+SBINDIR := /sbin
LIBDIR := /lib
USRLIBDIR := /usr/lib
+SHAREDIR := /usr/share/keyutils
+INCLUDEDIR := /usr/include
ARLIB := libkeyutils.a
DEVELLIB := libkeyutils.so
SONAME := libkeyutils.so.$(MAJOR)
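Review bot: `NO_ARLIB := 0` is introduced without a comment, so the file does not say that the static library is still built and installed by default, and that the commit message's "Don't build static library" only takes effect when the caller passes another value (presumably from the spec file, which is not visible here). The `ifeq ($(NO_ARLIB),0)` tests in the `all` and `install` hunks compare against the literal `0`, so an empty or mistyped value also silently drops `$(ARLIB)`. I would add above the assignment: `# NO_ARLIB=1 skips building and installing $(ARLIB); any value other than 0 disables it.`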
@@ -40,11 +45,13 @@ USRLIBDIR := /usr/lib64
endif
endif
-all: $(ARLIB) $(DEVELLIB) keyctl request-key
-
-
+ifeq ($(NO_ARLIB),0)
+all: $(ARLIB)
$(ARLIB): keyutils.o
$(AR) rcs $@ $<
+endif
+
+all: $(DEVELLIB) keyctl request-key
keyutils.o: keyutils.c keyutils.h Makefile
$(CC) $(CFLAGS) -UNO_GLIBC_KEYERR -o $@ -c $<
@@ -72,20 +79,50 @@ request-key: request-key.c keyutils.h Makefile
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< -L. -lkeyutils -Wl,-rpath,$(LIB)
+MAN1 := $(DESTDIR)/usr/share/man/man1
+MAN2 := $(DESTDIR)/usr/share/man/man2
+MAN3 := $(DESTDIR)/usr/share/man/man3
+MAN5 := $(DESTDIR)/usr/share/man/man5
+MAN8 := $(DESTDIR)/usr/share/man/man8
+
install: all
- $(INSTALL) -D $(ARLIB) $(DESTDIR)/$(USRLIBDIR)/$(ARLIB)
- $(INSTALL) -D $(LIBNAME) $(DESTDIR)/$(LIBDIR)/$(LIBNAME)
- $(LNS) $(LIBNAME) $(DESTDIR)/$(LIBDIR)/$(SONAME)
- mkdir -p $(DESTDIR)/$(USRLIBDIR)
- $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)/$(USRLIBDIR)/$(DEVELLIB)
- $(INSTALL) -D keyctl $(DESTDIR)/bin/keyctl
- $(INSTALL) -D request-key $(DESTDIR)/sbin/request-key
- $(INSTALL) -D request-key.conf $(DESTDIR)/etc/request-key.conf
- $(INSTALL) -D request-key-debug.sh $(DESTDIR)/usr/share/keyutils/request-key-debug.sh
- $(INSTALL) -D keyctl.1 $(DESTDIR)/usr/share/man/man1/keyctl.1
- $(INSTALL) -D request-key.conf.5 $(DESTDIR)/usr/share/man/man5/request-key.conf.5
- $(INSTALL) -D request-key.8 $(DESTDIR)/usr/share/man/man8/request-key.8
- $(INSTALL) -D keyutils.h $(DESTDIR)/usr/include/keyutils.h
+ifeq ($(NO_ARLIB),0)
+ $(INSTALL) -D -m 0644 $(ARLIB) $(DESTDIR)$(USRLIBDIR)/$(ARLIB)
+endif
+ $(INSTALL) -D $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(LIBNAME)
+ $(LNS) $(LIBNAME) $(DESTDIR)$(LIBDIR)/$(SONAME)
+ mkdir -p $(DESTDIR)$(USRLIBDIR)
+ $(LNS) $(LIBDIR)/$(SONAME) $(DESTDIR)$(USRLIBDIR)/$(DEVELLIB)
+ $(INSTALL) -D keyctl $(DESTDIR)$(BINDIR)/keyctl
+ $(INSTALL) -D request-key $(DESTDIR)$(SBINDIR)/request-key
+ $(INSTALL) -D request-key-debug.sh $(DESTDIR)$(SHAREDIR)/request-key-debug.sh
+ $(INSTALL) -D -m 0644 request-key.conf $(DESTDIR)$(ETCDIR)/request-key.conf
+ $(INSTALL) -D -m 0644 keyctl.1 $(MAN1)/keyctl.1
+ $(INSTALL) -D -m 0644 add_key.2 $(MAN2)/add_key.2
+ $(INSTALL) -D -m 0644 keyctl.2 $(MAN2)/keyctl.2
+ $(INSTALL) -D -m 0644 request_key.2 $(MAN2)/request_key.2
+ $(INSTALL) -D -m 0644 keyctl_chown.3 $(MAN3)/keyctl_chown.3
+ $(INSTALL) -D -m 0644 keyctl_clear.3 $(MAN3)/keyctl_clear.3
+ $(INSTALL) -D -m 0644 keyctl_describe.3 $(MAN3)/keyctl_describe.3
+ $(LNS) keyctl_describe.3 $(MAN3)/keyctl_describe_alloc.3
+ $(INSTALL) -D -m 0644 keyctl_get_keyring_ID.3 $(MAN3)/keyctl_get_keyring_ID.3
+ $(INSTALL) -D -m 0644 keyctl_instantiate.3 $(MAN3)/keyctl_instantiate.3
+ $(LNS) keyctl_instantiate.3 $(MAN3)/keyctl_negate.3
+ $(LNS) keyctl_instantiate.3 $(MAN3)/keyctl_assume_authority.3
+ $(INSTALL) -D -m 0644 keyctl_join_session_keyring.3 $(MAN3)/keyctl_join_session_keyring.3
+ $(INSTALL) -D -m 0644 keyctl_link.3 $(MAN3)/keyctl_link.3
+ $(LNS) keyctl_link.3 $(MAN3)/keyctl_unlink.3
+ $(INSTALL) -D -m 0644 keyctl_read.3 $(MAN3)/keyctl_read.3
+ $(LNS) keyctl_read.3 $(MAN3)/keyctl_read_alloc.3
+ $(INSTALL) -D -m 0644 keyctl_revoke.3 $(MAN3)/keyctl_revoke.3
+ $(INSTALL) -D -m 0644 keyctl_search.3 $(MAN3)/keyctl_search.3
+ $(INSTALL) -D -m 0644 keyctl_setperm.3 $(MAN3)/keyctl_setperm.3
+ $(INSTALL) -D -m 0644 keyctl_set_reqkey_keyring.3 $(MAN3)/keyctl_set_reqkey_keyring.3
+ $(INSTALL) -D -m 0644 keyctl_set_timeout.3 $(MAN3)/keyctl_set_timeout.3
+ $(INSTALL) -D -m 0644 keyctl_update.3 $(MAN3)/keyctl_update.3
+ $(INSTALL) -D -m 0644 request-key.conf.5 $(MAN5)/request-key.conf.5
+ $(INSTALL) -D -m 0644 request-key.8 $(MAN8)/request-key.8
+ $(INSTALL) -D -m 0644 keyutils.h $(DESTDIR)$(INCLUDEDIR)/keyutils.h
clean:
$(RM) libkeyutils*
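Review bot: The install recipe now pins `-m 0644` on the data files but leaves the four executable artefacts (`$(LIBNAME)`, `keyctl`, `request-key`, `request-key-debug.sh`) to whatever mode the `$(INSTALL)` program applies by default. Since `INSTALL` is an overridable variable and `request-key` lands in `$(SBINDIR)`, I would state the mode explicitly, e.g. `$(INSTALL) -D -m 0755 request-key $(DESTDIR)$(SBINDIR)/request-key`, and likewise for the other three. Separately, `MAN1`..`MAN8` hard-code `/usr/share/man` with `$(DESTDIR)` baked in, unlike the new `BINDIR`/`ETCDIR`-style knobs; a `MANDIR := /usr/share/man` would keep them consistent. `LNS` is defined outside this hunk, so whether the new man-page symlinks survive a second `make install` could not be checked here.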
diff --git a/add_key.2 b/add_key.2
new file mode 100644
index 0000000..e713f00
--- /dev/null
+++ b/add_key.2
@@ -0,0 +1,137 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH ADD_KEY 2 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+add_key \- Add a key to the kernel's key management facility
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "key_serial_t add_key(const char *" type ", const char *" description ,
+.BI "const void *" payload ", size_t " plen ", key_serial_t " keyring ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR add_key ()
+asks the kernel to create or update a key of the given
+.I type
+and
+.IR description ,
+instantiate it with the
+.I payload
+of length
+.IR plen ,
+and to attach it to the nominated
+.I keyring
+and to return its serial number.
+.P
+The key type may reject the data if it's in the wrong format or in some other
+way invalid.
+.P
+If the destination
+.I keyring
+already contains a key that matches the specified
+.IR type " and " description
+then, if the key type supports it, that key will be updated rather than a new
+key being created; if not, a new key will be created and it will displace the
+link to the extant key from the keyring.
+.P
+The destination
+.I keyring
+serial number may be that of a valid keyring to which the caller has write
+permission, or it may be a special keyring ID:
+.TP
+.B KEY_SPEC_THREAD_KEYRING
+This specifies the caller's thread-specific keyring.
+.TP
+.B KEY_SPEC_PROCESS_KEYRING
+This specifies the caller's process-specific keyring.
+.TP
+.B KEY_SPEC_SESSION_KEYRING
+This specifies the caller's session-specific keyring.
+.TP
+.B KEY_SPEC_USER_KEYRING
+This specifies the caller's UID-specific keyring.
+.TP
+.B KEY_SPEC_USER_SESSION_KEYRING
+This specifies the caller's UID-session keyring.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH KEY TYPES
+There are a number of key types available in the core key management code, and
+these can be specified to this function:
+.TP
+.B \*(lquser\*(rq
+Keys of the user-defined key type may contain a blob of arbitrary data, and the
+.I description
+may be any valid string, though it is preferred that the description be
+prefixed with a string representing the service to which the key is of interest
+and a colon (for instance
+.RB \*(lq afs:mykey \*(rq).
+The
+.I payload
+may be empty or
+.B NULL
+for keys of this type.
+.TP
+.B \*(lqkeyring\*(rq
+Keyrings are special key types that may contain links to sequences of other
+keys of any type. If this interface is used to create a keyring, then a
+.B NULL
+.I payload
+should be specified, and
+.I plen
+should be zero.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR add_key ()
+returns the serial number of the key it created or updated.
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The keyring doesn't exist.
+.TP
+.B EKEYEXPIRED
+The keyring has expired.
+.TP
+.B EKEYREVOKED
+The keyring has been revoked.
+.TP
+.B EINVAL
+The payload data was invalid.
+.TP
+.B ENOMEM
+Insufficient memory to create a key.
+.TP
+.B EDQUOT
+The key quota for this user would be exceeded by creating this key or linking
+it to the keyring.
+.TP
+.B EACCES
+The keyring wasn't available for modification by the user.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+Although this is a Linux system call, it is not present in
+.I libc
+but can be found rather in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.BR keyctl (2),
+.BR request_key (2)
diff --git a/keyctl.2 b/keyctl.2
new file mode 100644
index 0000000..9769b16
--- /dev/null
+++ b/keyctl.2
@@ -0,0 +1,166 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL 2 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl \- Manipulate the kernel's key management facility
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl(int " cmd ", ...);"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl ()
+has a number of functions available:
+.TP
+.B KEYCTL_GET_KEYRING_ID
+Ask for a keyring's ID.
+.TP
+.B KEYCTL_JOIN_SESSION_KEYRING
+Join or start named session keyring.
+.TP
+.B KEYCTL_UPDATE
+Update a key.
+.TP
+.B KEYCTL_REVOKE
+Revoke a key.
+.TP
+.B KEYCTL_CHOWN
+Set ownership of a key.
+.TP
+.B KEYCTL_SETPERM
+Set perms on a key.
+.TP
+.B KEYCTL_DESCRIBE
+Describe a key.
+.TP
+.B KEYCTL_CLEAR
+Clear contents of a keyring.
+.TP
+.B KEYCTL_LINK
+Link a key into a keyring.
+.TP
+.B KEYCTL_UNLINK
+Unlink a key from a keyring.
+.TP
+.B KEYCTL_SEARCH
+Search for a key in a keyring.
+.TP
+.B KEYCTL_READ
+Read a key or keyring's contents.
+.TP
+.B KEYCTL_INSTANTIATE
+Instantiate a partially constructed key.
+.TP
+.B KEYCTL_NEGATE
+Negate a partially constructed key.
+.TP
+.B KEYCTL_SET_REQKEY_KEYRING
+Set default request-key keyring.
+.TP
+.B KEYCTL_SET_TIMEOUT
+Set timeout on a key.
+.TP
+.B KEYCTL_ASSUME_AUTHORITY
+Assume authority to instantiate key.
+.P
+These are wrapped by
+.B libkeyutils
+into individual functions to permit compiler the compiler to check types.
+See the
+.B See Also
+section at the bottom.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl ()
+returns the serial number of the key it found.
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+No matching key was found or an invalid key was specified.
+.TP
+.B EKEYEXPIRED
+An expired key was found or specified.
+.TP
+.B EKEYREVOKED
+A revoked key was found or specified.
+.TP
+.B EKEYREJECTED
+A rejected key was found or specified.
+.TP
+.B EDQUOT
+The key quota for the caller's user would be exceeded by creating a key or
+linking it to the keyring.
+.TP
+.B EACCES
+A key operation wasn't permitted.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+Although this is a Linux system call, it is not present in
+.I libc
+but can be found rather in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_chown.3 b/keyctl_chown.3
new file mode 100644
index 0000000..3589ffe
--- /dev/null
+++ b/keyctl_chown.3
@@ -0,0 +1,122 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_CHOWN 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_chown \- Change the ownership of a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_chown(key_serial_t " key ", uid_t " uid ", gid_t " gid ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_chown ()
+changes the user and group ownership details of a key.
+.P
+A setting of
+.B -1
+on either
+.I uid
+or
+.I gid
+will cause that setting to be ignored.
+.P
+A process that does not have the
+.B SysAdmin
+capability may not change a key's UID or set the key's GID to a value that
+does not match the process's GID or one of its group list.
+.P
+The caller must have
+.B setattr
+permission on a key to be able change its ownership.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_chown ()
+returns
+.B 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The specied key does not exist.
+.TP
+.B EKEYEXPIRED
+The specified key has expired.
+.TP
+.B EKEYREVOKED
+The specified key has been revoked.
+.TP
+.B EDQUOT
+Changing the UID to the one specified would run that UID out of quota.
+.TP
+.B EACCES
+The key exists, but does not grant
+.B setattr
+permission to the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_clear.3 b/keyctl_clear.3
new file mode 100644
index 0000000..3ec29b6
--- /dev/null
+++ b/keyctl_clear.3
@@ -0,0 +1,107 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_CLEAR 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_clear \- Clear a keyring
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_clear(key_serial_t " keyring ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_clear ()
+clears the contents of a
+.IR keyring .
+.P
+The caller must have
+.B write
+permission on a keyring to be able clear it.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_clear ()
+returns
+.BR 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The keyring specified is invalid.
+.TP
+.B EKEYEXPIRED
+The keyring specified has expired.
+.TP
+.B EKEYREVOKED
+The keyring specified had been revoked.
+.TP
+.B EACCES
+The keyring exists, but is not
+.B writable
+by the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_describe.3 b/keyctl_describe.3
new file mode 100644
index 0000000..473bca5
--- /dev/null
+++ b/keyctl_describe.3
@@ -0,0 +1,142 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_DESCRIBE 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_describe \- Describe a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_describe(key_serial_t " key ", char *" buffer ,
+.BI "size_t" buflen ");"
+.sp
+.BI "long keyctl_describe_alloc(key_serial_t " key ", char **" _buffer ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_describe ()
+describes the attributes of a key as a NUL-terminated string.
+.P
+The caller must have
+.B view
+permission on a key to be able to get a description of it.
+.P
+.I buffer
+and
+.I buflen
+specify the buffer into which the key description will be placed. If the
+buffer is too small, the full size of the description will be returned, and no
+copy will take place.
+.P
+.BR keyctl_describe_alloc ()
+is similar to
+.BR keyctl_describe ()
+except that it allocates a buffer big enough to hold the description and
+places the description in it. If successful, A pointer to the buffer is
+placed in
+.IR *_buffer .
+The caller must free the buffer.
+.P
+The description will be a string of format:
+.IP
+.B "\*(lq%s;%d;%d;%08x;%s\*(rq"
+.P
+where the arguments are: key type name, key UID, key GID, key permissions mask
+and key description.
+.P
+.B NOTE!
+The key description will not contain any semicolons, so that should be
+separated out by working backwards from the end of the string. This permits
+extra information to be inserted before it by later versions of the kernel
+simply by inserting more semicolon-terminated substrings.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_describe ()
+returns the amount of data placed into the buffer. If the buffer was too
+small, then the size of buffer required will be returned, but no data will be
+transferred. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.P
+On success
+.BR keyctl_describe_alloc ()
+returns the amount of data in the buffer, less the NUL terminator. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The key specified is invalid.
+.TP
+.B EKEYEXPIRED
+The key specified has expired.
+.TP
+.B EKEYREVOKED
+The key specified had been revoked.
+.TP
+.B EACCES
+The key exists, but is not
+.B viewable
+by the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_get_keyring_ID.3 b/keyctl_get_keyring_ID.3
new file mode 100644
index 0000000..b0e2fd0
--- /dev/null
+++ b/keyctl_get_keyring_ID.3
@@ -0,0 +1,130 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_GET_KEYRING_ID 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_get_keyring_ID \- Get the ID of a special keyring
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "key_serial_t keyctl_get_keyring_ID(key_serial_t " key ","
+.BI " int " create ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_get_keyring_ID ()
+maps a special
+.I key
+or keyring ID to the serial number of the key actually representing that
+feature. The serial number will be returned if that key exists.
+.P
+If the key or keyring does not yet exist, then if
+.I create
+is non-zero, the key or keyring will be created if it is appropriate to do so.
+.P
+The following special key IDs may be specified as
+.IR key :
+.TP
+.B KEY_SPEC_THREAD_KEYRING
+This specifies the caller's thread-specific keyring.
+.TP
+.B KEY_SPEC_PROCESS_KEYRING
+This specifies the caller's process-specific keyring.
+.TP
+.B KEY_SPEC_SESSION_KEYRING
+This specifies the caller's session-specific keyring.
+.TP
+.B KEY_SPEC_USER_KEYRING
+This specifies the caller's UID-specific keyring.
+.TP
+.B KEY_SPEC_USER_SESSION_KEYRING
+This specifies the caller's UID-session keyring.
+.TP
+.B KEY_SPEC_REQKEY_AUTH_KEY
+This specifies the authorisation key created by
+.BR request_key ()
+and passed to the process it spawns to generate a key.
+.P
+If a valid keyring ID is passed in, then this will simply be returned if the
+key exists; an error will be issued if it doesn't exist.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_get_keyring_ID ()
+returns the serial number of the key it found. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+No matching key was found.
+.TP
+.B ENOMEM
+Insufficient memory to create a key.
+.TP
+.B EDQUOT
+The key quota for this user would be exceeded by creating this key or linking
+it to the keyring.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_instantiate.3 b/keyctl_instantiate.3
new file mode 100644
index 0000000..2240597
--- /dev/null
+++ b/keyctl_instantiate.3
@@ -0,0 +1,185 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_INSTANTIATE 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_assume_authority \- Assume the authority to instantiate a key
+keyctl_instantiate \- Instantiate a key
+keyctl_negate \- Negatively instantiate a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_assume_authority(key_serial_t " key ");"
+.sp
+.BI "long keyctl_instantiate(key_serial_t " key ", const char *" payload ,
+.BI "size_t " plen ", key_serial_t " keyring ");"
+.sp
+.BI "long keyctl_negate(key_serial_t " key ", unsigned " timeout ,
+.BI "key_serial_t " keyring ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_assume_authority ()
+assumes the authority for the calling thread to deal with and instantiate the
+specified uninstantiated
+.IR key .
+.P
+The calling thread must have the appopriate authorisation key resident in one
+of its keyrings for this to succeed, and that authority must not have been
+revoked.
+.P
+The authorising key is allocated by request_key() when it needs to invoke
+userspace to generate a key for the requesting process. This is then attached
+to one of the keyrings of the userspace process to which the task of
+instantiating the key is given:
+.IP
+requester -> request_key() -> instantiator
+.P
+Calling this function modifies the way
+.BR request_key ()
+works when called thereafter by the calling (instantiator) thread; once the
+authority is assumed, the keyrings of the initial process are added to the
+search path, using the initial process's UID, GID, groups and security
+context.
+.P
+If a thread has multiple instantiations to deal with, it may call this
+function to change the authorisation key currently in effect. Supplying a
+.B zero
+.I key
+de-assumes the currently assumed authority.
+.P
+.B NOTE!
+This is a per-thread setting and not a per-process setting so that a
+multithreaded process can be used to instantiate several keys at once.
+.P
+.BR keyctl_instantiate ()
+instantiates the payload of an uninstantiated key from the data specified.
+.I payload
+and
+.I plen
+specify the data for the new payload.
+.I payload
+may be NULL and
+.I plen
+may be zero if the key type permits that. The key type may reject the data if
+it's in the wrong format or in some other way invalid.
+.P
+.BR keyctl_negate ()
+marks a key as negatively instantiated and sets the expiration timer on it.
+.I timeout
+specifies the lifetime of the key in seconds.
+.P
+Only a key for which authority has been assumed may be instantiated or
+negatively instantiated, and once instantiated, the authorisation key will be
+revoked and the requesting process will be able to resume.
+.P
+The destination
+.IR keyring ,
+if given, is assumed to belong to the initial requester, and not the
+instantiating process. Therefore, the special keyring IDs refer to the
+requesting process's keyrings, not the caller's, and the requester's UID,
+etc. will be used to access them.
+.P
+The destination keyring can be
+.B zero
+if no extra link is desired.
+.P
+The requester, not the caller, must have
+.B write
+permission on the destination for a link to be made there.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_instantiate ()
+returns
+.BR 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The key or keyring specified is invalid.
+.TP
+.B EKEYEXPIRED
+The keyring specified has expired.
+.TP
+.B EKEYREVOKED
+The key or keyring specified had been revoked, or the authorisation has been
+revoked.
+.TP
+.B EINVAL
+The payload data was invalid.
+.TP
+.B ENOMEM
+Insufficient memory to store the new payload or to expand the destination
+keyring.
+.TP
+.B EDQUOT
+The key quota for the key's user would be exceeded by increasing the size of
+the key to accommodate the new payload or the key quota for the keyring's user
+would be exceeded by expanding the destination keyring.
+.TP
+.B EACCES
+The key exists, but is not
+.B writable
+by the requester.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_join_session_keyring.3 b/keyctl_join_session_keyring.3
new file mode 100644
index 0000000..b1a3cba
--- /dev/null
+++ b/keyctl_join_session_keyring.3
@@ -0,0 +1,116 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_JOIN_SESSION_KEYRING 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_join_session_keyring \- Join a different session keyring
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "key_serial_t keyctl_join_session_keyring(const char *" name ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_join_session_keyring ()
+changes the session keyring to which a process is subscribed.
+.P
+If
+.I name
+is
+.B NULL
+then a new anonymous keyring will be created, and the process will be
+subscribed to that.
+.P
+If
+.I name
+points to a string, then if a keyring of that name is available, the process
+will attempt to subscribe to that keyring, giving an error if that is not
+permitted; otherwise a new keyring of that name is created and attached as the
+session keyring.
+.P
+To attach to an extant named keyring, the keyring must have
+.B search
+permission available to the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_join_session_keyring ()
+returns the serial number of the key it found or created. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOMEM
+Insufficient memory to create a key.
+.TP
+.B EDQUOT
+The key quota for this user would be exceeded by creating this key or linking
+it to the keyring.
+.TP
+.B EACCES
+The named keyring exists, but is not
+.B searchable
+by the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyctl_link.3 b/keyctl_link.3
new file mode 100644
index 0000000..b1f599d
--- /dev/null
+++ b/keyctl_link.3
@@ -0,0 +1,140 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_LINK 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_link \- Link a key to a keyring
+keyctl_unlink \- Unlink a key from a keyring
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_link(key_serial_t " key ", key_serial_t " keyring ");"
+.sp
+.BI "long keyctl_unlink(key_serial_t " key ", key_serial_t " keyring ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_link ()
+creates a link from
+.I keyring
+to
+.IR key ,
+displacing any link to another key of the same type and description in that
+keyring if one exists.
+.P
+.BR keyctl_unlink ()
+removes the link from
+.I keyring
+to
+.I key
+if it exists.
+.P
+The caller must have
+.B write
+permission on a keyring to be able create or remove links in it.
+.P
+The caller must have
+.B link
+permission on a key to be able to create a link to it.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_link ()
+and
+.BR keyctl_unlink ()
+return
+.BR 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The key or the keyring specified are invalid.
+.TP
+.B EKEYEXPIRED
+The key or the keyring specified have expired.
+.TP
+.B EKEYREVOKED
+The key or the keyring specified have been revoked.
+.TP
+.B EACCES
+The keyring exists, but is not
+.B writable
+by the calling process.
+.P
+For
+.BR keyctl_link ()
+only:
+.TP
+.B ENOMEM
+Insufficient memory to expand the keyring
+.TP
+.B EDQUOT
+Expanding the keyring would exceed the keyring owner's quota.
+.TP
+.B EACCES
+The key exists, but is not
+.B linkable
+by the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
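Review bot: The NAME section puts `keyctl_link` and `keyctl_unlink` on two consecutive input lines with no break between them, so in fill mode they are joined into one paragraph, and tools that build whatis-style indexes from NAME may see a single malformed entry. Either insert a `.br` between the two lines or fold them into one entry such as `keyctl_link, keyctl_unlink \- Link/unlink a key to/from a keyring`. Separately, the ENOMEM entry under ERRORS lacks its closing full stop.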
diff --git a/keyctl_read.3 b/keyctl_read.3
new file mode 100644
index 0000000..f0257b5
--- /dev/null
+++ b/keyctl_read.3
@@ -0,0 +1,141 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_READ 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_read \- Read a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_read(key_serial_t " key ", char *" buffer ,
+.BI "size_t" buflen ");"
+.sp
+.BI "long keyctl_read_alloc(key_serial_t " key ", char **" _buffer ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_read ()
+reads the payload of a key if the key type supports it.
+.P
+The caller must have
+.B read
+permission on a key to be able to read it.
+.P
+.I buffer
+and
+.I buflen
+specify the buffer into which the payload data will be placed. If the buffer
+is too small, the full size of the payload will be returned, and no copy will
+take place.
+.P
+.BR keyctl_read_alloc ()
+is similar to
+.BR keyctl_read ()
+except that it allocates a buffer big enough to hold the payload data and
+places the data in it. If successful, A pointer to the buffer is placed in
+.IR *_buffer .
+The caller must free the buffer.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH READING KEYRINGS
+This call can be used to list the contents of a keyring. The data is
+presented to the user as an array of
+.B key_serial_t
+values, each of which corresponds to a key to which the keyring holds a link.
+.P
+The size of the keyring will be sizeof(key_serial_t) multiplied by the number
+of keys. The size of key_serial_t is invariant across different word sizes,
+though the byte-ordering is as appropriate for the kernel.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_read ()
+returns the amount of data placed into the buffer. If the buffer was too
+small, then the size of buffer required will be returned, but no data will be
+transferred. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.P
+On success
+.BR keyctl_read_alloc ()
+returns the amount of data in the buffer. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The key specified is invalid.
+.TP
+.B EKEYEXPIRED
+The key specified has expired.
+.TP
+.B EKEYREVOKED
+The key specified had been revoked.
+.TP
+.B EACCES
+The key exists, but is not
+.B readable
+by the calling process.
+.TP
+.B EOPNOTSUPP
+The key type does not support reading of the payload data.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR request-key (8)
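Review bot: The second SYNOPSIS line of the keyctl_read() prototype has no space inside the quoted type, so `.BI "size_t" buflen ");"` renders as "size_tbuflen);". It should read `.BI "size_t " buflen ");"`, as the keyctl_update.3 hunk does for `plen`. NAME lists only keyctl_read although the page also documents keyctl_read_alloc(). Because a too-small buffer yields the required size with nothing copied, DESCRIPTION would benefit from one sentence telling callers to compare the return value with `buflen` before using the buffer contents.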
diff --git a/keyctl_revoke.3 b/keyctl_revoke.3
new file mode 100644
index 0000000..47eb227
--- /dev/null
+++ b/keyctl_revoke.3
@@ -0,0 +1,107 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_REVOKE 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_revoke \- Revoke a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_revoke(key_serial_t " key ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_revoke ()
+marks a key as being revoked.
+.P
+After this operation has been performed on a key, attempts to access it will
+meet with error
+.BR EKEYREVOKED .
+.P
+The caller must have
+.B write
+permission on a key to be able revoke it.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_revoke ()
+returns
+.BR 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The specified key does not exist.
+.TP
+.B EKEYREVOKED
+The key has already been revoked.
+.TP
+.B EACCES
+The named key exists, but is not
+.B writable
+by the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
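Review bot: The permission sentence in DESCRIPTION reads "to be able revoke it", missing "to"; it should be `permission on a key to be able to revoke it.` The same slip appears in the keyctl_link.3 hunk ("to be able create"), in keyctl_set_timeout.3 and keyctl_setperm.3 ("to be able change"), and in the keyctl_update.3 hunk ("to be able update"), which continues past the end of this view. The EACCES entry also says "The named key" although the function takes a serial number, so `The key exists, but is not` would be more accurate.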
diff --git a/keyctl_search.3 b/keyctl_search.3
new file mode 100644
index 0000000..162a5e1
--- /dev/null
+++ b/keyctl_search.3
@@ -0,0 +1,172 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_SEARCH 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_search \- Search a keyring for a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_search(key_serial_t " keyring ", const char *" type ,
+.BI "const char *" description ", key_serial_t " destination ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_search ()
+recursively searches the
+.I keyring
+for a key of the specified
+.I type
+and
+.IR description .
+.P
+If found, the key will be attached to the
+.I destination
+keyring (if given), and its serial number will be returned.
+.P
+The source keyring must grant
+.B search
+permission to the caller, and for a key to be found, it must also grant
+.B search
+permission to the caller. Child keyrings will be only be recursively searched
+if they grant
+.B search
+permission to the caller as well.
+.P
+If the destination keyring is
+.BR zero ,
+no attempt will be made to forge a link to the key, and just the serial number
+will be returned.
+.P
+If the destination keyring is given, then the link may only be formed if the
+found key grants the caller
+.B link
+permission and the destination keyring grants the caller
+.B write
+permission.
+.P
+If the search is successful, and if the destination keyring already contains a
+link to a key that matches the specified
+.IR type " and " description ,
+then that link will be replaced by a link to the found key.
+.P
+The source keyring and destination keyring serial numbers may be those of
+valid keyrings to which the caller has appropriate permission, or they may be
+special keyring IDs:
+.TP
+.B KEY_SPEC_THREAD_KEYRING
+This specifies the caller's thread-specific keyring.
+.TP
+.B KEY_SPEC_PROCESS_KEYRING
+This specifies the caller's process-specific keyring.
+.TP
+.B KEY_SPEC_SESSION_KEYRING
+This specifies the caller's session-specific keyring.
+.TP
+.B KEY_SPEC_USER_KEYRING
+This specifies the caller's UID-specific keyring.
+.TP
+.B KEY_SPEC_USER_SESSION_KEYRING
+This specifies the caller's UID-session keyring.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_search ()
+returns the serial number of the key it found. On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+One of the keyrings doesn't exist, no key was found by the search, or the only
+key found by the search was a negative key.
+.TP
+.B ENOTDIR
+One of the keyrings is a valid key that isn't a keyring.
+.TP
+.B EKEYEXPIRED
+One of the keyrings has expired, or the only key found was expired.
+.TP
+.B EKEYREVOKED
+One of the keyrings has been revoked, or the only key found was revoked.
+.TP
+.B ENOMEM
+Insufficient memory to expand the destination keyring.
+.TP
+.B EDQUOT
+The key quota for this user would be exceeded by creating a link to the found
+key in the destination keyring.
+.TP
+.B EACCES
+The source keyring didn't grant
+.B search
+permission, the destination keyring didn't grant
+.B write
+permission or the found key didn't grant
+.B link
+permission to the caller.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+Although this is a Linux system call, it is not present in
+.I libc
+but can be found rather in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
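Review bot: The LINKING section says "Although this is a Linux system call, it is not present in libc", which contradicts the page's section-3 placement and the wording of the sibling pages; it looks copied from a section-2 page. Use the same text as the other keyctl_*.3 pages, `This is a library function that can be found in` followed by `.IR libkeyutils .`. In DESCRIPTION, "Child keyrings will be only be recursively searched" has a duplicated "be".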
diff --git a/keyctl_set_reqkey_keyring.3 b/keyctl_set_reqkey_keyring.3
new file mode 100644
index 0000000..02d9733
--- /dev/null
+++ b/keyctl_set_reqkey_keyring.3
@@ -0,0 +1,132 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_SET_REQKEY_KEYRING 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_set_reqkey_keyring \- Set the implicit destination keyring
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_set_reqkey_keyring(int " reqkey_defl ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_set_reqkey_keyring ()
+sets the default destination for implicit key requests for the current thread
+and returns the old setting.
+.P
+After this operation has been issued, keys acquired by implicit key requests,
+such as might be performed by open() on an AFS or NFS filesystem, will be
+linked by default to the specified keyring by this function.
+.P
+The valid values of
+.I reqkey_defl
+are:
+.TP
+.B KEY_REQKEY_DEFL_NO_CHANGE
+This makes no change to the current setting.
+.TP
+.B KEY_REQKEY_DEFL_THREAD_KEYRING
+This makes the thread-specific keyring the default destination.
+.TP
+.B KEY_REQKEY_DEFL_PROCESS_KEYRING
+This makes the process-specific keyring the default destination.
+.TP
+.B KEY_REQKEY_DEFL_SESSION_KEYRING
+This makes the session keyring the default destination.
+.TP
+.B KEY_REQKEY_DEFL_USER_KEYRING
+This makes the UID-specific keyring the default destination.
+.TP
+.B KEY_REQKEY_DEFL_USER_SESSION_KEYRING
+This makes the UID-specific session keyring the default destination.
+.TP
+.B KEY_REQKEY_DEFL_DEFAULT
+This selects the default behaviour which is to use the thread-specific keyring
+if there is one, otherwise the process-specific keyring if there is one,
+otherwise the session keyring if there is one, otherwise the UID-specific
+session keyring.
+.P
+This setting is inherited across
+.BR fork ()
+and
+.BR exec ().
+
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_set_reqkey_keyring ()
+returns
+.BR 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B EINVAL
+The value of
+.I reqkey_defl
+is invalid.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
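Review bot: DESCRIPTION states that the call "returns the old setting", but RETURN VALUE says it returns `0` on success, so a caller relying on the RETURN VALUE text could treat a non-zero previous setting as unexpected. If the description is the accurate one (it matches my understanding of the underlying keyctl operation; please confirm), RETURN VALUE should say `returns the old setting.` in place of `returns` / `.BR 0 .`. The blank input line before the RETURN VALUE separator emits vertical space in roff and is better dropped or replaced with a `.\"` comment line.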
diff --git a/keyctl_set_timeout.3 b/keyctl_set_timeout.3
new file mode 100644
index 0000000..978cbe4
--- /dev/null
+++ b/keyctl_set_timeout.3
@@ -0,0 +1,115 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_SET_TIMEOUT 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_set_timeout \- Set the expiration timer on a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_set_timeout(key_serial_t " key ", unsigned " timeout ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_set_timeout ()
+sets the expiration timer on a key to
+.I timeout
+seconds into the future. Setting
+.I timeout
+to
+.B zero
+cancels the expiration, assuming the key hasn't already expired.
+.P
+When the key expires, further attempts to access it will be met with error
+.BR EKEYEXPIRED .
+.P
+The caller must have
+.B setattr
+permission on a key to be able change its permissions mask.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_set_timeout ()
+returns
+.B 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The specied key does not exist.
+.TP
+.B EKEYEXPIRED
+The specified key has already expired.
+.TP
+.B EKEYREVOKED
+The specified key has been revoked.
+.TP
+.B EACCES
+The named key exists, but does not grant
+.B setattr
+permission to the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
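Review bot: The permission paragraph in DESCRIPTION appears to be carried over from keyctl_setperm.3 and says setattr is needed "to be able change its permissions mask"; on this page it should describe the timeout, e.g. `permission on a key to be able to change its timeout.` In RETURN VALUE, `.B 0 .` sets the space and full stop in bold as "0 ."; the other pages use `.BR 0 .`, and the same line occurs in the keyctl_setperm.3 hunk. Both hunks also misspell "specified" as "specied" in the ENOKEY entry.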
diff --git a/keyctl_setperm.3 b/keyctl_setperm.3
new file mode 100644
index 0000000..71c8f07
--- /dev/null
+++ b/keyctl_setperm.3
@@ -0,0 +1,164 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_SETPERM 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_setperm \- Change the permissions mask on a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_setperm(key_serial_t " key ", key_perm_t " perm ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_setperm ()
+changes the permissions mask on a key.
+.P
+A process that does not have the
+.B SysAdmin
+capability may not change the permissions mask on a key that doesn't have the
+same UID as the caller.
+.P
+The caller must have
+.B setattr
+permission on a key to be able change its permissions mask.
+.P
+The permissions mask is a bitwise-OR of the following flags:
+.TP
+.B KEY_xxx_VIEW
+Grant permission to view the attributes of a key.
+.TP
+.B KEY_xxx_READ
+Grant permission to read the payload of a key or to list a keyring.
+.TP
+.B KEY_xxx_WRITE
+Grant permission to modify the payload of a key or to add or remove links
+to/from a keyring.
+.TP
+.B KEY_xxx_SEARCH
+Grant permission to find a key or to search a keyring.
+.TP
+.B KEY_xxx_LINK
+Grant permission to make links to a key.
+.TP
+.B KEY_xxx_SETATTR
+Grant permission to change the ownership and permissions attributes of a key.
+.TP
+.B KEY_xxx_ALL
+Grant all the above.
+.P
+The
+.RB ' xxx '
+in the above should be replaced by one of:
+.TP
+.B POS
+Grant the permission to a process that possesses the key (has it attached
+searchably to one of the process's keyrings).
+.TP
+.B USR
+Grant the permission to a process with the same UID as the key.
+.TP
+.B GRP
+Grant the permission to a process with the same GID as the key, or with a
+match for the key's GID amongst that process's Groups list.
+.TP
+.B OTH
+Grant the permission to any other process.
+.P
+Examples include:
+.BR KEY_POS_VIEW ", " KEY_USR_READ ", " KEY_GRP_SEARCH " and " KEY_OTH_ALL .
+.P
+User, group and other grants are exclusive: if a process qualifies in
+the 'user' category, it will not qualify in the 'groups' category; and if a
+process qualifies in either 'user' or 'groups' then it will not qualify in
+the 'other' category.
+.P
+Possessor grants are cumulative with the grants from the 'user', 'groups'
+and 'other' categories.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_setperm ()
+returns
+.B 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The specied key does not exist.
+.TP
+.B EKEYEXPIRED
+The specified key has expired.
+.TP
+.B EKEYREVOKED
+The specified key has been revoked.
+.TP
+.B EACCES
+The named key exists, but does not grant
+.B setattr
+permission to the calling process.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_update (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
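Review bot: ERRORS does not reflect the ownership rule stated in DESCRIPTION: a process without the capability may not change the mask on a key with a different UID, yet EACCES is documented only for a missing setattr grant. Since this call decides who may read or modify a key, the page should state which errno that refusal produces (presumably EACCES as well; confirm against the kernel) and name the capability exactly, e.g. `.B CAP_SYS_ADMIN` rather than `.B SysAdmin`. A short caution beside `KEY_OTH_ALL` in the examples, noting that it grants every permission to all other processes, would be a useful caveat for readers copying the example.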
diff --git a/keyctl_update.3 b/keyctl_update.3
new file mode 100644
index 0000000..4ac19d4
--- /dev/null
+++ b/keyctl_update.3
@@ -0,0 +1,130 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH KEYCTL_UPDATE 3 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+keyctl_update \- Update a key
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "long keyctl_update(key_serial_t " key ", const char *" payload ,
+.BI "size_t " plen ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR keyctl_update ()
+updates the payload of a key if the key type permits it.
+.P
+The caller must have
+.B write
+permission on a key to be able update it.
+.P
+.I payload
+and
+.I plen
+specify the data for the new payload.
+.I payload
+may be NULL and
+.I plen
+may be zero if the key type permits that. The key type may reject the data if
+it's in the wrong format or in some other way invalid.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR keyctl_update ()
+returns
+.BR 0 .
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+The key specified is invalid.
+.TP
+.B EKEYEXPIRED
+The key specified has expired.
+.TP
+.B EKEYREVOKED
+The key specified had been revoked.
+.TP
+.B EINVAL
+The payload data was invalid.
+.TP
+.B ENOMEM
+Insufficient memory to store the new payload.
+.TP
+.B EDQUOT
+The key quota for this user would be exceeded by increasing the size of the
+key to accommodate the new payload.
+.TP
+.B EACCES
+The key exists, but is not
+.B writable
+by the calling process.
+.TP
+.B EOPNOTSUPP
+The key type does not support the update operation on its keys.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+This is a library function that can be found in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.br
+.BR add_key (2),
+.br
+.BR keyctl (2),
+.br
+.BR request_key (2),
+.br
+.BR keyctl_get_keyring_ID (3),
+.br
+.BR keyctl_join_session_keyring (3),
+.br
+.BR keyctl_revoke (3),
+.br
+.BR keyctl_chown (3),
+.br
+.BR keyctl_setperm (3),
+.br
+.BR keyctl_describe (3),
+.br
+.BR keyctl_clear (3),
+.br
+.BR keyctl_link (3),
+.br
+.BR keyctl_unlink (3),
+.br
+.BR keyctl_search (3),
+.br
+.BR keyctl_read (3),
+.br
+.BR keyctl_instantiate (3),
+.br
+.BR keyctl_negate (3),
+.br
+.BR keyctl_set_reqkey_keyring (3),
+.br
+.BR keyctl_set_timeout (3),
+.br
+.BR keyctl_assume_authority (3),
+.br
+.BR keyctl_describe_alloc (3),
+.br
+.BR keyctl_read_alloc (3),
+.br
+.BR request-key (8)
diff --git a/keyutils.spec b/keyutils.spec
index 4b5f4f2..a68a103 100644
--- a/keyutils.spec
+++ b/keyutils.spec
@@ -1,19 +1,20 @@
%define vermajor 1
-%define version %{vermajor}.0
-%define _exec_prefix /
+%define version %{vermajor}.1
+%define libdir /%{_lib}
%define usrlibdir %{_prefix}/%{_lib}
Summary: Linux Key Management Utilities
Name: keyutils
Version: %{version}
-Release: 2
+Release: 3%{?dist}
License: GPL/LGPL
Group: System Environment/Base
ExclusiveOS: Linux
+Url: http://people.redhat.com/~dhowells/keyutils/
Source0: http://people.redhat.com/~dhowells/keyutils/keyutils-%{version}.tar.bz2
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: glibc-kernheaders >= 2.4-9.1.92
%description
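Review bot: The new `BuildRoot:` value is still a fixed, guessable path under `%{_tmppath}`. The `%(%{__id_u} -n)` suffix keeps two builders from colliding, but it does not stop another local account from occupying that path first if `%{_tmppath}` is a shared world-writable directory (its value is not visible here). The `%install` section later in this file runs `rm -rf $RPM_BUILD_ROOT` and then installs into it, so an unpredictable name is safer, for example `BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)`. Separately, the added `Url:` and the unchanged `Source0:` are plain `http://`, and nothing in the visible spec verifies the tarball, so a checksum or signature check has to happen elsewhere in the build pipeline.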
@@ -29,11 +30,12 @@ Group: System Environment/Base
This package provides a wrapper library for the key management facility system
calls.
-%package devel
+%package libs-devel
Summary: Development package for building linux key management utilities
Group: System Environment/Base
+Requires: keyutils-libs == %{version}-%{release}
-%description devel
+%description libs-devel
This package provides headers and libraries for building key utilities.
%prep
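Review bot: Renaming the subpackage from `devel` to `libs-devel` leaves no upgrade path from the old name, because nothing in this hunk obsoletes or provides `keyutils-devel`. A system that has the 1.0 devel package installed would presumably keep it and run into file conflicts on `libkeyutils.so` and the headers when the new package is installed. After the new `Requires:` line, add `Obsoletes: keyutils-devel < %{version}-%{release}` and `Provides: keyutils-devel = %{version}-%{release}`.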
@@ -41,7 +43,8 @@ This package provides headers and libraries for building key utilities.
%build
make \
- LIBDIR=%{_libdir} \
+ NO_ARLIB=1 \
+ LIBDIR=%{libdir} \
USRLIBDIR=%{usrlibdir} \
RELEASE=.%{release} \
NO_GLIBC_KEYERR=1 \
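Review bot: `RELEASE=.%{release}` is still passed to make in `%build`, although this commit removes `RELEASE` from the Makefile and from the `%install` invocation; the leftover argument is dead and should be dropped so both invocations agree. The two invocations also differ in `NO_GLIBC_KEYERR=1`, which is passed here but not in `%install`. That matters only if the `install` target rebuilds any object, which should be checked against the Makefile since this hunk does not show it. The make command continues past the end of the hunk.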
@@ -49,7 +52,12 @@ make \
%install
rm -rf $RPM_BUILD_ROOT
-make DESTDIR=$RPM_BUILD_ROOT LIBDIR=%{_libdir} USRLIBDIR=%{usrlibdir} RELEASE=.%{release} install
+make \
+ NO_ARLIB=1 \
+ DESTDIR=$RPM_BUILD_ROOT \
+ LIBDIR=%{libdir} \
+ USRLIBDIR=%{usrlibdir} \
+ install
%clean
rm -rf $RPM_BUILD_ROOT
@@ -59,23 +67,36 @@ rm -rf $RPM_BUILD_ROOT
%doc README LICENCE.GPL
/sbin/*
/bin/*
-/usr/share/keyutils/*
-%{_mandir}/*
+/usr/share/keyutils
+%{_mandir}/man1/*
+%{_mandir}/man5/*
+%{_mandir}/man8/*
%config(noreplace) /etc/*
%files libs
%defattr(-,root,root,-)
%doc LICENCE.LGPL
-%{_libdir}/libkeyutils-%{version}.%{release}.so
-%{_libdir}/libkeyutils.so.%{vermajor}
+%{libdir}/libkeyutils-%{version}.so
+%{libdir}/libkeyutils.so.%{vermajor}
-%files devel
+%files libs-devel
%defattr(-,root,root,-)
-%{usrlibdir}/libkeyutils.a
%{usrlibdir}/libkeyutils.so
%{_includedir}/*
+%{_mandir}/man2/*
+%{_mandir}/man3/*
%changelog
+* Fri May 5 2006 David Howells <dhowells@redhat.com> - 1.1-3
+- Don't include the release number in the shared library filename
+- Don't build static library
+
+* Fri May 5 2006 David Howells <dhowells@redhat.com> - 1.1-2
+- More bug fixes from Fedora reviewer.
+
+* Thu May 4 2006 David Howells <dhowells@redhat.com> - 1.1-1
+- Fix rpmlint errors
+
* Mon Dec 5 2005 David Howells <dhowells@redhat.com> - 1.0-2
- Add build dependency on glibc-kernheaders with key management syscall numbers
diff --git a/request_key.2 b/request_key.2
new file mode 100644
index 0000000..aeb5110
--- /dev/null
+++ b/request_key.2
@@ -0,0 +1,141 @@
+.\"
+.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
+.\" Written by David Howells (dhowells@redhat.com)
+.\"
+.\" This program is free software; you can redistribute it and/or
+.\" modify it under the terms of the GNU General Public License
+.\" as published by the Free Software Foundation; either version
+.\" 2 of the License, or (at your option) any later version.
+.\"
+.TH REQUEST_KEY 2 "4 May 2006" Linux "Linux Key Management Calls"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH NAME
+request_key \- Request a key from the kernel's key management facility
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SYNOPSIS
+.nf
+.B #include <keyutils.h>
+.sp
+.BI "key_serial_t request_key(const char *" type ", const char *" description ,
+.BI "const char *" callout_info ", key_serial_t " keyring ");"
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH DESCRIPTION
+.BR request_key ()
+asks the kernel to find a key of the given
+.I type
+that matches the specified
+.I description
+and, if successful, to attach it to the nominated
+.I keyring
+and to return its serial number.
+.P
+.BR request_key ()
+first recursively searches all the keyrings attached to the calling process in
+the order thread-specific keyring, process-specific keyring and then session
+keyring for a matching key.
+.P
+If
+.BR request_key ()
+is called from a program invoked by
+.BR request_key ()
+on behalf of some other process to generate a key, then the keyrings of that
+other process will be searched next, using that other process's UID, GID,
+groups and security context to control access.
+.P
+The keys in each keyring searched are checked for a match before any child
+keyrings are recursed into. Only keys that are
+.B searchable
+for the caller may be found, and only
+.B searchable
+keyrings may be searched.
+.P
+If the key is not found then, if
+.I callout_info
+is set, this function will attempt to look further afield. In such a case, the
+.I callout_info
+is passed to a userspace service such as
+.B /sbin/request\-key
+to generate the key.
+.P
+If that is unsuccessful also, then an error will be returned, and a temporary
+negative key will be installed in the nominated
+.IR keyring .
+This will expire after a few seconds, but will cause subsequent
+calls to
+.BR request_key ()
+to fail until it does.
+.P
+The
+.I keyring
+serial number may be that of a valid keyring to which the caller has write
+permission, or it may be a special keyring ID:
+.TP
+.B KEY_SPEC_THREAD_KEYRING
+This specifies the caller's thread-specific keyring.
+.TP
+.B KEY_SPEC_PROCESS_KEYRING
+This specifies the caller's process-specific keyring.
+.TP
+.B KEY_SPEC_SESSION_KEYRING
+This specifies the caller's session-specific keyring.
+.TP
+.B KEY_SPEC_USER_KEYRING
+This specifies the caller's UID-specific keyring.
+.TP
+.B KEY_SPEC_USER_SESSION_KEYRING
+This specifies the caller's UID-session keyring.
+.P
+If a key is created, no matter whether it's a valid key or a negative key, it
+will displace any other key of the same type and description from the
+destination
+.IR keyring .
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH RETURN VALUE
+On success
+.BR request_key ()
+returns the serial number of the key it found.
+On error, the value
+.B -1
+will be returned and errno will have been set to an appropriate error.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH ERRORS
+.TP
+.B ENOKEY
+No matching key was found.
+.TP
+.B EKEYEXPIRED
+An expired key was found, but no replacement could be obtained.
+.TP
+.B EKEYREVOKED
+A revoked key was found, but no replacement could be obtained.
+.TP
+.B EKEYREJECTED
+The attempt to generate a new key was rejected.
+.TP
+.B ENOMEM
+Insufficient memory to create a key.
+.TP
+.B EINTR
+The request was interrupted by a signal.
+.TP
+.B EDQUOT
+The key quota for this user would be exceeded by creating this key or linking
+it to the keyring.
+.TP
+.B EACCES
+The keyring wasn't available for modification by the user.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH LINKING
+Although this is a Linux system call, it is not present in
+.I libc
+but can be found rather in
+.IR libkeyutils .
+When linking,
+.B -lkeyutils
+should be specified to the linker.
+.\"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
+.SH SEE ALSO
+.BR keyctl (1),
+.BR add_key (2),
+.BR keyctl (2),
+.BR request-key (8)