man-pages/man2/request_key.2

.\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
.\" Written by David Howells (dhowells@redhat.com)
.\"
.\" %%%LICENSE_START(GPLv2+_SW_ONEPARA)
.\" This program is free software; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License
.\" as published by the Free Software Foundation; either version
.\" 2 of the License, or (at your option) any later version.
.\" %%%LICENSE_END
.\"
.TH REQUEST_KEY 2 2016-10-08 Linux "Linux Key Management Calls"
.SH NAME
request_key \- request a key from the kernel's key management facility
.SH SYNOPSIS
.nf
.B #include <sys/types.h>
.B #include <keyutils.h>
.sp
.BI "key_serial_t request_key(const char *" type ", const char *" description ,
.BI "                         const char *" callout_info ,
.BI "                         key_serial_t " keyring ");"
.fi

No glibc wrapper is provided for this system call; see NOTES.
.SH DESCRIPTION
.BR request_key ()
attempts to find a key of the given
.I type
with a description (name) that matches the specified
.IR description .
If the key is found,
.BR request_key ()
attaches it to the nominated
.I keyring
and returns the key's serial number.
.P
.BR request_key ()
first recursively searches for a matching key in all of the keyrings
attached to the calling process.
The keyrings are searched in the order: thread-specific keyring,
process-specific keyring, and then session keyring.
.P
If
.BR request_key ()
is called from a program invoked by
.BR request_key ()
on behalf of some other process to generate a key, then the keyrings of that
other process will be searched next,
using that other process's user ID, group ID,
supplementary group IDs, and security context to control access.
.P
The search of the keyring tree is breadth-first:
the keys in each keyring searched are checked for a match before any child
keyrings are recursed into.
Only keys for which the caller has
.I search
permission be found, and only keyrings for which the caller has
.I search
permission may be searched.
.P
If the key is not found, then, if
.I callout_info
is not NULL, the kernel will attempt to look further afield.
In this case, the following steps are performed:
.IP 1. 4
The kernel creates an uninstantiated key, U, with the requested
.I type
and
.IR description .
.IP 2.
The kernel creates an authorization key, V, that refers to the key U
and notes that the caller of
.BR request_key (2)
is (1) the context in which the key U should be instantiated and secured,
and (2) the context from which associated key requests may be satisfied.
The payload of the authorization key is the data supplied in
.IR callout_info .
.IP 3.
The kernel creates a process that executes a user-space service such as
.BR request-key (8)
with a new session keyring that contains a link to the authorization key, V.
.IP 4.
The program spawned in the previous step:
.RS
.IP * 3
Assumes the authority to instantiate the key U using the
.BR keyctl (2)
.BR KEYCTL_ASSUME_AUTHORITY
operation.
.IP *
Obtains the callout data from the authorization key V (using the
.BR keyctl (2)
.BR KEYCTL_READ
operation with a key ID value of
.BR KEY_SPEC_REQKEY_AUTH_KEY ).
.IP *
Instantiates the key
(or execs another program that performs that task).
.RE
.P
If these steps are also unsuccessful, then an error will be returned,
and a temporary negative key will be installed in the nominated
.IR keyring .
.\" FIXME Is 'keyring' allowed to be NULL? Reading the source, it appears so,
.\"       with the result that the key is linked into a default keyring
.\"       as specified by KEYCTL_SET_REQKEY_KEYRING.
This will expire after a few seconds, but will cause subsequent
calls to
.BR request_key ()
.\" FIXME Need an explanation here of why this is done.
to fail until it does.
.P
The
.I keyring
serial number may be that of a valid keyring to which the caller has write
permission, or it may be one of the following special keyring IDs:
.TP
.B KEY_SPEC_THREAD_KEYRING
This specifies the caller's thread-specific keyring
.RB ( thread-keyring (7)).
.TP
.B KEY_SPEC_PROCESS_KEYRING
This specifies the caller's process-specific keyring
.RB ( process-keyring (7)).
.TP
.B KEY_SPEC_SESSION_KEYRING
This specifies the caller's session-specific keyring
.RB ( session-keyring (7)).
.TP
.B KEY_SPEC_USER_KEYRING
This specifies the caller's UID-specific keyring
.RB ( user-keyring (7)).
.TP
.B KEY_SPEC_USER_SESSION_KEYRING
This specifies the caller's UID-session keyring
.RB ( user-session-keyring (7)).
.P
If a key is created, then\(emregardless of whether it is a valid key or
a negative key\(emit will displace any other key with
the same type and description from the destination
.IR keyring .
.SH RETURN VALUE
On success,
.BR request_key ()
returns the serial number of the key it found or caused to be created.
On error, \-1 is returned and
.I errno
is set to indicate the cause of the error.
.SH ERRORS
.TP
.B EACCES
The keyring wasn't available for modification by the user.
.TP
.B EDQUOT
The key quota for this user would be exceeded by creating this key or linking
it to the keyring.
.TP
.B EINTR
The request was interrupted by a signal; see
.BR signal (7).
.TP
.B EKEYEXPIRED
An expired key was found, but no replacement could be obtained.
.TP
.B EKEYREJECTED
The attempt to generate a new key was rejected.
.TP
.B EKEYREVOKED
A revoked key was found, but no replacement could be obtained.
.TP
.B ENOKEY
No matching key was found.
.TP
.B ENOMEM
Insufficient memory to create a key.
.SH VERSIONS
This system call first appeared in Linux 2.6.11.
.SH CONFORMING TO
This system call is a nonstandard Linux extension.
.SH NOTES
No wrapper for this system call is provided in glibc.
A wrapper is provided in the
.IR libkeyutils
package.
When employing the wrapper in that library, link with
.IR \-lkeyutils .
.SH SEE ALSO
.BR keyctl (1),
.BR add_key (2),
.BR keyctl (2),
.BR keyctl (3),
.BR keyrings (7),
.BR keyutils (7),
.BR persistent-keyring (7),
.BR process-keyring (7),
.BR session-keyring (7),
.BR thread-keyring (7),
.BR user-keyring (7),
.BR user-session-keyring (7),
.BR request-key (8)

The kernel source files
.IR Documentation/security/keys.txt
and
.IR Documentation/security/keys-request-key.txt .