diff --git a/man2/request_key.2 b/man2/request_key.2 index 1a9cba825..78c91bdce 100644 --- a/man2/request_key.2 +++ b/man2/request_key.2 @@ -21,26 +21,28 @@ request_key \- request a key from the kernel's key management facility .fi .SH DESCRIPTION .BR request_key () -asks the kernel to find a key of the given +attempts to find a key of the given .I type -that matches the specified +with a description (name) that matches the specified .I description -and, if successful, to attach it to the nominated +and, if successful, attaches it to the nominated .I keyring -and to return its serial number. +and returns its serial number. .P .BR request_key () -first recursively searches all the keyrings attached to the calling process in -the order thread-specific keyring, process-specific keyring and then session -keyring for a matching key. +first recursively searches for a matching key in all of the keyrings +attached to the calling process. +The keyrings are searched in the order: thread-specific keyring, +process-specific keyring, and then session keyring. .P If .BR request_key () is called from a program invoked by .BR request_key () on behalf of some other process to generate a key, then the keyrings of that -other process will be searched next, using that other process's UID, GID, -groups, and security context to control access. +other process will be searched next, +using that other process's user ID, group ID, +supplementary group IDs, and security context to control access. .P The keys in each keyring searched are checked for a match before any child keyrings are recursed into. 
@@ -52,11 +54,11 @@ keyrings may be searched. .P If the key is not found, then, if .I callout_info -is set, this function will attempt to look further afield. +is not NULL, this function will attempt to look further afield. In such a case, the .I callout_info is passed to a user-space service such as -.B /sbin/request\-key +.I /sbin/request\-key to generate the key. .P If that is unsuccessful also, then an error will be returned, and a temporary @@ -70,7 +72,7 @@ to fail until it does. The .I keyring serial number may be that of a valid keyring to which the caller has write -permission, or it may be a special keyring ID: +permission, or it may be one of the following special keyring IDs: .TP .B KEY_SPEC_THREAD_KEYRING This specifies the caller's thread-specific keyring. @@ -92,11 +94,12 @@ will displace any other key of the same type and description from the destination .IR keyring . .SH RETURN VALUE -On success +On success, .BR request_key () returns the serial number of the key it found. -On error, the value \-1 -will be returned and errno will have been set to an appropriate error. +On error, \-1 is returned and +.I errno +is set to indicate the cause of the error. .SH ERRORS .TP .B EACCES
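Review bot: The credential list in the first hunk (@@ -21,26 +21,28 @@), "using that other process's user ID, group ID, supplementary group IDs, and security context to control access", does not say which user and group IDs are meant (real, effective or filesystem). This sentence defines whose credentials gate the keyring search when request_key() is called from a key-generating program, so it should name the ID set explicitly. A smaller style point in the same hunk: "with a description (name) that matches the specified description" repeats the word, and "whose description (name) matches the specified description" would read more cleanly.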
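Review bot: The NULL case for callout_info is still only implied in the hunk at @@ -52,11 +54,11 @@. The text says that "if callout_info is not NULL, this function will attempt to look further afield", but never states what happens when it is NULL and the key is not found. Add a sentence covering that case so a caller can tell from the page whether the user-space service can be invoked on its behalf. "look further afield" is also vague; the next sentence already says callout_info is passed to a user-space service such as /sbin/request-key, so the two sentences could be merged into one concrete statement.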
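Review bot: "returns the serial number of the key it found" in the RETURN VALUE hunk (@@ -92,11 +94,12 @@) does not cover the path described in DESCRIPTION, where callout_info is passed to a user-space service to generate the key. Suggest wording such as "the key it found or caused to be created" so the return value is defined for both paths.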