linux::keyctl +linux +x86_64

linux::keyctl provides an interface to the Linux kernel's key management facilities. Documentation for this module is sparse; the reader is encouraged to consult the Linux man pages for complete details.

Index

Types

type command;
type dh_params;
type kdf_params;
type reqkey;
type serial;

// Undocumented types:
type caps;
type pkey_params;
type pkey_query;
type support;

Errors

type error;
type nokey;

Constants

const GROUP_KEYRING: serial;
const PROCESS_KEYRING: serial;
const REQKEY_AUTH_KEY: serial;
const REQUESTOR_KEYRING: serial;
const SESSION_KEYRING: serial;
const THREAD_KEYRING: serial;
const USER_KEYRING: serial;
const USER_SESSION_KEYRING: serial;

Functions

fn add_key(str, str, []u8, serial) (serial | error);
fn get_keyring_id(serial, bool) (serial | error);
fn join_session_keyring(str) (serial | error);
fn read(serial, []u8) (size | error);
fn revoke(serial) (void | error);
fn strerror(error) const str;
fn update(serial, []u8) (void | error);

Types

type command[link]

type command = enum {
	GET_KEYRING_ID = 0,
	JOIN_SESSION_KEYRING = 1,
	UPDATE = 2,
	REVOKE = 3,
	CHOWN = 4,
	SETPERM = 5,
	DESCRIBE = 6,
	CLEAR = 7,
	LINK = 8,
	UNLINK = 9,
	SEARCH = 10,
	READ = 11,
	INSTANTIATE = 12,
	NEGATE = 13,
	SET_REQKEY_KEYRING = 14,
	SET_TIMEOUT = 15,
	ASSUME_AUTHORITY = 16,
	GET_SECURITY = 17,
	SESSION_TO_PARENT = 18,
	REJECT = 19,
	INSTANTIATE_IOV = 20,
	INVALIDATE = 21,
	GET_PERSISTENT = 22,
	DH_COMPUTE = 23,
	PKEY_QUERY = 24,
	PKEY_ENCRYPT = 25,
	PKEY_DECRYPT = 26,
	PKEY_SIGN = 27,
	PKEY_VERIFY = 28,
	RESTRICT_KEYRING = 29,
	MOVE = 30,
	CAPABILITIES = 31,
	WATCH_KEY = 32,

};

keyctl commands

type dh_params[link]

type dh_params = struct {
	private: i32,
	prime: i32,
	base: i32,
};

Input for command::DH_COMPUTE

type kdf_params[link]

type kdf_params = struct {
	hashname: *char,
	otherinfo: *char,
	otherinfolen: u32,
	__spare: [8]u32,
};

Output for command::DH_COMPUTE

type reqkey[link]

type reqkey = enum {
	NO_CHANGE = -1,
	DEFAULT = 0,
	THREAD_KEYRING = 1,
	PROCESS_KEYRING = 2,
	SESSION_KEYRING = 3,
	USER_KEYRING = 4,
	USER_SESSION_KEYRING = 5,
	GROUP_KEYRING = 6,
	REQUESTOR_KEYRING = 7,

};

request-key default keyrings

type serial[link]

type serial = i32;

A key ID.

type caps[link]

Show undocumented member
type caps = enum u8 {
	CAPS0_CAPABILITIES = 1,
	CAPS0_PERSISTENT_KEYRINGS = 2,
	CAPS0_DIFFIE_HELLMAN = 4,
	CAPS0_PUBLIC_KEY = 8,
	CAPS0_BIG_KEY = 16,
	CAPS0_INVALIDATE = 32,
	CAPS0_RESTRICT_KEYRING = 64,
	CAPS0_MOVE = 128,
	CAPS1_NS_KEYRING_NAME = 1,
	CAPS1_NS_KEY_TAG = 2,
	CAPS1_NOTIFICATIONS = 4,

};

type pkey_params[link]

Show undocumented member
type pkey_params = struct {
	key_id: i32,
	in_len: u32,
	union {
		out_len: u32,
		in2_len: u32,
	},
	__spare: [7]u32,
};

type pkey_query[link]

Show undocumented member
type pkey_query = struct {
	supported_ops: u32,
	key_size: u32,
	max_data_size: u16,
	max_sig_size: u16,
	max_enc_size: u16,
	max_dec_size: u16,
	__spare: [10]u32,
};

type support[link]

Show undocumented member
type support = enum u32 {
	SUPPORTS_ENCRYPT = 1,
	SUPPORTS_DECRYPT = 2,
	SUPPORTS_SIGN = 4,
	SUPPORTS_VERIFY = 8,

};

Errors

type error[link]

type error = !(nokey | errors::error);

A tagged union of all possible error types.

type nokey[link]

type nokey = !void;

Returned when a desired key was not found.

Constants

def GROUP_KEYRING[link]

def GROUP_KEYRING: serial;

The caller's GID-specific keyring.

def PROCESS_KEYRING[link]

def PROCESS_KEYRING: serial;

The caller's process-specific keyring.

def REQKEY_AUTH_KEY[link]

def REQKEY_AUTH_KEY: serial;

The caller's GID-session keyring.

def REQUESTOR_KEYRING[link]

def REQUESTOR_KEYRING: serial;

The Key ID for the reqkey destination keyring.

def SESSION_KEYRING[link]

def SESSION_KEYRING: serial;

The caller's session-specific keyring.

def THREAD_KEYRING[link]

def THREAD_KEYRING: serial;

The caller's thread-specific keyring.

def USER_KEYRING[link]

def USER_KEYRING: serial;

The caller's UID-specific keyring.

def USER_SESSION_KEYRING[link]

def USER_SESSION_KEYRING: serial;

The caller's UID-session keyring.

Functions

fn add_key[link]

fn add_key(
	keytype: str,
	name: str,
	payload: []u8,
	keyring: serial,
) (serial | error);

Adds a key to the kernel's key management facility.

fn get_keyring_id[link]

fn get_keyring_id(key: serial, create: bool) (serial | error);

Maps a special key or keyring ID to the serial number of the key actually representing that feature. If it does not exist and 'create' is true, then the key or keyring will be created if it is appropriate to do so.

fn join_session_keyring[link]

fn join_session_keyring(name: str) (serial | error);

Replace the session keyring this process subscribes to with a new session keyring using the given name, or, given an empty string, "_ses".

fn read[link]

fn read(id: serial, buf: []u8) (size | error);

Reads the payload from a key, returning the size of the key data. The provided buffer may be empty to probe the key size without reading.

fn revoke[link]

fn revoke(id: serial) (void | error);

Revoke the key with the provided ID.

fn strerror[link]

fn strerror(err: error) const str;

Converts an error into a human-friendly string.

fn update[link]

fn update(id: serial, payload: []u8) (void | error);

Update a key's payload.