linux::keyctl
linux::keyctl provides an interface to the Linux kernel's key management
facilities. Documentation for this module is sparse; the reader is encouraged to
consult the Linux man pages for complete details.
Index
Types
type command;
type dh_params;
type kdf_params;
type reqkey;
type serial;
type caps;
type pkey_params;
type pkey_query;
type support;
Errors
type error;
type nokey;
Constants
const GROUP_KEYRING: serial;
const PROCESS_KEYRING: serial;
const REQKEY_AUTH_KEY: serial;
const REQUESTOR_KEYRING: serial;
const SESSION_KEYRING: serial;
const THREAD_KEYRING: serial;
const USER_KEYRING: serial;
const USER_SESSION_KEYRING: serial;
Functions
fn add_key(str, str, []u8, serial) (serial | error);
fn get_keyring_id(serial, bool) (serial | error);
fn join_session_keyring(str) (serial | error);
fn read(serial, []u8) (size | error);
fn revoke(serial) (void | error);
fn strerror(error) const str;
fn update(serial, []u8) (void | error);
Types
type command
type command = enum {
GET_KEYRING_ID = 0,
JOIN_SESSION_KEYRING = 1,
UPDATE = 2,
REVOKE = 3,
CHOWN = 4,
SETPERM = 5,
DESCRIBE = 6,
CLEAR = 7,
LINK = 8,
UNLINK = 9,
SEARCH = 10,
READ = 11,
INSTANTIATE = 12,
NEGATE = 13,
SET_REQKEY_KEYRING = 14,
SET_TIMEOUT = 15,
ASSUME_AUTHORITY = 16,
GET_SECURITY = 17,
SESSION_TO_PARENT = 18,
REJECT = 19,
INSTANTIATE_IOV = 20,
INVALIDATE = 21,
GET_PERSISTENT = 22,
DH_COMPUTE = 23,
PKEY_QUERY = 24,
PKEY_ENCRYPT = 25,
PKEY_DECRYPT = 26,
PKEY_SIGN = 27,
PKEY_VERIFY = 28,
RESTRICT_KEYRING = 29,
MOVE = 30,
CAPABILITIES = 31,
WATCH_KEY = 32,
};
keyctl commands
type dh_params
type dh_params = struct {
private: i32,
prime: i32,
base: i32,
};
Input for command::DH_COMPUTE
type kdf_params
type kdf_params = struct {
hashname: *char,
otherinfo: *char,
otherinfolen: u32,
__spare: [8]u32,
};
Output for command::DH_COMPUTE
type reqkey
type reqkey = enum {
NO_CHANGE = -1,
DEFAULT = 0,
THREAD_KEYRING = 1,
PROCESS_KEYRING = 2,
SESSION_KEYRING = 3,
USER_KEYRING = 4,
USER_SESSION_KEYRING = 5,
GROUP_KEYRING = 6,
REQUESTOR_KEYRING = 7,
};
request-key default keyrings
type serial
type serial = i32;
A key ID.
type caps
Show undocumented member
type caps = enum u8 {
CAPS0_CAPABILITIES = 1,
CAPS0_PERSISTENT_KEYRINGS = 2,
CAPS0_DIFFIE_HELLMAN = 4,
CAPS0_PUBLIC_KEY = 8,
CAPS0_BIG_KEY = 16,
CAPS0_INVALIDATE = 32,
CAPS0_RESTRICT_KEYRING = 64,
CAPS0_MOVE = 128,
CAPS1_NS_KEYRING_NAME = 1,
CAPS1_NS_KEY_TAG = 2,
CAPS1_NOTIFICATIONS = 4,
};
type pkey_params
Show undocumented member
type pkey_params = struct {
key_id: i32,
in_len: u32,
union {
out_len: u32,
in2_len: u32,
},
__spare: [7]u32,
};
type pkey_query
Show undocumented member
type pkey_query = struct {
supported_ops: u32,
key_size: u32,
max_data_size: u16,
max_sig_size: u16,
max_enc_size: u16,
max_dec_size: u16,
__spare: [10]u32,
};
type support
Show undocumented member
type support = enum u32 {
SUPPORTS_ENCRYPT = 1,
SUPPORTS_DECRYPT = 2,
SUPPORTS_SIGN = 4,
SUPPORTS_VERIFY = 8,
};
Errors
type error
type error = !(nokey | errors::error);
A tagged union of all possible error types.
type nokey
type nokey = !void;
Returned when a desired key was not found.
Constants
def GROUP_KEYRING
def GROUP_KEYRING: serial;
The caller's GID-specific keyring.
def PROCESS_KEYRING
def PROCESS_KEYRING: serial;
The caller's process-specific keyring.
def REQKEY_AUTH_KEY
def REQKEY_AUTH_KEY: serial;
The caller's GID-session keyring.
def REQUESTOR_KEYRING
def REQUESTOR_KEYRING: serial;
The Key ID for the reqkey destination keyring.
def SESSION_KEYRING
def SESSION_KEYRING: serial;
The caller's session-specific keyring.
def THREAD_KEYRING
def THREAD_KEYRING: serial;
The caller's thread-specific keyring.
def USER_KEYRING
def USER_KEYRING: serial;
The caller's UID-specific keyring.
def USER_SESSION_KEYRING
def USER_SESSION_KEYRING: serial;
The caller's UID-session keyring.
Functions
fn add_key
fn add_key(
keytype: str,
name: str,
payload: []u8,
keyring: serial,
) (serial | error);
Adds a key to the kernel's key management facility.
fn get_keyring_id
fn get_keyring_id(key: serial, create: bool) (serial | error);
Maps a special key or keyring ID to the serial number of the key actually
representing that feature. If it does not exist and 'create' is true, then
the key or keyring will be created if it is appropriate to do so.
fn join_session_keyring
fn join_session_keyring(name: str) (serial | error);
Replace the session keyring this process subscribes to with a new session
keyring using the given name, or, given an empty string, "_ses".
fn read
fn read(id: serial, buf: []u8) (size | error);
Reads the payload from a key, returning the size of the key data. The
provided buffer may be empty to probe the key size without reading.
fn revoke
fn revoke(id: serial) (void | error);
Revoke the key with the provided ID.
fn strerror
fn strerror(err: error) const str;
Converts an error into a human-friendly string.
fn update
fn update(id: serial, payload: []u8) (void | error);
Update a key's payload.