KEYCTL_RESTRICT_KEYRING(2const) KEYCTL_RESTRICT_KEYRING(2const)
NAME
       KEYCTL_RESTRICT_KEYRING - restrict keys that may be linked to a keyring
LIBRARY
       Standard C library (libc, -lc)
SYNOPSIS
       #include <linux/keyctl.h>  /* Definition of KEY* constants */
       #include <sys/syscall.h>   /* Definition of SYS_* constants */
       #include <unistd.h>

       long syscall(SYS_keyctl, KEYCTL_RESTRICT_KEYRING, key_serial_t keyring,
                    const char *_Nullable type, const char *restriction);
DESCRIPTION
       Apply a key-linking restriction to the keyring with the ID provided in
       keyring. The caller must have setattr permission on the key. If type is
       NULL, any attempt to add a key to the keyring is blocked; otherwise it
       contains a pointer to a string with a key type name and restriction
       contains a pointer to a string that describes the type-specific
       restriction. As of Linux 4.12, only the type "asymmetric" has
       restrictions defined:

       builtin_trusted
              Allows only keys that are signed by a key linked to the built-in
              keyring (".builtin_trusted_keys").

       builtin_and_secondary_trusted
              Allows only keys that are signed by a key linked to the
              secondary keyring (".secondary_trusted_keys") or, by extension,
              a key in a built-in keyring, as the latter is linked to the
              former.

       key_or_keyring:key
       key_or_keyring:key:chain
              If key specifies the ID of a key of type "asymmetric", then only
              keys that are signed by this key are allowed.

              If key specifies the ID of a keyring, then only keys that are
              signed by a key linked to this keyring are allowed.

              If ":chain" is specified, keys that are signed by a key linked
              to the destination keyring (that is, the keyring with the ID
              specified in the keyring argument) are also allowed.

       Note that a restriction can be configured only once for the specified
       keyring; once a restriction is set, it can't be overridden.
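       The following program is an added example, not part of the manual page
       or of the kernel sources. It creates a throwaway keyring, locks it with
       a NULL-type restriction, and checks the two behaviours described above:
       later add_key(2) calls into it are refused, and a second
       KEYCTL_RESTRICT_KEYRING fails with EEXIST. The key_serial_t typedef,
       the helper and result names are the example's own; the helper only
       assembles a "key_or_keyring:key[:chain]" string for the "asymmetric"
       form and is not used to restrict anything.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/keyctl.h>   /* KEYCTL_RESTRICT_KEYRING, KEYCTL_UNLINK, KEY_SPEC_PROCESS_KEYRING */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

typedef int32_t key_serial_t;  /* same definition as <keyutils.h>; avoids that dependency */

/* Outcome of restrict_demo(): distinguishes "keyrings unavailable here" from a real failure. */
enum demo_result { DEMO_OK = 0, DEMO_UNSUPPORTED = 1, DEMO_UNEXPECTED = 2 };

/* Build the "key_or_keyring:<id>[:chain]" restriction string for type "asymmetric".
 * Uses a static buffer, so the result is only valid until the next call. */
static const char *key_or_keyring_restriction(key_serial_t id, int chain)
{
    static char buf[64];
    snprintf(buf, sizeof buf, "key_or_keyring:%d%s", id, chain ? ":chain" : "");
    return buf;
}

/* Create a keyring under the process keyring, restrict it with type == NULL,
 * then verify that adding a key is blocked and that the restriction is one-shot. */
static enum demo_result restrict_demo(void)
{
    key_serial_t kr = (key_serial_t)syscall(SYS_add_key, "keyring", "restricted-demo",
                                            NULL, 0, KEY_SPEC_PROCESS_KEYRING);
    if (kr < 0)   /* seccomp (EPERM) or CONFIG_KEYS=n (ENOSYS): nothing to demonstrate */
        return (errno == EPERM || errno == ENOSYS) ? DEMO_UNSUPPORTED : DEMO_UNEXPECTED;

    enum demo_result res = DEMO_UNEXPECTED;
    /* The creator possesses the keyring and therefore has setattr on it. */
    if (syscall(SYS_keyctl, KEYCTL_RESTRICT_KEYRING, kr, NULL, NULL) != 0) {
        if (errno == EOPNOTSUPP)   /* kernel older than 4.12 */
            res = DEMO_UNSUPPORTED;
        goto out;
    }
    /* With type == NULL every attempt to add a key to the keyring is blocked. */
    if (syscall(SYS_add_key, "user", "blocked", "x", 1, kr) != -1 || errno != EPERM)
        goto out;
    /* A restriction can be configured only once: the second call fails with EEXIST. */
    if (syscall(SYS_keyctl, KEYCTL_RESTRICT_KEYRING, kr, NULL, NULL) != -1 || errno != EEXIST)
        goto out;
    res = DEMO_OK;
out:
    syscall(SYS_keyctl, KEYCTL_UNLINK, kr, KEY_SPEC_PROCESS_KEYRING);  /* clean up */
    return res;
}
```

       The program needs only an unprivileged user on a kernel with keyrings
       enabled; inside a container whose seccomp profile denies add_key(2) and
       keyctl(2) it reports DEMO_UNSUPPORTED rather than failing.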
RETURN VALUE
       On success, 0 is returned.

       On error, -1 is returned, and errno is set to indicate the error.
ERRORS
       EDEADLK
              The requested keyring restriction would result in a cycle.

       EEXIST keyring already has a restriction set.

       ENOENT The type provided in the type argument doesn't support setting
              key-linking restrictions.

       EOPNOTSUPP
              type was "asymmetric", and the key specified in the restriction
              specification provided in restriction has a type other than
              "asymmetric" or "keyring".
VERSIONS
       A wrapper is provided in the libkeyutils library:
       keyctl_restrict_keyring(3).
STANDARDS
       Linux.
HISTORY
       Linux 4.12.
SEE ALSO
       keyctl(2), keyctl_restrict_keyring(3)
COLOPHON
       This page is part of the man-pages (Linux kernel and C library
       user-space interface documentation) project. Information about the
       project can be found at ⟨https://www.kernel.org/doc/man-pages/⟩. If
       you have a bug report for this manual page, see
       ⟨https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/CONTRIBUTING⟩.
       This page was obtained from the tarball man-pages-6.15.tar.gz fetched
       from ⟨https://mirrors.edge.kernel.org/pub/linux/docs/man-pages/⟩ on
       2025-08-11. If you discover any rendering problems in this HTML
       version of the page, or you believe there is a better or more
       up-to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not part
       of the original manual page), send a mail to [email protected]
Linux man-pages 6.15          2025-05-17          KEYCTL_RESTRICT_KEYRING(2const)