#include <keyutils.h> long keyctl_assume_authority(key_serial_t key); long keyctl_instantiate(key_serial_t key, const char *payload, size_t plen, key_serial_t keyring); long keyctl_negate(key_serial_t key, unsigned timeout, key_serial_t keyring);
The calling thread must have the appopriate authorisation key resident in one of its keyrings for this to succeed, and that authority must not have been revoked.
The authorising key is allocated by request_key() when it needs to invoke userspace to generate a key for the requesting process. This is then attached to one of the keyrings of the userspace process to which the task of instantiating the key is given:
Calling this function modifies the way request_key() works when called thereafter by the calling (instantiator) thread; once the authority is assumed, the keyrings of the initial process are added to the search path, using the initial process's UID, GID, groups and security context.
If a thread has multiple instantiations to deal with, it may call this function to change the authorisation key currently in effect. Supplying a zero key de-assumes the currently assumed authority.
NOTE! This is a per-thread setting and not a per-process setting so that a multithreaded process can be used to instantiate several keys at once.
keyctl_instantiate() instantiates the payload of an uninstantiated key from the data specified. payload and plen specify the data for the new payload. payload may be NULL and plen may be zero if the key type permits that. The key type may reject the data if it's in the wrong format or in some other way invalid.
keyctl_negate() marks a key as negatively instantiated and sets the expiration timer on it. timeout specifies the lifetime of the key in seconds.
Only a key for which authority has been assumed may be instantiated or negatively instantiated, and once instantiated, the authorisation key will be revoked and the requesting process will be able to resume.
The destination keyring, if given, is assumed to belong to the initial requester, and not the instantiating process. Therefore, the special keyring IDs refer to the requesting process's keyrings, not the caller's, and the requester's UID, etc. will be used to access them.
The destination keyring can be zero if no extra link is desired.
The requester, not the caller, must have write permission on the destination for a link to be made there.