diff options
| author | David Howells <dhowells@redhat.com> | 2011-03-07 10:06:09 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2011-03-07 19:17:18 -0500 |
| commit | fdd1b94581782a2ddf9124414e5b7a5f48ce2f9c (patch) | |
| tree | ce83bfd1f0b1a7d4b9521bdb3d6afef1bff1d4f2 /Documentation/keys.txt | |
| parent | b9fffa3877a3ebbe0a5ad5a247358e2f7df15b24 (diff) | |
KEYS: Add a new keyctl op to reject a key with a specified error code
Add a new keyctl op to reject a key with a specified error code. This works
much the same as negating a key, and so keyctl_negate_key() is made a special
case of keyctl_reject_key(). The difference is that keyctl_negate_key()
selects ENOKEY as the error to be reported.
Typically the key would be rejected with EKEYEXPIRED, EKEYREVOKED or
EKEYREJECTED, but this is not mandatory.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'Documentation/keys.txt')
| -rw-r--r-- | Documentation/keys.txt | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/Documentation/keys.txt b/Documentation/keys.txt index cf68d1fed95..a6a97fdfadd 100644 --- a/Documentation/keys.txt +++ b/Documentation/keys.txt | |||
| @@ -657,6 +657,8 @@ The keyctl syscall functions are: | |||
| 657 | 657 | ||
| 658 | long keyctl(KEYCTL_NEGATE, key_serial_t key, | 658 | long keyctl(KEYCTL_NEGATE, key_serial_t key, |
| 659 | unsigned timeout, key_serial_t keyring); | 659 | unsigned timeout, key_serial_t keyring); |
| 660 | long keyctl(KEYCTL_REJECT, key_serial_t key, | ||
| 661 | unsigned timeout, unsigned error, key_serial_t keyring); | ||
| 660 | 662 | ||
| 661 | If the kernel calls back to userspace to complete the instantiation of a | 663 | If the kernel calls back to userspace to complete the instantiation of a |
| 662 | key, userspace should use this call mark the key as negative before the | 664 | key, userspace should use this call mark the key as negative before the |
| @@ -669,6 +671,10 @@ The keyctl syscall functions are: | |||
| 669 | that keyring, however all the constraints applying in KEYCTL_LINK apply in | 671 | that keyring, however all the constraints applying in KEYCTL_LINK apply in |
| 670 | this case too. | 672 | this case too. |
| 671 | 673 | ||
| 674 | If the key is rejected, future searches for it will return the specified | ||
| 675 | error code until the rejected key expires. Negating the key is the same | ||
| 676 | as rejecting the key with ENOKEY as the error code. | ||
| 677 | |||
| 672 | 678 | ||
| 673 | (*) Set the default request-key destination keyring. | 679 | (*) Set the default request-key destination keyring. |
| 674 | 680 | ||
| @@ -1240,8 +1246,8 @@ example, the KDE desktop manager). | |||
| 1240 | The program (or whatever it calls) should finish construction of the key by | 1246 | The program (or whatever it calls) should finish construction of the key by |
| 1241 | calling KEYCTL_INSTANTIATE, which also permits it to cache the key in one of | 1247 | calling KEYCTL_INSTANTIATE, which also permits it to cache the key in one of |
| 1242 | the keyrings (probably the session ring) before returning. Alternatively, the | 1248 | the keyrings (probably the session ring) before returning. Alternatively, the |
| 1243 | key can be marked as negative with KEYCTL_NEGATE; this also permits the key to | 1249 | key can be marked as negative with KEYCTL_NEGATE or KEYCTL_REJECT; this also |
| 1244 | be cached in one of the keyrings. | 1250 | permits the key to be cached in one of the keyrings. |
| 1245 | 1251 | ||
| 1246 | If it returns with the key remaining in the unconstructed state, the key will | 1252 | If it returns with the key remaining in the unconstructed state, the key will |
| 1247 | be marked as being negative, it will be added to the session keyring, and an | 1253 | be marked as being negative, it will be added to the session keyring, and an |