1 .\" Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
2 .\" Written by David Howells (dhowells@redhat.com)
3 .\" and Copyright (C) 2016 Michael Kerrisk <mtk.man-pages@gmail.com>
5 .\" SPDX-License-Identifier: GPL-2.0-or-later
7 .TH REQUEST_KEY 2 2021-08-27 "Linux man-pages (unreleased)" "Linux Key Management Calls"
9 request_key \- request a key from the kernel's key management facility
11 Linux Key Management Utilities
12 .RI ( libkeyutils ", " \-lkeyutils )
15 .B #include <keyutils.h>
17 .BI "key_serial_t request_key(const char *" type ", const char *" description ,
18 .BI " const char *" callout_info ,
19 .BI " key_serial_t " dest_keyring );
23 attempts to find a key of the given
25 with a description (name) that matches the specified
27 If such a key could not be found, then the key is optionally created.
28 If the key is found or created,
30 attaches it to the keyring whose ID is specified in
32 and returns the key's serial number.
35 first recursively searches for a matching key in all of the keyrings
36 attached to the calling process.
37 The keyrings are searched in the order: thread-specific keyring,
38 process-specific keyring, and then session keyring.
42 is called from a program invoked by
44 on behalf of some other process to generate a key, then the keyrings of that
45 other process will be searched next,
46 using that other process's user ID, group ID,
47 supplementary group IDs, and security context to determine access.
48 .\" David Howells: we can then have an arbitrarily long sequence
49 .\" of "recursive" request-key upcalls. There is no limit, other
50 .\" than number of PIDs, etc.
52 The search of the keyring tree is breadth-first:
53 the keys in each keyring searched are checked for a match before any child
54 keyrings are recursed into.
55 Only keys for which the caller has
57 permission be found, and only keyrings for which the caller has
59 permission may be searched.
61 If the key is not found and
63 is NULL, then the call fails with the error
66 If the key is not found and
68 is not NULL, then the kernel attempts to invoke a user-space
69 program to instantiate the key.
70 The details are given below.
74 serial number may be that of a valid keyring for which the caller has
76 permission, or it may be one of the following special keyring IDs:
78 .B KEY_SPEC_THREAD_KEYRING
79 This specifies the caller's thread-specific keyring (see
80 .BR thread\-keyring (7)).
82 .B KEY_SPEC_PROCESS_KEYRING
83 This specifies the caller's process-specific keyring (see
84 .BR process\-keyring (7)).
86 .B KEY_SPEC_SESSION_KEYRING
87 This specifies the caller's session-specific keyring (see
88 .BR session\-keyring (7)).
90 .B KEY_SPEC_USER_KEYRING
91 This specifies the caller's UID-specific keyring (see
92 .BR user\-keyring (7)).
94 .B KEY_SPEC_USER_SESSION_KEYRING
95 This specifies the caller's UID-session keyring (see
96 .BR user\-session\-keyring (7)).
101 and no key construction has been performed,
102 then no additional linking is done.
106 is 0 and a new key is constructed, the new key will be linked
107 to the "default" keyring.
108 More precisely, when the kernel tries to determine to which keyring the
109 newly constructed key should be linked,
110 it tries the following keyrings,
111 beginning with the keyring set via the
113 .B KEYCTL_SET_REQKEY_KEYRING
114 operation and continuing in the order shown below
115 until it finds the first keyring that exists:
117 .\" 8bbf4976b59fc9fc2861e79cab7beb3f6d647640
118 The requestor keyring
119 .RB ( KEY_REQKEY_DEFL_REQUESTOR_KEYRING ,
122 .\" Actually, is the preceding point correct?
123 .\" If I understand correctly, we'll only get here if
124 .\" 'dest_keyring' is zero, in which case KEY_REQKEY_DEFL_REQUESTOR_KEYRING
125 .\" won't refer to a keyring. Have I misunderstood?
127 The thread-specific keyring
128 .RB ( KEY_REQKEY_DEFL_THREAD_KEYRING ;
130 .BR thread\-keyring (7)).
132 The process-specific keyring
133 .RB ( KEY_REQKEY_DEFL_PROCESS_KEYRING ;
135 .BR process\-keyring (7)).
137 The session-specific keyring
138 .RB ( KEY_REQKEY_DEFL_SESSION_KEYRING ;
140 .BR session\-keyring (7)).
142 The session keyring for the process's user ID
143 .RB ( KEY_REQKEY_DEFL_USER_SESSION_KEYRING ;
145 .BR user\-session\-keyring (7)).
146 This keyring is expected to always exist.
148 The UID-specific keyring
149 .RB ( KEY_REQKEY_DEFL_USER_KEYRING ;
151 .BR user\-keyring (7)).
152 This keyring is also expected to always exist.
153 .\" mtk: Are there circumstances where the user sessions and UID-specific
154 .\" keyrings do not exist?
157 .\" The uid keyrings don't exist until someone tries to access them -
158 .\" at which point they're both created. When you log in, pam_keyinit
159 .\" creates a link to your user keyring in the session keyring it just
160 .\" created, thereby creating the user and user-session keyrings.
162 .\" and David elaborated that "access" means:
164 .\" It means lookup_user_key() was passed KEY_LOOKUP_CREATE. So:
166 .\" add_key() - destination keyring
167 .\" request_key() - destination keyring
168 .\" KEYCTL_GET_KEYRING_ID - if create arg is true
170 .\" KEYCTL_LINK - both args
171 .\" KEYCTL_SEARCH - destination keyring
174 .\" KEYCTL_SET_TIMEOUT
175 .\" KEYCTL_INSTANTIATE - destination keyring
176 .\" KEYCTL_INSTANTIATE_IOV - destination keyring
177 .\" KEYCTL_NEGATE - destination keyring
178 .\" KEYCTL_REJECT - destination keyring
179 .\" KEYCTL_GET_PERSISTENT - destination keyring
181 .\" will all create a keyring under some circumstances. Whereas the rest,
182 .\" such as KEYCTL_GET_SECURITY, KEYCTL_READ and KEYCTL_REVOKE, won't.
186 .B KEYCTL_SET_REQKEY_KEYRING
188 .B KEY_REQKEY_DEFL_DEFAULT
190 .B KEYCTL_SET_REQKEY_KEYRING
191 operation is performed),
192 then the kernel looks for a keyring
193 starting from the beginning of the list.
195 .SS Requesting user-space instantiation of a key
196 If the kernel cannot find a key matching
202 is not NULL, then the kernel attempts to invoke a user-space
203 program to instantiate a key with the given
207 In this case, the following steps are performed:
209 The kernel creates an uninstantiated key, U, with the requested
214 The kernel creates an authorization key, V,
215 .\" struct request_key_auth, defined in security/keys/internal.h
216 that refers to the key U and records the facts that the caller of
221 the context in which the key U should be instantiated and secured, and
223 the context from which associated key requests may be satisfied.
226 The authorization key is constructed as follows:
230 .IR """.request_key_auth""" .
232 The key's UID and GID are the same as the corresponding filesystem IDs
233 of the requesting process.
240 permissions to the key possessor as well as
242 permission for the key user.
244 The description (name) of the key is the hexadecimal
245 string representing the ID of the key that is to be instantiated
246 in the requesting program.
248 The payload of the key is taken from the data specified in
251 Internally, the kernel also records the PID of the process that called
255 The kernel creates a process that executes a user-space service such as
257 with a new session keyring that contains a link to the authorization key, V.
258 .\" The request\-key(8) program can be invoked in circumstances *other* than
259 .\" when triggered by request_key(2). For example, upcalls from places such
260 .\" as the DNS resolver.
262 This program is supplied with the following command-line arguments:
266 .IR """/sbin/request\-key""" .
270 (indicating that a key is to be created).
272 The ID of the key that is to be instantiated.
274 The filesystem UID of the caller of
277 The filesystem GID of the caller of
280 The ID of the thread keyring of the caller of
282 This may be zero if that keyring hasn't been created.
284 The ID of the process keyring of the caller of
286 This may be zero if that keyring hasn't been created.
288 The ID of the session keyring of the caller of
293 each of the command-line arguments that is a key ID is encoded in
295 (unlike the key IDs shown in
297 which are shown as hexadecimal values).
299 The program spawned in the previous step:
302 Assumes the authority to instantiate the key U using the
304 .B KEYCTL_ASSUME_AUTHORITY
305 operation (typically via the
306 .BR keyctl_assume_authority (3)
309 Obtains the callout data from the payload of the authorization key V
313 operation (or, more commonly, the
315 function) with a key ID value of
316 .BR KEY_SPEC_REQKEY_AUTH_KEY ).
319 (or execs another program that performs that task),
320 specifying the payload and destination keyring.
321 (The destination keyring that the requestor specified when calling
323 can be accessed using the special key ID
324 .BR KEY_SPEC_REQUESTOR_KEYRING .)
325 .\" Should an instantiating program be using KEY_SPEC_REQUESTOR_KEYRING?
326 .\" I couldn't find a use in the keyutils git repo.
327 .\" According to David Howells:
328 .\" * This feature is provided, but not used at the moment.
329 .\" * A key added to that ring is then owned by the requester
330 Instantiation is performed using the
332 .B KEYCTL_INSTANTIATE
333 operation (or, more commonly, the
334 .BR keyctl_instantiate (3)
338 call completes, and the requesting program can continue execution.
341 If these steps are unsuccessful, then an
343 error will be returned to the caller of
345 and a temporary, negatively instantiated key will be installed
346 in the keyring specified by
348 This will expire after a few seconds, but will cause subsequent calls to
350 to fail until it does.
351 The purpose of this negatively instantiated key is to prevent
352 (possibly different) processes making repeated requests
353 (that require expensive
355 upcalls) for a key that can't (at the moment) be positively instantiated.
357 Once the key has been instantiated, the authorization key
358 .RB ( KEY_SPEC_REQKEY_AUTH_KEY )
359 is revoked, and the destination keyring
360 .RB ( KEY_SPEC_REQUESTOR_KEYRING )
361 is no longer accessible from the
365 If a key is created, then\(emregardless of whether it is a valid key or
366 a negatively instantiated key\(emit will displace any other key with
367 the same type and description from the keyring specified in
372 returns the serial number of the key it found or caused to be created.
373 On error, \-1 is returned and
375 is set to indicate the error.
379 The keyring wasn't available for modification by the user.
382 The key quota for this user would be exceeded by creating this key or linking
391 points outside the process's accessible address space.
394 The request was interrupted by a signal; see
398 The size of the string (including the terminating null byte) specified in
402 exceeded the limit (32 bytes and 4096 bytes respectively).
405 The size of the string (including the terminating null byte) specified in
407 exceeded the system page size.
410 An expired key was found, but no replacement could be obtained.
413 The attempt to generate a new key was rejected.
416 A revoked key was found, but no replacement could be obtained.
419 No matching key was found.
422 Insufficient memory to create a key.
427 argument started with a period (\(aq.\(aq).
429 This system call first appeared in Linux 2.6.10.
430 The ability to instantiate keys upon request was added
431 .\" commit 3e30148c3d524a9c1c63ca28261bc24c457eb07a
434 This system call is a nonstandard Linux extension.
436 The program below demonstrates the use of
443 arguments for the system call are taken from the values
444 supplied in the command-line arguments.
445 The call specifies the session keyring as the target keyring.
447 In order to demonstrate this program,
448 we first create a suitable entry in the file
449 .IR /etc/request\-key.conf .
454 # \fBecho \(aqcreate user mtk:* * /bin/keyctl instantiate %k %c %S\(aq \e\fP
455 \fB> /etc/request\-key.conf\fP
460 This entry specifies that when a new "user" key with the prefix
461 "mtk:" must be instantiated, that task should be performed via the
466 The arguments supplied to the
469 the ID of the uninstantiated key
471 the callout data supplied to the
475 and the session keyring
477 of the requestor (i.e., the caller of
480 .BR request\-key.conf (5)
485 Then we run the program and check the contents of
487 to verify that the requested key has been instantiated:
491 $ \fB./t_request_key user mtk:key1 "Payload data"\fP
492 $ \fBgrep \(aq2dddaf50\(aq /proc/keys\fP
493 2dddaf50 I\-\-Q\-\-\- 1 perm 3f010000 1000 1000 user mtk:key1: 12
497 For another example of the use of this program, see
501 .\" SRC BEGIN (t_request_key.c)
503 /* t_request_key.c */
505 #include <keyutils.h>
511 main(int argc, char *argv[])
516 fprintf(stderr, "Usage: %s type description callout\-data\en",
521 key = request_key(argv[1], argv[2], argv[3],
522 KEY_SPEC_SESSION_KEYRING);
524 perror("request_key");
528 printf("Key ID is %jx\en", (uintmax_t) key);
541 .BR capabilities (7),
544 .BR persistent\-keyring (7),
545 .BR process\-keyring (7),
546 .BR session\-keyring (7),
547 .BR thread\-keyring (7),
548 .BR user\-keyring (7),
549 .BR user\-session\-keyring (7),
552 The kernel source files
553 .I Documentation/security/keys/core.rst
555 .I Documentation/keys/request\-key.rst
556 (or, before Linux 4.13, in the files
557 .\" commit b68101a1e8f0263dbc7b8375d2a7c57c6216fb76
558 .I Documentation/security/keys.txt
560 .\" commit 3db38ed76890565772fcca3279cc8d454ea6176b
561 .IR Documentation/security/keys\-request\-key.txt ).