keyctl Man page

KEYCTL(1) Linux Key Management Utilities KEYCTL(1)

NAME

keyctl – Key management facility control

SYNOPSIS

keyctl –version
keyctl show [-x] [] keyctl add
keyctl padd
keyctl request [] keyctl request2 [] keyctl prequest2 [] keyctl update
keyctl pupdate
keyctl newring
keyctl revoke
keyctl clear
keyctl link
keyctl unlink [] keyctl search [] keyctl read
keyctl pipe
keyctl print
keyctl list
keyctl rlist
keyctl describe
keyctl rdescribe [sep] keyctl chown
keyctl chgrp
keyctl setperm
keyctl new_session
keyctl session
keyctl session – [ …] keyctl session [ …] keyctl instantiate
keyctl pinstantiate
keyctl negate
keyctl reject
keyctl timeout
keyctl security
keyctl reap [-v] keyctl purge
keyctl purge [-i] [-p]
keyctl purge -s
keyctl get_persistent []

DESCRIPTION

This program is used to control the key management facility in various
ways using a variety of subcommands.

KEY IDENTIFIERS
The key identifiers passed to or returned from keyctl are, in general,
positive integers. There are, however, some special values with special
meanings that can be passed as arguments:

(*) No key: 0

(*) Thread keyring: @t or -1

Each thread may have its own keyring. This is searched first, before
all others. The thread keyring is replaced by (v)fork, exec and clone.

(*) Process keyring: @p or -2

Each process (thread group) may have its own keyring. This is shared
between all members of a group and will be searched after the thread
keyring. The process keyring is replaced by (v)fork and exec.

(*) Session keyring: @s or -3

Each process subscribes to a session keyring that is inherited across
(v)fork, exec and clone. This is searched after the process keyring.
Session keyrings can be named and an extant keyring can be joined in
place of a process’s current session keyring.

(*) User specific keyring: @u or -4

This keyring is shared between all the processes owned by a particular
user. It isn’t searched directly, but is normally linked to from the
session keyring.

(*) User default session keyring: @us or -5

This is the default session keyring for a particular user. Login pro‐
cesses that change to a particular user will bind to this session until
another session is set.

(*) Group specific keyring: @g or -6

This is a place holder for a group specific keyring, but is not actu‐
ally implemented yet in the kernel.

(*) Assumed request_key authorisation key: @a or -7

This selects the authorisation key provided to the request_key() helper
to permit it to access the callers keyrings and instantiate the target
key.

(*) Keyring by name: %:

A named keyring. This will be searched for in the process’s keyrings
and in /proc/keys.

(*) Key by name: %:

A named key of the given type. This will be searched for in the
process’s keyrings and in /proc/keys.

COMMAND SYNTAX
Any non-ambiguous shortening of a command name may be used in lieu of
the full command name. This facility should not be used in scripting as
new commands may be added in future that then cause ambiguity.

(*) Display the package version number

keyctl –version

This command prints the package version number and build date and
exits:

testbox>keyctl –version
keyctl from keyutils-1.5.3 (Built 2011-08-24)

(*) Show process keyrings

keyctl show [-x] []

By default this command recursively shows what keyrings a process is
subscribed to and what keys and keyrings they contain. If a keyring is
specified then that keyring will be dumped instead. If -x is specified
then the keyring IDs will be dumped in hex instead of decimal.

(*) Add a key to a keyring

keyctl add
keyctl padd

This command creates a key of the specified type and description;
instantiates it with the given data and attaches it to the specified
keyring. It then prints the new key’s ID on stdout:

testbox>keyctl add user mykey stuff @u
26

The padd variant of the command reads the data from stdin rather than
taking it from the command line:

testbox>echo -n stuff | keyctl padd user mykey @u
26

(*) Request a key

keyctl request [] keyctl request2 [] keyctl prequest2 []

These three commands request the lookup of a key of the given type and
description. The process’s keyrings will be searched, and if a match is
found the matching key’s ID will be printed to stdout; and if a desti‐
nation keyring is given, the key will be added to that keyring also.

If there is no key, the first command will simply return the error
ENOKEY and fail. The second and third commands will create a partial
key with the type and description, and call out to /sbin/request-key
with that key and the extra information supplied. This will then
attempt to instantiate the key in some manner, such that a valid key is
obtained.

The third command is like the second, except that the callout informa‐
tion is read from stdin rather than being passed on the command line.

If a valid key is obtained, the ID will be printed and the key attached
as if the original search had succeeded.

If there wasn’t a valid key obtained, a temporary negative key will be
attached to the destination keyring if given and the error “Requested
key not available” will be given.

testbox>keyctl request2 user debug:hello wibble
23
testbox>echo -n wibble | keyctl prequest2 user debug:hello
23
testbox>keyctl request user debug:hello
23

(*) Update a key

keyctl update
keyctl pupdate

This command replaces the data attached to a key with a new set of
data. If the type of the key doesn’t support update then error “Opera‐
tion not supported” will be returned.

testbox>keyctl update 23 zebra

The pupdate variant of the command reads the data from stdin rather
than taking it from the command line:

testbox>echo -n zebra | keyctl pupdate 23

(*) Create a keyring

keyctl newring

This command creates a new keyring of the specified name and attaches
it to the specified keyring. The ID of the new keyring will be printed
to stdout if successful.

testbox>keyctl newring squelch @us
27

(*) Revoke a key

keyctl revoke

This command marks a key as being revoked. Any further operations on
that key (apart from unlinking it) will return error “Key has been
revoked”.

testbox>keyctl revoke 26
testbox>keyctl describe 26
keyctl_describe: Key has been revoked

(*) Clear a keyring

keyctl clear

This command unlinks all the keys attached to the specified keyring.
Error “Not a directory” will be returned if the key specified is not a
keyring.

testbox>keyctl clear 27

(*) Link a key to a keyring

keyctl link

This command makes a link from the key to the keyring if there’s enough
capacity to do so. Error “Not a directory” will be returned if the des‐
tination is not a keyring. Error “Permission denied” will be returned
if the key doesn’t have link permission or the keyring doesn’t have
write permission. Error “File table overflow” will be returned if the
keyring is full. Error “Resource deadlock avoided” will be returned if
an attempt was made to introduce a recursive link.

testbox>keyctl link 23 27
testbox>keyctl link 27 27
keyctl_link: Resource deadlock avoided

(*) Unlink a key from a keyring or the session keyring tree

keyctl unlink []

If the keyring is specified, this command removes a link to the key
from the keyring. Error “Not a directory” will be returned if the des‐
tination is not a keyring. Error “Permission denied” will be returned
if the keyring doesn’t have write permission. Error “No such file or
directory” will be returned if the key is not linked to by the keyring.

If the keyring is not specified, this command performs a depth-first
search of the session keyring tree and removes all the links to the
nominated key that it finds (and that it is permitted to remove). It
prints the number of successful unlinks before exiting.

testbox>keyctl unlink 23 27

(*) Search a keyring

keyctl search []

This command non-recursively searches a keyring for a key of a particu‐
lar type and description. If found, the ID of the key will be printed
on stdout and the key will be attached to the destination keyring if
present. Error “Requested key not available” will be returned if the
key is not found.

testbox>keyctl search @us user debug:hello
23
testbox>keyctl search @us user debug:bye
keyctl_search: Requested key not available

(*) Read a key

keyctl read
keyctl pipe
keyctl print

These commands read the payload of a key. “read” prints it on stdout as
a hex dump, “pipe” dumps the raw data to stdout and “print” dumps it to
stdout directly if it’s entirely printable or as a hexdump preceded by
“:hex:” if not.

If the key type does not support reading of the payload, then error
“Operation not supported” will be returned.

testbox>keyctl read 26
1 bytes of data in key:
62
testbox>keyctl print 26
b
testbox>keyctl pipe 26
btestbox>

(*) List a keyring

keyctl list
keyctl rlist

These commands list the contents of a key as a keyring. “list” pretty
prints the contents and “rlist” just produces a space-separated list of
key IDs.

No attempt is made to check that the specified keyring is a keyring.

testbox>keyctl list @us
2 keys in keyring:
22: vrwsl———- 4043 -1 keyring: _uid.4043
23: vrwsl———- 4043 4043 user: debug:hello
testbox>keyctl rlist @us
22 23

(*) Describe a key

keyctl describe
keyctl rdescribe [sep]

These commands fetch a description of a keyring. “describe” pretty
prints the description in the same fashion as the “list” command; “rde‐
scribe” prints the raw data returned from the kernel.

testbox>keyctl describe @us
-5: vrwsl———- 4043 -1 keyring: _uid_ses.4043
testbox>keyctl rdescribe @us
keyring;4043;-1;3f1f0000;_uid_ses.4043

The raw string is “;;;;“, where uid
and gid are the decimal user and group IDs, perms is the permissions
mask in hex, type and description are the type name and description
strings (neither of which will contain semicolons).

(*) Change the access controls on a key

keyctl chown
keyctl chgrp

These two commands change the UID and GID associated with evaluating a
key’s permissions mask. The UID also governs which quota a key is taken
out of.

The chown command is not currently supported; attempting it will earn
the error “Operation not supported” at best.

For non-superuser users, the GID may only be set to the process’s GID
or a GID in the process’s groups list. The superuser may set any GID it
likes.

testbox>sudo keyctl chown 27 0
keyctl_chown: Operation not supported
testbox>sudo keyctl chgrp 27 0

(*) Set the permissions mask on a key

keyctl setperm

This command changes the permission control mask on a key. The mask may
be specified as a hex number if it begins “0x”, an octal number if it
begins “0” or a decimal number otherwise.

The hex numbers are a combination of:

Possessor UID GID Other Permission Granted
======== ======== ======== ======== ==================
01000000 00010000 00000100 00000001 View
02000000 00020000 00000200 00000002 Read
04000000 00040000 00000400 00000004 Write
08000000 00080000 00000800 00000008 Search
10000000 00100000 00001000 00000010 Link
20000000 00200000 00002000 00000020 Set Attribute
3f000000 003f0000 00003f00 0000003f All

View permits the type, description and other parameters of a key to be
viewed.

Read permits the payload (or keyring list) to be read if supported by
the type.

Write permits the payload (or keyring list) to be modified or updated.

Search on a key permits it to be found when a keyring to which it is
linked is searched.

Link permits a key to be linked to a keyring.

Set Attribute permits a key to have its owner, group membership, per‐
missions mask and timeout changed.

testbox>keyctl setperm 27 0x1f1f1f00

(*) Start a new session with fresh keyrings

keyctl session
keyctl session – [ …] keyctl session [ …]

These commands join or create a new keyring and then run a shell or
other program with that keyring as the session key.

The variation with no arguments just creates an anonymous session
keyring and attaches that as the session keyring; it then exec’s
$SHELL.

The variation with a dash in place of a name creates an anonymous ses‐
sion keyring and attaches that as the session keyring; it then exec’s
the supplied command, or $SHELL if one isn’t supplied.

The variation with a name supplied creates or joins the named keyring
and attaches that as the session keyring; it then exec’s the supplied
command, or $SHELL if one isn’t supplied.

testbox>keyctl rdescribe @s
keyring;4043;-1;3f1f0000;_uid_ses.4043

testbox>keyctl session
Joined session keyring: 28
testbox>keyctl rdescribe @s
keyring;4043;4043;3f1f0000;_ses.24082

testbox>keyctl session –
Joined session keyring: 29
testbox>keyctl rdescribe @s
keyring;4043;4043;3f1f0000;_ses.24139

testbox>keyctl session – keyctl rdescribe @s
Joined session keyring: 30
keyring;4043;4043;3f1f0000;_ses.24185

testbox>keyctl session fish
Joined session keyring: 34
testbox>keyctl rdescribe @s
keyring;4043;4043;3f1f0000;fish

testbox>keyctl session fish keyctl rdesc @s
Joined session keyring: 35
keyring;4043;4043;3f1f0000;fish

(*) Instantiate a key

keyctl instantiate
keyctl pinstantiate
keyctl negate
keyctl reject

These commands are used to attach data to a partially set up key (as
created by the kernel and passed to /sbin/request-key). “instantiate”
marks a key as being valid and attaches the data as the payload.
“negate” and “reject” mark a key as invalid and sets a timeout on it so
that it’ll go away after a while. This prevents a lot of quickly
sequential requests from slowing the system down overmuch when they all
fail, as all subsequent requests will then fail with error “Requested
key not found” (if negated) or the specified error (if rejected) until
the negative key has expired.

Reject’s error argument can either be a UNIX error number or one of
‘rejected’, ‘expired’ or ‘revoked’.

The newly instantiated key will be attached to the specified keyring.

These commands may only be run from the program run by request-key – a
special authorisation key is set up by the kernel and attached to the
request-key’s session keyring. This special key is revoked once the key
to which it refers has been instantiated one way or another.

testbox>keyctl instantiate $1 “Debug $3” $4
testbox>keyctl negate $1 30 $4
testbox>keyctl reject $1 30 64 $4

The pinstantiate variant of the command reads the data from stdin
rather than taking it from the command line:

testbox>echo -n “Debug $3” | keyctl pinstantiate $1 $4

(*) Set the expiry time on a key

keyctl timeout

This command is used to set the timeout on a key, or clear an existing
timeout if the value specified is zero. The timeout is given as a num‐
ber of seconds into the future.

testbox>keyctl timeout $1 45

(*) Retrieve a key’s security context

keyctl security

This command is used to retrieve a key’s LSM security context. The
label is printed on stdout.

testbox>keyctl security @s
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

(*) Give the parent process a new session keyring

keyctl new_session

This command is used to give the invoking process (typically a shell) a
new session keyring, discarding its old session keyring.

testbox> keyctl session foo
Joined session keyring: 723488146
testbox> keyctl show
Session Keyring
-3 –alswrv 0 0 keyring: foo
testbox> keyctl new_session
490511412
testbox> keyctl show
Session Keyring
-3 –alswrv 0 0 keyring: _ses

Note that this affects the parent of the process that invokes the sys‐
tem call, and so may only affect processes with matching credentials.
Furthermore, the change does not take effect till the parent process
next transitions from kernel space to user space – typically when the
wait() system call returns.

(*) Remove dead keys from the session keyring tree

keyctl reap

This command performs a depth-first search of the caller’s session
keyring tree and attempts to unlink any key that it finds that is inac‐
cessible due to expiry, revocation, rejection or negation. It does not
attempt to remove live keys that are unavailable simply due to a lack
of granted permission.

A key that is designated reapable will only be removed from a keyring
if the caller has Write permission on that keyring, and only keyrings
that grant Search permission to the caller will be searched.

The command prints the number of keys reaped before it exits. If the
-v flag is passed then the reaped keys are listed as they’re being
reaped, together with the success or failure of the unlink.

(*) Remove matching keys from the session keyring tree

keyctl purge
keyctl purge [-i] [-p]
keyctl purge -s

These commands perform a depth-first search to find matching keys in
the caller’s session keyring tree and attempts to unlink them. The
number of keys successfully unlinked is printed at the end.

The keyrings must grant Read and View permission to the caller to be
searched, and the keys to be removed must also grant View permission.
Keys can only be removed from keyrings that grant Write permission.

The first variant purges all keys of the specified type.

The second variant purges all keys of the specified type that also
match the given description literally. The -i flag allows a case-inde‐
pendent match and the -p flag allows a prefix match.

The third variant purges all keys of the specified type and matching
description using the key type’s comparator in the kernel to match the
description. This permits the key type to match a key with a variety
of descriptions.

(*) Get persistent keyring

keyctl get_persistent []

This command gets the persistent keyring for either the current UID or
the specified UID and attaches it to the nominated keyring. The per‐
sistent keyring’s ID will be printed on stdout.

The kernel will create the keyring if it doesn’t exist and every time
this command is called, will reset the expiration timeout on the
keyring to the value in:

/proc/sys/kernel/keys/persistent_keyring_expiry

(by default three days). Should the timeout be reached, the persistent
keyring will be removed and everything it pins can then be garbage col‐
lected.

If a UID other than the process’s real or effective UIDs is specified,
then an error will be given if the process does not have the CAP_SETUID
capability.

ERRORS
There are a number of common errors returned by this program:

“Not a directory” – a key wasn’t a keyring.

“Requested key not found” – the looked for key isn’t available.

“Key has been revoked” – a revoked key was accessed.

“Key has expired” – an expired key was accessed.

“Permission denied” – permission was denied by a UID/GID/mask combina‐
tion.

SEE ALSO

keyctl, request-key.conf(5)

Linux 20 Feb 2014 KEYCTL(1)

Ils en parlent aussi

VBox & VMware in SecureBoot Linux – Homo programaticus