keyctl_setperm (3) - Linux Manuals
keyctl_setperm - Change the permissions mask on a key
#include <keyutils.h>
long keyctl_setperm(key_serial_t key, key_perm_t perm);
DESCRIPTION
keyctl_setperm() changes the permissions mask on a key.
A process that does not have the SysAdmin capability may not change the permissions mask on a key that doesn't have the same UID as the caller.
The caller must have setattr permission on a key to be able to change its permissions mask.
The permissions mask is a bitwise-OR of the following flags:
- Grant permission to view the attributes of a key.
- Grant permission to read the payload of a key or to list a keyring.
- Grant permission to modify the payload of a key or to add or remove links to/from a keyring.
- Grant permission to find a key or to search a keyring.
- Grant permission to make links to a key.
- Grant permission to change the ownership and permissions attributes of a key.
- Grant all the above.
The 'xxx' in the above should be replaced by one of:
- Grant the permission to a process that possesses the key (has it attached searchably to one of the process's keyrings).
- Grant the permission to a process with the same UID as the key.
- Grant the permission to a process with the same GID as the key, or with a match for the key's GID amongst that process's Groups list.
- Grant the permission to any other process.
Examples include: KEY_POS_VIEW, KEY_USR_READ, KEY_GRP_SEARCH and KEY_OTH_ALL.
User, group and other grants are exclusive: if a process qualifies in the 'user' category, it will not qualify in the 'groups' category; and if a process qualifies in either 'user' or 'groups' then it will not qualify in the 'other' category.
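An added example (not part of this manual page or of keyutils) that models how one mask resolves for different callers under the exclusivity rule stated above. The P_* names, the shift macros, EXAMPLE_MASK and effective_perm() are hypothetical; it assumes the bit layout of <keyutils.h> and that possessor grants are OR'd onto the matching category, which this page does not state.

```c
#include <stdint.h>
#include <stdio.h>

/* Per-category bits (hypothetical names). Shifted by 24/16/8/0 they give
 * the KEY_POS_*, KEY_USR_*, KEY_GRP_* and KEY_OTH_* values of <keyutils.h>. */
enum { P_VIEW = 0x01, P_READ = 0x02, P_WRITE = 0x04, P_SEARCH = 0x08,
       P_LINK = 0x10, P_SETATTR = 0x20, P_ALL = 0x3f };
#define POS(p) ((uint32_t)(p) << 24)
#define USR(p) ((uint32_t)(p) << 16)
#define GRP(p) ((uint32_t)(p) << 8)
#define OTH(p) ((uint32_t)(p))

/* Constructed mask: possessor gets everything, owner may view and change
 * attributes, group may view, everyone else may view and read. */
#define EXAMPLE_MASK (POS(P_ALL) | USR(P_VIEW | P_SETATTR) | \
                      GRP(P_VIEW) | OTH(P_VIEW | P_READ))

/* Return the P_* bits that `mask` grants to a caller described by three
 * flags: possesses the key, same UID as the key, GID or groups-list match. */
uint32_t effective_perm(uint32_t mask, int possesses, int uid_match, int gid_match)
{
    uint32_t granted;

    /* user, group and other are exclusive: only the first match is used */
    if (uid_match)
        granted = mask >> 16;
    else if (gid_match)
        granted = mask >> 8;
    else
        granted = mask;

    /* Assumption (not stated on this page): possessor bits are OR'd in. */
    if (possesses)
        granted |= mask >> 24;

    return granted & P_ALL;
}

int main(void)
{
    printf("owner, not possessing: 0x%02x\n", (unsigned)effective_perm(EXAMPLE_MASK, 0, 1, 0));
    printf("owner, possessing:     0x%02x\n", (unsigned)effective_perm(EXAMPLE_MASK, 1, 1, 0));
    printf("group member:          0x%02x\n", (unsigned)effective_perm(EXAMPLE_MASK, 0, 0, 1));
    printf("any other process:     0x%02x\n", (unsigned)effective_perm(EXAMPLE_MASK, 0, 0, 0));
    return 0;
}
```

With this mask an unrelated process can read the payload while the owning UID cannot unless it also possesses the key, so the 'other' bits deserve their own review when a mask is tightened.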
RETURN VALUE
On success keyctl_setperm() returns 0. On error, the value -1 will be returned and errno will have been set to an appropriate error.
- The specified key does not exist.
- The specified key has expired.
- The specified key has been revoked.
- The named key exists, but does not grant setattr permission to the calling process.