xref: /linux/Documentation/security/keys/request-key.rst

46 does not need to link the key to a keyring to prevent it from being immediately
48 it's up to the caller to destroy the key.
50 The request_key_tag() call is like the in-kernel request_key(), except that it
59 The request_key_rcu() call is like the request_key_tag() call, except that it
82      a suitable key there.  If there is, it returns the key.  If there isn't,
86   3) request_key() sees that A doesn't have the desired key yet, so it creates
107      This will permit it to then search the keyrings of process A with the
108      UID, GID, groups and security info of process A as if it was process A,
111   8) The program then does what it must to get the data with which to
112      instantiate key U, using key W as a reference (perhaps it contacts a
115   9) Upon instantiating key U, auth key V is automatically revoked so that it
124 context specified by auth key X will still be process A, as it was in auth key
129 of them, and (b) it requires the same UID/GID/Groups all the way through.
135 Rather than instantiating a key, it is possible for the possessor of an
138 the key while it exists to fail with error ENOKEY if negated or the specified
154   1) When the key management code searches for a key (keyring_search_rcu) it
155      firstly calls key_permission(SEARCH) on the keyring it's starting with,
156      if this denies permission, it doesn't search further.
159      matches the criteria specified, calls key_permission(SEARCH) on it to see
160      if the key is allowed to be found.  If it is, that key is returned; if
164   3) It then considers all the keyring-type keys in the keyring it's currently
166      grants permission, it recurses, executing steps (2) and (3) on that
170 use it.  Any error from a previous match attempt is discarded and the key is
176 When search_process_keyrings() is invoked, it performs the following searches

Last Index update Sat Jun 03 09:59:21 CST 2023