KEYCTL_SETPERM(2const) — Linux manual page


NAME

       KEYCTL_SETPERM - change the permissions mask on a key

LIBRARY

       Standard C library (libc, -lc)

SYNOPSIS

       #include <linux/keyctl.h>  /* Definition of KEY* constants */
       #include <sys/syscall.h>   /* Definition of SYS_* constants */
       #include <unistd.h>

       long syscall(SYS_keyctl, KEYCTL_SETPERM, key_serial_t key,
                    key_perm_t perms);

DESCRIPTION

       Change the permissions of the key with the ID provided in the key
       argument to the permissions provided in the perms argument.

       If the caller doesn't have the CAP_SYS_ADMIN capability, it can
       change permissions only for the keys it owns.  (More precisely:
       the caller's filesystem UID must match the UID of the key.)

       The key must grant setattr permission to the caller regardless of
       the caller's capabilities.

       The permissions in perms specify masks of available operations for
       each of the following user categories:

       possessor (since Linux 2.6.14)
              This is the permission granted to a process that possesses
              the key (has it attached searchably to one of the process's
              keyrings); see keyrings(7).

       user   This is the permission granted to a process whose
              filesystem UID matches the UID of the key.

       group  This is the permission granted to a process whose
              filesystem GID or any of its supplementary GIDs matches the
              GID of the key.

       other  This is the permission granted to other processes that do
              not match the user and group categories.

       The user, group, and other categories are exclusive: if a process
       matches the user category, it will not receive permissions granted
       in the group category; if a process matches the user or group
       category, then it will not receive permissions granted in the
       other category.

       The possessor category grants permissions that are cumulative with
       the grants from the user, group, or other category.

       Each permission mask is eight bits in size, with only six bits
       currently used.  The available permissions are:

       view   This permission allows reading attributes of a key.

              This permission is required for the KEYCTL_DESCRIBE(2const)
              operation.

              The permission bits for each category are:
                     KEY_POS_VIEW
                     KEY_USR_VIEW
                     KEY_GRP_VIEW
                     KEY_OTH_VIEW

       read   This permission allows reading a key's payload.

              This permission is required for the KEYCTL_READ(2const)
              operation.

              The permission bits for each category are:
                     KEY_POS_READ
                     KEY_USR_READ
                     KEY_GRP_READ
                     KEY_OTH_READ

       write  This permission allows update or instantiation of a key's
              payload.  For a keyring, it allows keys to be linked and
              unlinked from the keyring.

              This permission is required for the KEYCTL_UPDATE(2const),
              KEYCTL_REVOKE(2const), KEYCTL_CLEAR(2const),
              KEYCTL_LINK(2const), and KEYCTL_UNLINK(2const) operations.

              The permission bits for each category are:
                     KEY_POS_WRITE
                     KEY_USR_WRITE
                     KEY_GRP_WRITE
                     KEY_OTH_WRITE

       search This permission allows keyrings to be searched and keys to
              be found.  Searches can recurse only into nested keyrings
              that have search permission set.

              This permission is required for the
              KEYCTL_GET_KEYRING_ID(2const),
              KEYCTL_JOIN_SESSION_KEYRING(2const), KEYCTL_SEARCH(2const),
              and KEYCTL_INVALIDATE(2const) operations.

              The permission bits for each category are:
                     KEY_POS_SEARCH
                     KEY_USR_SEARCH
                     KEY_GRP_SEARCH
                     KEY_OTH_SEARCH

       link   This permission allows a key or keyring to be linked to.

              This permission is required for the KEYCTL_LINK(2const) and
              KEYCTL_SESSION_TO_PARENT(2const) operations.

              The permission bits for each category are:
                     KEY_POS_LINK
                     KEY_USR_LINK
                     KEY_GRP_LINK
                     KEY_OTH_LINK

       setattr (since Linux 2.6.15)
              This permission allows a key's UID, GID, and permissions
              mask to be changed.

              This permission is required for the KEYCTL_REVOKE(2const),
              KEYCTL_CHOWN(2const), and KEYCTL_SETPERM(2const)
              operations.

              The permission bits for each category are:
                     KEY_POS_SETATTR
                     KEY_USR_SETATTR
                     KEY_GRP_SETATTR
                     KEY_OTH_SETATTR

       As a convenience, the following macros are defined as masks for
       all of the permission bits in each of the user categories:
              KEY_POS_ALL
              KEY_USR_ALL
              KEY_GRP_ALL
              KEY_OTH_ALL

RETURN VALUE

       On success, 0 is returned.

       On error, -1 is returned, and errno is set to indicate the error.

ERRORS

       EINVAL operation was KEYCTL_SETPERM and an invalid permission bit
              was specified in perms.
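
The category rules from DESCRIPTION and the EINVAL case above, as an added C example that is not part of the original manual page: it computes which permissions a given caller effectively holds under a mask, then applies an owner-only mask with the raw system call. The PERM_*/SHIFT_* names, struct caller and the helper functions are assumptions of this example; the bit layout mirrors the KEY_POS_*, KEY_USR_*, KEY_GRP_* and KEY_OTH_* macros as defined in keyutils.h.

```c
#include <errno.h>
#include <linux/keyctl.h>   /* KEYCTL_SETPERM */
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>    /* SYS_keyctl */
#include <unistd.h>

/* Example-local names; values follow keyutils.h (one byte per category,
 * possessor in the top byte, so KEY_POS_VIEW == PERM_VIEW << SHIFT_POS). */
enum { PERM_VIEW = 0x01, PERM_READ = 0x02, PERM_WRITE = 0x04, PERM_SEARCH = 0x08,
       PERM_LINK = 0x10, PERM_SETATTR = 0x20, PERM_ALL = 0x3f };
enum { SHIFT_OTH = 0, SHIFT_GRP = 8, SHIFT_USR = 16, SHIFT_POS = 24 };
struct caller { int possesses, uid_match, gid_match; };  /* hypothetical helper */

static int perms_valid(uint32_t perms)
{
    return (perms & ~(uint32_t)0x3f3f3f3f) == 0;  /* PERM_ALL in all four bytes */
}

/* One of user/group/other applies (exclusive); possessor is OR-ed on top. */
static uint32_t effective_perms(uint32_t perms, struct caller c)
{
    int shift = c.uid_match ? SHIFT_USR : c.gid_match ? SHIFT_GRP : SHIFT_OTH;
    uint32_t eff = (perms >> shift) & PERM_ALL;
    if (c.possesses)
        eff |= (perms >> SHIFT_POS) & PERM_ALL;
    return eff;
}

/* Possessor: everything except link; owner: view + setattr; group/other: none. */
static uint32_t owner_only_mask(void)
{
    return ((uint32_t)(PERM_ALL & ~PERM_LINK) << SHIFT_POS) |
           ((uint32_t)(PERM_VIEW | PERM_SETATTR) << SHIFT_USR);
}

/* Raw system call as in the SYNOPSIS; returns 0, or -1 with errno set. */
static long set_key_perms(int32_t key, uint32_t perms)
{
    if (!perms_valid(perms)) { errno = EINVAL; return -1; }
    return syscall(SYS_keyctl, KEYCTL_SETPERM, key, perms);
}

int main(void)
{
    struct caller owner = { 0, 1, 0 };  /* owns the key but does not possess it */
    printf("mask 0x%08x -> non-possessing owner holds 0x%02x\n",
           owner_only_mask(), effective_perms(owner_only_mask(), owner));
    return 0;
}
```

Because the user, group and other categories are exclusive, a mask that leaves the user byte empty but sets a bit for other denies that operation to the key's owner while granting it to everyone else; effective_perms() makes that visible before the mask is applied.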

VERSIONS

       A wrapper is provided in the libkeyutils library:
       keyctl_setperm(3).

STANDARDS

       Linux.

HISTORY

       Linux 2.6.10.

SEE ALSO

       keyctl(2), keyctl_setperm(3)

COLOPHON

       This page is part of the man-pages (Linux kernel and C library
       user-space interface documentation) project.  Information about
       the project can be found at
       ⟨https://www.kernel.org/doc/man-pages/⟩.  If you have a bug report
       for this manual page, see
       ⟨https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/CONTRIBUTING⟩.
       This page was obtained from the tarball man-pages-6.15.tar.gz
       fetched from
       ⟨https://mirrors.edge.kernel.org/pub/linux/docs/man-pages/⟩ on
       2025-08-11.  If you discover any rendering problems in this HTML
       version of the page, or you believe there is a better or more
       up-to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not
       part of the original manual page), send a mail to
       man-pages@man7.org

Linux man-pages 6.15            2025-05-17            KEYCTL_SETPERM(2const)

Pages that refer to this page: keyctl(2)



HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface.
