KEYCTL_RESTRICT_KEYRING(2const)

NAME
       KEYCTL_RESTRICT_KEYRING - restrict keys that may be linked to a keyring

LIBRARY
       Standard C library (libc, -lc)

SYNOPSIS
       #include <linux/keyctl.h>  /* Definition of KEY* constants */
       #include <sys/syscall.h>   /* Definition of SYS_* constants */
       #include <unistd.h>

       long syscall(SYS_keyctl, KEYCTL_RESTRICT_KEYRING, key_serial_t keyring,
                    const char *_Nullable type, const char *restriction);

DESCRIPTION
       Apply a key-linking restriction to the keyring with the ID provided in
       keyring. The caller must have setattr permission on the key. If type
       is NULL, any attempt to add a key to the keyring is blocked; otherwise
       it contains a pointer to a string with a key type name and restriction
       contains a pointer to a string that describes the type-specific
       restriction. As of Linux 4.12, only the type "asymmetric" has
       restrictions defined:

       builtin_trusted
              Allows only keys that are signed by a key linked to the
              built-in keyring (".builtin_trusted_keys").

       builtin_and_secondary_trusted
              Allows only keys that are signed by a key linked to the
              secondary keyring (".secondary_trusted_keys") or, by extension,
              a key in a built-in keyring, as the latter is linked to the
              former.

       key_or_keyring:key
       key_or_keyring:key:chain
              If key specifies the ID of a key of type "asymmetric", then
              only keys that are signed by this key are allowed.

              If key specifies the ID of a keyring, then only keys that are
              signed by a key linked to this keyring are allowed.

              If ":chain" is specified, keys that are signed by keys linked
              to the destination keyring (that is, the keyring with the ID
              specified in the keyring argument) are also allowed.

       Note that a restriction can be configured only once for the specified
       keyring; once a restriction is set, it can't be overridden.

RETURN VALUE
       On success, 0 is returned. On error, -1 is returned, and errno is set
       to indicate the error.

ERRORS
       EDEADLK
              The requested keyring restriction would result in a cycle.

       EEXIST keyring already has a restriction set.

       ENOENT The type provided in the type argument doesn't support setting
              key linking restrictions.

       EOPNOTSUPP
              type was "asymmetric", and the key specified in the restriction
              specification provided in restriction has a type other than
              "asymmetric" or "keyring".

VERSIONS
       A wrapper is provided in the libkeyutils library:
       keyctl_restrict_keyring(3).

STANDARDS
       Linux.

HISTORY
       Linux 4.12.
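
EXAMPLES
       The program below is an added example and is not part of the
       man-pages project. It creates a scratch keyring with add_key(2),
       locks it by passing NULL as type, and then checks the two behaviors
       described above: adding a key is refused, and a second restriction
       fails with EEXIST. The names restrict_keyring, demo_lockdown,
       "locked-demo" and "probe" are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/keyctl.h>   /* KEYCTL_* and KEY_SPEC_* constants */
#include <sys/syscall.h>    /* SYS_* constants */
#include <unistd.h>

typedef int32_t key_serial_t;   /* normally from <keyutils.h>; local so libkeyutils is not needed */

/* Hypothetical wrapper over the raw syscall: 0 on success, -errno on error. */
long restrict_keyring(key_serial_t keyring, const char *type,
                      const char *restriction)
{
    long r = syscall(SYS_keyctl, (long)KEYCTL_RESTRICT_KEYRING, (long)keyring,
                     type, restriction);
    return r == -1 ? -errno : 0;
}

/* Returns 0 if the kernel behaved as DESCRIPTION and ERRORS state,
   1 if keyrings or this operation are unavailable here, -1 on a mismatch. */
int demo_lockdown(void)
{
    /* Constructed sample: an empty keyring named "locked-demo", linked to the
       process keyring so that it goes away when the process exits. */
    long kr = syscall(SYS_add_key, "keyring", "locked-demo", NULL, (size_t)0,
                      (long)KEY_SPEC_PROCESS_KEYRING);
    if (kr == -1)
        return 1;
    if (restrict_keyring((key_serial_t)kr, NULL, NULL) != 0)
        return 1;                       /* e.g. kernel older than Linux 4.12 */

    /* type == NULL: any later attempt to add a key must be blocked. */
    if (syscall(SYS_add_key, "user", "probe", "x", (size_t)1, kr) != -1)
        return -1;
    printf("add_key on locked keyring failed: %s\n", strerror(errno));

    /* A restriction can be set only once: a second call must give EEXIST. */
    long again = restrict_keyring((key_serial_t)kr, NULL, NULL);
    printf("second restriction: %s\n", again ? strerror((int)-again) : "accepted");
    return again == -EEXIST ? 0 : -1;
}

int main(void)
{
    int r = demo_lockdown();
    puts(r == 0 ? "matches the man page" : r == 1 ? "keyrings unavailable" : "mismatch");
    return r < 0;
}
```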

SEE ALSO
       keyctl(2), keyctl_restrict_keyring(3)

COLOPHON
       This page is part of the man-pages (Linux kernel and C library
       user-space interface documentation) project. Information about the
       project can be found at ⟨https://www.kernel.org/doc/man-pages/⟩. If
       you have a bug report for this manual page, see
       ⟨https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/CONTRIBUTING⟩.
       This page was obtained from the tarball man-pages-6.15.tar.gz fetched
       from ⟨https://mirrors.edge.kernel.org/pub/linux/docs/man-pages/⟩ on
       2025-08-11. If you discover any rendering problems in this HTML
       version of the page, or you believe there is a better or more
       up-to-date source for the page, or you have corrections or
       improvements to the information in this COLOPHON (which is not part
       of the original manual page), send a mail to man-pages@man7.org

Linux man-pages 6.15            2025-05-17      KEYCTL_RESTRICT_KEYRING(2const)

HTML rendering created 2025-09-06 by Michael Kerrisk, author of The Linux Programming Interface.