authorAlejandro Colomar <alx@kernel.org>2024-08-18 01:31:55 +0200
committerAlejandro Colomar <alx@kernel.org>2024-08-21 23:51:14 +0200
commit77ea20c766e5df6b64a79fd6a910aaf7cafe6b18 (patch)
tree063b52af43b4c714dc947a47e4605da67d49aae5
parent73dd217803e8c0fdcd3eacf3451c4eb83af47dd3 (diff)
keyctl.2, KEYCTL_RESTRICT_KEYRING.2const: Split KEYCTL_RESTRICT_KEYRING from keyctl(2)
Signed-off-by: Alejandro Colomar <alx@kernel.org>
-rw-r--r--man/man2/keyctl.292
-rw-r--r--man/man2const/KEYCTL_RESTRICT_KEYRING.2const139
2 files changed, 140 insertions, 91 deletions
diff --git a/man/man2/keyctl.2 b/man/man2/keyctl.2
index 804501a058..b73568485d 100644
--- a/man/man2/keyctl.2
+++ b/man/man2/keyctl.2
@@ -89,65 +89,8 @@ are:
.BR KEYCTL_GET_PERSISTENT (2const)
.TQ
.BR KEYCTL_DH_COMPUTE (2const)
-.TP
-.BR KEYCTL_RESTRICT_KEYRING " (since Linux 4.12)"
-.\" commit 6563c91fd645556c7801748f15bc727c77fcd311
-.\" commit 7228b66aaf723a623e578aa4db7d083bb39546c9
-Apply a key-linking restriction to the keyring with the ID provided in
-.I arg2
-(cast to
-.IR key_serial_t ).
-The caller must have
-.I setattr
-permission on the key.
-If
-.I arg3
-is NULL, any attempt to add a key to the keyring is blocked;
-otherwise it contains a pointer to a string with a key type name and
-.I arg4
-contains a pointer to string that describes the type-specific restriction.
-As of Linux 4.12, only the type "asymmetric" has restrictions defined:
-.RS
-.TP
-.B builtin_trusted
-Allows only keys that are signed by a key linked to the built-in keyring
-(".builtin_trusted_keys").
-.TP
-.B builtin_and_secondary_trusted
-Allows only keys that are signed by a key linked to the secondary keyring
-(".secondary_trusted_keys") or, by extension, a key in a built-in keyring,
-as the latter is linked to the former.
-.TP
-.BI key_or_keyring: key
.TQ
-.BI key_or_keyring: key :chain
-If
-.I key
-specifies the ID of a key of type "asymmetric",
-then only keys that are signed by this key are allowed.
-.IP
-If
-.I key
-specifies the ID of a keyring,
-then only keys that are signed by a key linked
-to this keyring are allowed.
-.IP
-If ":chain" is specified, keys that are signed by a keys linked to the
-destination keyring (that is, the keyring with the ID specified in the
-.I arg2
-argument) are also allowed.
-.RE
-.IP
-Note that a restriction can be configured only once for the specified keyring;
-once a restriction is set, it can't be overridden.
-.IP
-The argument
-.I arg5
-is ignored.
-.\" FIXME Document KEYCTL_RESTRICT_KEYRING, added in Linux 4.12
-.\" commit 6563c91fd645556c7801748f15bc727c77fcd311
-.\" Author: Mat Martineau <mathew.j.martineau@linux.intel.com>
-.\" See Documentation/security/keys.txt
+.BR KEYCTL_RESTRICT_KEYRING (2const)
.SH RETURN VALUE
For a successful call, the return value depends on the operation.
.P
@@ -159,24 +102,10 @@ is set to indicate the error.
.B EACCES
The requested operation wasn't permitted.
.TP
-.B EDEADLK
-.I operation
-was
-.B KEYCTL_RESTRICT_KEYRING
-and the requested keyring restriction would result in a cycle.
-.TP
.B EDQUOT
The key quota for the caller's user would be exceeded by creating a key or
linking it to the keyring.
.TP
-.B EEXIST
-.I operation
-was
-.B KEYCTL_RESTRICT_KEYRING
-and keyring provided in
-.I arg2
-argument already has a restriction set.
-.TP
.B EINVAL
size of the string (including the terminating null byte) specified in
.I arg3
@@ -195,14 +124,6 @@ A rejected key was found or specified.
.B EKEYREVOKED
A revoked key was found or specified.
.TP
-.B ENOENT
-.I operation
-was
-.B KEYCTL_RESTRICT_KEYRING
-and the type provided in
-.I arg3
-argument doesn't support setting key linking restrictions.
-.TP
.B ENOKEY
No matching key was found or an invalid key was specified.
.TP
@@ -213,17 +134,6 @@ syscall.
.B ENOTDIR
A key of keyring type was expected but the ID of a key with
a different type was provided.
-.TP
-.B EOPNOTSUPP
-.I operation
-was
-.BR KEYCTL_RESTRICT_KEYRING ,
-the type provided in
-.I arg3
-argument was "asymmetric",
-and the key specified in the restriction specification provided in
-.I arg4
-has type other than "asymmetric" or "keyring".
.SH VERSIONS
A wrapper is provided in the
.I libkeyutils
diff --git a/man/man2const/KEYCTL_RESTRICT_KEYRING.2const b/man/man2const/KEYCTL_RESTRICT_KEYRING.2const
new file mode 100644
index 0000000000..9d2f9b0a46
--- /dev/null
+++ b/man/man2const/KEYCTL_RESTRICT_KEYRING.2const
@@ -0,0 +1,139 @@
+.\" Copyright 2016, Michael Kerrisk <mtk.manpages@gmail.com>
+.\" Copyright 2016, Eugene Syromyatnikov <evgsyr@gmail.com>
+.\" A very few fragments remain from an earlier version of this page
+.\" written by David Howells (dhowells@redhat.com)
+.\" Copyright 2024, Alejandro Colomar <alx@kernel.org>
+.\"
+.\" SPDX-License-Identifier: Linux-man-pages-copyleft
+.\"
+.TH KEYCTL_RESTRICT_KEYRING 2const (date) "Linux man-pages (unreleased)"
+.SH NAME
+KEYCTL_RESTRICT_KEYRING
+\-
+restrict keys that may be linked to a keyring
+.SH LIBRARY
+Standard C library
+.RI ( libc ,\~ \-lc )
+.SH SYNOPSIS
+.nf
+.BR "#include <linux/keyctl.h>" " /* Definition of " KEY* " constants */"
+.BR "#include <sys/syscall.h>" " /* Definition of " SYS_* " constants */"
+.B #include <unistd.h>
+.P
+.BI "long syscall(SYS_keyctl, KEYCTL_RESTRICT_KEYRING, unsigned long " arg2 ,
+.BI " unsigned long " arg3 ", unsigned long " arg4 ,
+.BI " unsigned long " arg5 );
+.fi
+.SH DESCRIPTION
+.TP
+.BR KEYCTL_RESTRICT_KEYRING " (since Linux 4.12)"
+Apply a key-linking restriction to the keyring with the ID provided in
+.I arg2
+(cast to
+.IR key_serial_t ).
+The caller must have
+.I setattr
+permission on the key.
+If
+.I arg3
+is NULL, any attempt to add a key to the keyring is blocked;
+otherwise it contains a pointer to a string with a key type name and
+.I arg4
+contains a pointer to string that describes the type-specific restriction.
+As of Linux 4.12, only the type "asymmetric" has restrictions defined:
+.RS
+.TP
+.B builtin_trusted
+Allows only keys that are signed by a key linked to the built-in keyring
+(".builtin_trusted_keys").
+.TP
+.B builtin_and_secondary_trusted
+Allows only keys that are signed by a key linked to the secondary keyring
+(".secondary_trusted_keys") or, by extension, a key in a built-in keyring,
+as the latter is linked to the former.
+.TP
+.BI key_or_keyring: key
+.TQ
+.BI key_or_keyring: key :chain
+If
+.I key
+specifies the ID of a key of type "asymmetric",
+then only keys that are signed by this key are allowed.
+.IP
+If
+.I key
+specifies the ID of a keyring,
+then only keys that are signed by a key linked
+to this keyring are allowed.
+.IP
+If ":chain" is specified, keys that are signed by a keys linked to the
+destination keyring (that is, the keyring with the ID specified in the
+.I arg2
+argument) are also allowed.
+.RE
+.IP
+Note that a restriction can be configured only once for the specified keyring;
+once a restriction is set, it can't be overridden.
+.IP
+The argument
+.I arg5
+is ignored.
+.\" FIXME Document KEYCTL_RESTRICT_KEYRING, added in Linux 4.12
+.\" commit 6563c91fd645556c7801748f15bc727c77fcd311
+.\" Author: Mat Martineau <mathew.j.martineau@linux.intel.com>
+.\" See Documentation/security/keys.txt
+.SH RETURN VALUE
+On success,
+0 is returned.
+.P
+On error, \-1 is returned, and
+.I errno
+is set to indicate the error.
+.SH ERRORS
+.TP
+.B EDEADLK
+.I operation
+was
+.B KEYCTL_RESTRICT_KEYRING
+and the requested keyring restriction would result in a cycle.
+.TP
+.B EEXIST
+.I operation
+was
+.B KEYCTL_RESTRICT_KEYRING
+and keyring provided in
+.I arg2
+argument already has a restriction set.
+.TP
+.B ENOENT
+.I operation
+was
+.B KEYCTL_RESTRICT_KEYRING
+and the type provided in
+.I arg3
+argument doesn't support setting key linking restrictions.
+.TP
+.B EOPNOTSUPP
+.I operation
+was
+.BR KEYCTL_RESTRICT_KEYRING ,
+the type provided in
+.I arg3
+argument was "asymmetric",
+and the key specified in the restriction specification provided in
+.I arg4
+has type other than "asymmetric" or "keyring".
+.SH VERSIONS
+A wrapper is provided in the
+.I libkeyutils
+library:
+.BR keyctl_restrict_keyring (3).
+.SH STANDARDS
+Linux.
+.SH HISTORY
+Linux 4.12.
+.\" commit 6563c91fd645556c7801748f15bc727c77fcd311
+.\" commit 7228b66aaf723a623e578aa4db7d083bb39546c9
+.SH SEE ALSO
+.BR keyctl (2),
+.BR keyctl_restrict_keyring (3)
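Review bot: The four ERRORS entries in the new page still open with `.I operation` / `was` / `.B KEYCTL_RESTRICT_KEYRING`, a prefix that disambiguated them in keyctl(2)'s shared error list but is redundant on a page devoted to this single operation; each should be reduced to the condition itself, e.g. `The requested keyring restriction would result in a cycle.` for EDEADLK. The comment `.\" FIXME Document KEYCTL_RESTRICT_KEYRING, added in Linux 4.12` carried over into DESCRIPTION describes exactly the work this page now does and should be dropped (the two commit references are already recorded under HISTORY). The phrase `signed by a keys linked to the destination keyring` in the ":chain" paragraph should read `signed by a key linked to`. Since the page states that a restriction can be set only once and never overridden, it would help practitioners to spell out the consequence next to that note — passing a NULL arg3 permanently blocks all further linking to that keyring for its lifetime — but that wording should be checked against the kernel's keys documentation before it is added.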