KEYCTL_SETPERM


Changes the permissions mask on a key.

Arguments

ecx Key serial number. It may be one of the following special values:

KEY_SPEC_THREAD_KEYRING Caller's thread-specific keyring.
KEY_SPEC_PROCESS_KEYRING Caller's process-specific keyring.
KEY_SPEC_SESSION_KEYRING Caller's session-specific keyring.
KEY_SPEC_USER_KEYRING Caller's UID-specific keyring.
KEY_SPEC_USER_SESSION_KEYRING Caller's UID-session keyring.
KEY_SPEC_GROUP_KEYRING Caller's GID-specific keyring.
KEY_SPEC_REQKEY_AUTH_KEY This specifies the authorization key created by request_key() and passed to the process it spawns to generate a key. If a valid keyring ID is passed in, then this will simply be returned if the key exists; an error will be issued if it doesn't exist.
edx Permission mask. It is a result of a bitwise-or operation of the following flags:

KEY_xxx_VIEW Grant permission to view the attributes of a key.
KEY_xxx_READ Grant permission to read the payload of a key or to list a keyring.
KEY_xxx_WRITE Grant permission to modify the payload of a key or to add or remove links to/from a keyring.
KEY_xxx_SEARCH Grant permission to find a key or to search a keyring.
KEY_xxx_LINK Grant permission to make links to a key.
KEY_xxx_SETATTR Grant permission to change the ownership and permissions attributes of a key.
KEY_xxx_ALL Grant all the above.

'xxx' should be replaced by one of the following, specifying to whom the permission is granted:

POS Grant the permission to a process that possesses the key (has it attached searchably to one of the process's keyrings).
USR Grant the permission to a process with the same UID as the key.
GRP Grant the permission to a process with the same GID as the key, or with a match for the key's GID amongst that process's Groups list.
OTH Grant the permission to any other process.

Examples include: KEY_POS_VIEW, KEY_USR_READ, KEY_GRP_SEARCH and KEY_OTH_ALL.

User, group and other grants are exclusive: if a process qualifies in the 'user' category, it will not qualify in the 'groups' category; and if a process qualifies in either 'user' or 'groups' then it will not qualify in the 'other' category. Possessor grants are cumulative with the grants from the 'user', 'groups' and 'other' categories.

Return values

If the system call succeeds the return value is 0.
If the system call fails the return value is one of the following errno values:

-ENOKEY No matching key was found.
-EKEYEXPIRED The specified key has expired.
-EKEYREVOKED The specified key has been revoked.
-EACCES The named key exists, but does not grant SETATTR permission to the calling process.

Remarks

A process that does not have the SysAdmin capability may not change the permissions mask on a key that doesn't have the same UID as the caller. The caller must have SETATTR permission on a key to be able to change its permissions mask.
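The following added example (not part of the original reference) models how a permission mask is evaluated under the exclusive user/group/other rule with cumulative possessor grants, which is useful when reviewing a mask before passing it in edx. The numeric flag values are those of the userspace keyutils.h header; the P_* names, both helper functions and the sample mask are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Mask layout (values as in keyutils.h): one byte per category,
 * possessor in bits 24-29, user 16-21, group 8-13, other 0-5. */
#define KEY_POS_ALL     0x3f000000u
#define KEY_USR_VIEW    0x00010000u
#define KEY_USR_READ    0x00020000u
#define KEY_USR_SETATTR 0x00200000u
#define KEY_GRP_VIEW    0x00000100u
#define KEY_OTH_ALL     0x0000003fu

/* Hypothetical local names for the six flags once a category byte is shifted down. */
enum { P_VIEW = 0x01, P_READ = 0x02, P_WRITE = 0x04,
       P_SEARCH = 0x08, P_LINK = 0x10, P_SETATTR = 0x20, P_ALL = 0x3f };

/* Effective flags for a caller: exactly one of user/group/other applies
 * (checked in that order), then the possessor byte is OR-ed on top. */
static unsigned effective_perm(uint32_t mask, int possesses, int uid_match, int gid_match)
{
    unsigned p;
    if (uid_match)      p = mask >> 16;
    else if (gid_match) p = mask >> 8;
    else                p = mask;
    if (possesses)      p |= mask >> 24;
    return p & P_ALL;
}

/* Audit helper: nonzero if the mask grants anything to unrelated processes. */
static unsigned other_grants(uint32_t mask) { return mask & KEY_OTH_ALL; }

int main(void)
{
    /* Constructed sample mask: possessor all; user view, read, setattr; group view. */
    uint32_t mask = KEY_POS_ALL | KEY_USR_VIEW | KEY_USR_READ | KEY_USR_SETATTR | KEY_GRP_VIEW;

    printf("mask                     = 0x%08x\n", (unsigned)mask);
    printf("same UID, not possessor  = 0x%02x\n", effective_perm(mask, 0, 1, 1));
    printf("group only               = 0x%02x\n", effective_perm(mask, 0, 0, 1));
    printf("unrelated process        = 0x%02x\n", effective_perm(mask, 0, 0, 0));
    printf("unrelated but possessor  = 0x%02x\n", effective_perm(mask, 1, 0, 0));
    printf("grants to 'other'        = 0x%02x\n", other_grants(mask));
    /* A caller lacking P_SETATTR here is the case that yields -EACCES. */
    printf("group caller may setperm = %s\n",
           (effective_perm(mask, 0, 0, 1) & P_SETATTR) ? "yes" : "no");
    return 0;
}
```

Note that a process matching the key's UID gets only the user byte even when it is also in the key's group, so a group grant never widens the owner's access.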