Reputation: 5420
I'm building an application that needs to use the Linux group keyring to share some sensitive data between processes with different owners. Whenever I try to access the group keyring (e.g. "@g" or "-6") using either the keyctl command or the underlying API, I get an error.
I'm guessing I have to set some kind of state to let it know which of my groups to get the keyring for, but documentation on this kernel feature is sparse. Anybody know how to make it work for groups?
The method call (currently using Python's ctypes, which will directly call shared library functions, which works fine for all other keyrings):
>>> import ctypes
>>> keyutils = ctypes.CDLL('libkeyutils.so.1', use_errno=True)
>>> # declare the prototype: add_key(type, desc, payload, plen, keyring) returns a
>>> # 32-bit key_serial_t, and the strings must be bytes (a Python 3 str would be
>>> # passed as a wide string)
>>> keyutils.add_key.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int32]
>>> keyutils.add_key.restype = ctypes.c_int32
>>> key_id = b'foo'
>>> key_value = b'bar'
>>> keyutils.add_key(b'user', key_id, key_value, len(key_value), -5)  # -5 is @u, KEY_SPEC_USER_KEYRING
268186515
>>> keyutils.add_key(b'user', key_id, key_value, len(key_value), -6)  # -6 is @g, KEY_SPEC_GROUP_KEYRING
-1
Upvotes: 0
Views: 2119
Reputation: 26
Based on looking at the man page for keyctl, it would seem that group-based keyrings aren't implemented in the kernel yet.
(*) Group specific keyring: @g or -6
This is a place holder for a group specific keyring, but is not actually implemented yet in the kernel.
Taking a look at the most recent stable kernel source it also backs up what the man page says: http://lxr.linux.no/#linux+v3.2.9/security/keys/process_keys.c#L641
So your code is correct... but it's attempting to use functionality that isn't there yet.
Upvotes: 1
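Added example (not code from the question or the answer above): it reproduces the @g failure through libkeyutils and reads back the errno, and then shows the way the key can still be shared with processes of another user without a group keyring: create the key in the owner's @u keyring, change its group with keyctl_chown and grant the group view+read with keyctl_setperm, then hand the serial to the consumer, which reads the payload with keyctl_read. The KEY_SPEC_* ids and permission bits are taken from keyutils.h and keyctl(2); the libkeyutils wrapper signatures (add_key, keyctl_chown, keyctl_setperm, keyctl_read) are the library's own, everything else (function names, the "publish serial out of band" flow) is this example's assumption. Non-root callers can only chown a key to a group they belong to, and the consumer must be able to read by serial, which requires only the group read bit on the key itself.

```python
"""Group-keyring probe plus a group-permission workaround for sharing a key.

Added example, not from the original post.  Assumes libkeyutils is installed;
the KEY_SPEC_* ids and KEY_*_* bits below are the values from keyutils.h.
"""
import ctypes
import ctypes.util
import errno
import os
from ctypes import c_char_p, c_int32, c_long, c_size_t, c_uint32, c_void_p

# Special keyring ids (negative serials resolved by the kernel per caller).
KEY_SPEC_SESSION_KEYRING = -3
KEY_SPEC_USER_KEYRING = -5
KEY_SPEC_GROUP_KEYRING = -6       # placeholder: the kernel answers EINVAL

# Permission mask: one byte each for possessor/user/group/other, bits
# VIEW=0x01 READ=0x02 WRITE=0x04 SEARCH=0x08 LINK=0x10 SETATTR=0x20.
KEY_POS_ALL = 0x3F000000
KEY_USR_ALL = 0x003F0000
KEY_GRP_VIEW = 0x00000100
KEY_GRP_READ = 0x00000200
NO_CHANGE = 0xFFFFFFFF           # uid_t/gid_t -1 for keyctl_chown

SPECIAL_KEYRINGS = {"@s": KEY_SPEC_SESSION_KEYRING,
                    "@u": KEY_SPEC_USER_KEYRING,
                    "@g": KEY_SPEC_GROUP_KEYRING}


def keyring_id(name):
    """Map a keyctl-style name ('@g') or numeric string ('-6') to a serial."""
    return SPECIAL_KEYRINGS.get(name) if name in SPECIAL_KEYRINGS else int(name)


def group_readable_perm():
    """Owner and possessor keep everything; the group may only view and
    read the payload; 'other' gets nothing."""
    return KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_VIEW | KEY_GRP_READ


def explain_errno(err):
    """Human-readable cause for a failed add_key()/keyctl() call."""
    if err == errno.EINVAL:
        return "EINVAL: keyring id rejected (@g is not implemented)"
    if err == errno.EACCES:
        return "EACCES: missing permission on the target keyring/key"
    if err == errno.ENOKEY:
        return "ENOKEY: no such key"
    return os.strerror(err)


_lib = None


def keyutils():
    """Load libkeyutils lazily and declare the prototypes we rely on."""
    global _lib
    if _lib is None:
        path = ctypes.util.find_library("keyutils") or "libkeyutils.so.1"
        _lib = ctypes.CDLL(path, use_errno=True)
        _lib.add_key.argtypes = [c_char_p, c_char_p, c_void_p, c_size_t, c_int32]
        _lib.add_key.restype = c_int32
        _lib.keyctl_chown.argtypes = [c_int32, c_uint32, c_uint32]
        _lib.keyctl_chown.restype = c_long
        _lib.keyctl_setperm.argtypes = [c_int32, c_uint32]
        _lib.keyctl_setperm.restype = c_long
        _lib.keyctl_read.argtypes = [c_int32, c_char_p, c_size_t]
        _lib.keyctl_read.restype = c_long
    return _lib


def add_user_key(desc, payload, keyring):
    """add_key('user', desc, payload) into `keyring`; returns (serial, errno)."""
    serial = keyutils().add_key(b"user", desc, payload, len(payload), keyring)
    return serial, (ctypes.get_errno() if serial < 0 else 0)


def publish_for_group(desc, payload, gid):
    """Producer: create the key in @u, give it to `gid`, restrict group rights
    to view+read and return the serial to pass to the consumer out of band."""
    lib = keyutils()
    serial, err = add_user_key(desc, payload, KEY_SPEC_USER_KEYRING)
    if serial < 0:
        raise OSError(err, explain_errno(err))
    for ok in (lib.keyctl_chown(serial, NO_CHANGE, gid) >= 0,
               lib.keyctl_setperm(serial, group_readable_perm()) >= 0):
        if not ok:
            err = ctypes.get_errno()
            raise OSError(err, explain_errno(err))
    return serial


def read_shared_key(serial):
    """Consumer (another uid in the group): read the payload by serial."""
    lib = keyutils()
    n = lib.keyctl_read(serial, None, 0)          # NULL buffer: payload length
    if n < 0:
        err = ctypes.get_errno()
        raise OSError(err, explain_errno(err))
    buf = ctypes.create_string_buffer(n)
    got = lib.keyctl_read(serial, buf, n)
    return buf.raw[:got]


if __name__ == "__main__":
    serial, err = add_user_key(b"foo", b"bar", keyring_id("@g"))
    print("add_key into @g ->", serial, explain_errno(err))
    shared = publish_for_group(b"foo", b"bar", os.getgid())
    print("serial to hand to the consumer:", shared, read_shared_key(shared))
```

Run the script once as the producer and pass the printed serial (through a pipe, a file, or an environment variable) to a process running under a different uid that is a member of the same group; that process can call `read_shared_key(serial)` but not write to the key or link it anywhere else, because only KEY_GRP_VIEW and KEY_GRP_READ are granted.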