1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
.\" Copyright, the authors of the Linux man-pages project
.\"
.\" SPDX-License-Identifier: Linux-man-pages-copyleft
.\"
.TH KEYCTL_INVALIDATE 2const 2025-05-17 "Linux man-pages (unreleased)"
.SH NAME
KEYCTL_INVALIDATE
\-
invalidate a key
.SH LIBRARY
Standard C library
.RI ( libc ,\~ \-lc )
.SH SYNOPSIS
.nf
.BR "#include <linux/keyctl.h>" " /* Definition of " KEY* " constants */"
.BR "#include <sys/syscall.h>" " /* Definition of " SYS_* " constants */"
.B #include <unistd.h>
.P
.BI "long syscall(SYS_keyctl, KEYCTL_INVALIDATE, key_serial_t " key );
.fi
.SH DESCRIPTION
Mark a key as invalid.
.P
The ID of the key to be invalidated is specified in
.IR key .
.P
To invalidate a key,
the caller must have
.I search
permission on the key.
.\" CAP_SYS_ADMIN is permitted to invalidate certain special keys
.P
This operation marks the key as invalid
and schedules immediate garbage collection.
The garbage collector removes the invalidated key from all keyrings and
deletes the key when its reference count reaches zero.
After this operation,
the key will be ignored by all searches,
even if it is not yet deleted.
.P
Keys that are marked invalid become invisible to normal key operations
immediately, though they are still visible in
.I /proc/keys
(marked with an 'i' flag)
until they are actually removed.
.SH RETURN VALUE
On success,
0 is returned.
.P
On error, \-1 is returned, and
.I errno
is set to indicate the error.
.SH VERSIONS
A wrapper is provided in the
.I libkeyutils
library:
.BR keyctl_invalidate (3).
.SH STANDARDS
Linux.
.SH HISTORY
Linux 3.5.
.\" commit fd75815f727f157a05f4c96b5294a4617c0557da
.SH SEE ALSO
.BR keyctl (2),
.BR keyctl_invalidate (3)
|
