sys/linux/key.txt - platform/external/syzkaller - Git at Google

 # Copyright 2015 syzkaller project authors. All rights reserved.
 # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

 include <linux/key.h>
 include <linux/keyctl.h>
 include <uapi/linux/keyctl.h>

 # key serial number (key_serial_t)
 resource key[int32]: 0

 # key of type "keyring".  Note: for now we include KEY_SPEC_REQKEY_AUTH_KEY here
 # since it should be listed somewhere, though it's not actually a keyring.
 resource keyring[key]: KEY_SPEC_THREAD_KEYRING, KEY_SPEC_PROCESS_KEYRING, KEY_SPEC_SESSION_KEYRING, KEY_SPEC_USER_KEYRING, KEY_SPEC_USER_SESSION_KEYRING, KEY_SPEC_GROUP_KEYRING, KEY_SPEC_REQKEY_AUTH_KEY, KEY_SPEC_REQUESTOR_KEYRING

 # key of type "user"
 resource user_key[key]

 add_key(type ptr[in, string[key_type]], desc ptr[in, key_desc], payload ptr[in, array[int8], opt], paylen len[payload], keyring keyring[opt]) key
 add_key$keyring(type ptr[in, string["keyring"]], desc ptr[in, key_desc], payload const[0], paylen const[0], keyring keyring[opt]) keyring
 add_key$user(type ptr[in, string["user"]], desc ptr[in, key_desc], payload buffer[in], paylen len[payload], keyring keyring[opt]) user_key
 request_key(type ptr[in, string[key_type]], desc ptr[in, key_desc], callout ptr[in, string], keyring keyring[opt]) key
 keyctl$get_keyring_id(code const[KEYCTL_GET_KEYRING_ID], key key, create intptr)
 keyctl$join(code const[KEYCTL_JOIN_SESSION_KEYRING], session ptr[in, key_desc, opt])
 keyctl$update(code const[KEYCTL_UPDATE], key key, payload ptr[in, array[int8], opt], paylen len[payload])
 keyctl$revoke(code const[KEYCTL_REVOKE], key key)
 keyctl$describe(code const[KEYCTL_DESCRIBE], key key, desc buffer[out], len len[desc])
 keyctl$clear(code const[KEYCTL_CLEAR], keyring keyring)
 keyctl$link(code const[KEYCTL_LINK], key key, keyring keyring)
 keyctl$unlink(code const[KEYCTL_UNLINK], key key, keyring keyring)
 keyctl$search(code const[KEYCTL_SEARCH], key key, type ptr[in, string[key_type]], desc ptr[in, key_desc], destination keyring)
 keyctl$read(code const[KEYCTL_READ], key key, payload buffer[out], len len[payload])
 keyctl$chown(code const[KEYCTL_CHOWN], key key, uid uid, gid gid)
 # perm is a mask of KEY_POS_VIEW, etc consants, but they cover almost whole int32.
 keyctl$setperm(code const[KEYCTL_SETPERM], key key, perm flags[key_perm])
 keyctl$instantiate(code const[KEYCTL_INSTANTIATE], key key, payload ptr[in, key_instantiate_payload, opt], paylen len[payload], keyring keyring[opt])
 keyctl$negate(code const[KEYCTL_NEGATE], key key, timeout intptr, keyring keyring)
 keyctl$set_reqkey_keyring(code const[KEYCTL_SET_REQKEY_KEYRING], reqkey flags[reqkey_keyring])
 keyctl$set_timeout(code const[KEYCTL_SET_TIMEOUT], key key, timeout int32)
 keyctl$assume_authority(code const[KEYCTL_ASSUME_AUTHORITY], key key)
 keyctl$get_security(code const[KEYCTL_GET_SECURITY], key key, label buffer[out], len len[label])
 keyctl$session_to_parent(code const[KEYCTL_SESSION_TO_PARENT])
 keyctl$reject(code const[KEYCTL_REJECT], key key, timeout intptr, error intptr, keyring keyring)
 keyctl$instantiate_iov(code const[KEYCTL_INSTANTIATE_IOV], key key, payload ptr[in, array[iovec_in]], len len[payload], ring key)
 keyctl$invalidate(code const[KEYCTL_INVALIDATE], key key)
 keyctl$get_persistent(code const[KEYCTL_GET_PERSISTENT], uid uid, keyring keyring)
 keyctl$dh_compute(code const[KEYCTL_DH_COMPUTE], params ptr[in, keyctl_dh_params], buffer buffer[out], buflen len[buffer], kdf ptr[in, keyctl_kdf_params, opt])
 keyctl$restrict_keyring(code const[KEYCTL_RESTRICT_KEYRING], keyring keyring, type ptr[in, string[key_type], opt], restriction ptr[in, string, opt])
 keyctl$KEYCTL_PKEY_QUERY(code const[KEYCTL_PKEY_QUERY], key key, arg3 const[0], info ptr[in, string], query ptr[out, array[int8, KEYCTL_PKEY_QUERY_SIZE]])
 keyctl$KEYCTL_PKEY_ENCRYPT(code const[KEYCTL_PKEY_ENCRYPT], params ptr[in, keyctl_pkey_params], info ptr[in, keyctl_pkey_info, opt], inout ptr[in, array[int8]], output ptr[out, array[int8]])
 keyctl$KEYCTL_PKEY_DECRYPT(code const[KEYCTL_PKEY_DECRYPT], params ptr[in, keyctl_pkey_params], info ptr[in, keyctl_pkey_info, opt], inout ptr[in, array[int8]], output ptr[out, array[int8]])
 keyctl$KEYCTL_PKEY_SIGN(code const[KEYCTL_PKEY_SIGN], params ptr[in, keyctl_pkey_params], info ptr[in, keyctl_pkey_info, opt], inout ptr[in, array[int8]], output ptr[out, array[int8]])
 keyctl$KEYCTL_PKEY_VERIFY(code const[KEYCTL_PKEY_VERIFY], params ptr[in, keyctl_pkey_params], info ptr[in, keyctl_pkey_info, opt], inout ptr[in, array[int8]], output ptr[in, array[int8]])
 keyctl$KEYCTL_RESTRICT_KEYRING(code const[KEYCTL_RESTRICT_KEYRING], key key, type ptr[in, string[key_type], opt], restriction ptr[in, key_restriction, opt])
 keyctl$KEYCTL_MOVE(code const[KEYCTL_MOVE], key key, from_keyring keyring, to_keyring keyring, flags flags[keyctl_move_flags])
 keyctl$KEYCTL_CAPABILITIES(code const[KEYCTL_CAPABILITIES], buffer ptr[out, array[int8]], buflen len[buffer])

 reqkey_keyring = KEY_REQKEY_DEFL_NO_CHANGE, KEY_REQKEY_DEFL_DEFAULT, KEY_REQKEY_DEFL_THREAD_KEYRING, KEY_REQKEY_DEFL_PROCESS_KEYRING, KEY_REQKEY_DEFL_SESSION_KEYRING, KEY_REQKEY_DEFL_USER_KEYRING, KEY_REQKEY_DEFL_USER_SESSION_KEYRING, KEY_REQKEY_DEFL_GROUP_KEYRING, KEY_REQKEY_DEFL_REQUESTOR_KEYRING
 keyctl_move_flags = KEYCTL_MOVE_EXCL
 key_perm = KEY_POS_VIEW, KEY_POS_READ, KEY_POS_WRITE, KEY_POS_SEARCH, KEY_POS_LINK, KEY_POS_SETATTR, KEY_USR_VIEW, KEY_USR_READ, KEY_USR_WRITE, KEY_USR_SEARCH, KEY_USR_LINK, KEY_USR_SETATTR, KEY_GRP_VIEW, KEY_GRP_READ, KEY_GRP_WRITE, KEY_GRP_SEARCH, KEY_GRP_LINK, KEY_GRP_SETATTR, KEY_OTH_VIEW, KEY_OTH_READ, KEY_OTH_WRITE, KEY_OTH_SEARCH, KEY_OTH_LINK, KEY_OTH_SETATTR

 key_type = "asymmetric", "big_key", "blacklist", "ceph", "cifs.idmap", "cifs.spnego", ".dead", "dns_resolver", "encrypted", "id_legacy", "id_resolver", "keyring", "logon", "pkcs7_test", ".request_key_auth", "rxrpc", "rxrpc_s", "syzkaller", "trusted", "user"

 # "syzP\x00"
 key_desc {
 	prefix	stringnoz["syz"]
 	id	proc[' ', 4, int8]
 	z	const[0, int8]
 }

 keyctl_dh_params {
 	private	user_key
 	prime	user_key
 	base	user_key
 }

 keyctl_kdf_params {
 	hashname	ptr[in, alg_hash_name]
 	otherinfo	ptr[in, array[int8], opt]
 	otherinfolen	len[otherinfo, int32]
 	__spare		array[const[0, int32], 8]
 }

 key_instantiate_payload [
 	encrypted_new		key_encrypted_new
 	encrypted_load		key_encrypted_load
 	encrypted_update	key_encrypted_update
 ] [varlen]

 key_encrypted_new {
 	cmd		stringnoz["new "]
 	format		stringnoz[key_encrypted_format]
 	sp0		const[' ', int8]
 	key_type	stringnoz[key_encrypted_key_type]
 	key_desc	stringnoz
 	sp1		const[' ', int8]
 	datalen		fmt[dec, int64]
 	z		const[0, int8]
 } [packed]

 key_encrypted_load {
 	cmd		stringnoz["load "]
 	format		stringnoz[key_encrypted_format]
 	sp0		const[' ', int8]
 	key_type	stringnoz[key_encrypted_key_type]
 	key_desc	stringnoz
 	sp1		const[' ', int8]
 	datalen		fmt[dec, int64]
 	sp2		const[' ', int8]
 # TODO: this is something complex: hex-encoded iv of particular length, followed by delim?
 # followed by something-hex-encoded of some particular length, followed by something more?
 	iv_data		array[flags[hex_chars, int8]]
 	z		const[0, int8]
 } [packed]

 key_encrypted_update {
 	cmd		stringnoz["update "]
 	format		stringnoz[key_encrypted_format]
 	sp0		const[' ', int8]
 	key_type	stringnoz[key_encrypted_key_type]
 	key_desc	stringnoz
 	z		const[0, int8]
 } [packed]

 keyctl_pkey_params {
 	key_id	key
 	in_len	bytesize[syscall:inout, int32]
 	out_len	bytesize[syscall:output, int32]
 	__spare	array[const[0, int32], 7]
 }

 keyctl_pkey_info {
 	enc		stringnoz["enc="]
 	env_val		stringnoz[keyctl_pkey_info_enc]
 	hash		stringnoz[" hash="]
 	hash_val	alg_hash_name
 } [packed]

 key_encrypted_format = "ecryptfs", "default"
 key_encrypted_key_type = "trusted:", "user:"
 keyctl_pkey_info_enc = "raw", "pkcs1", "oaep"

 key_restriction [
 	builtin		string["builtin_trusted"]
 	secondary	string["builtin_and_secondary_trusted"]
 	keyring		key_restriction_keyring
 	chain		key_restriction_keyring_chain
 ] [varlen]

 key_restriction_keyring {
 	keyring	stringnoz["key_or_keyring:"]
 	serial	fmt[hex, key]
 	z	const[0, int8]
 } [packed]

 key_restriction_keyring_chain {
 	keyring	stringnoz["key_or_keyring:"]
 	serial	fmt[hex, key]
 	chain	string[":chain"]
 } [packed]

 define KEYCTL_PKEY_QUERY_SIZE	sizeof(struct keyctl_pkey_query)
	# Copyright 2015 syzkaller project authors. All rights reserved.
	# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

	include <linux/key.h>
	include <linux/keyctl.h>
	include <uapi/linux/keyctl.h>

	# key serial number (key_serial_t)
	resource key[int32]: 0

	# key of type "keyring". Note: for now we include KEY_SPEC_REQKEY_AUTH_KEY here
	# since it should be listed somewhere, though it's not actually a keyring.
	resource keyring[key]: KEY_SPEC_THREAD_KEYRING, KEY_SPEC_PROCESS_KEYRING, KEY_SPEC_SESSION_KEYRING, KEY_SPEC_USER_KEYRING, KEY_SPEC_USER_SESSION_KEYRING, KEY_SPEC_GROUP_KEYRING, KEY_SPEC_REQKEY_AUTH_KEY, KEY_SPEC_REQUESTOR_KEYRING

	# key of type "user"
	resource user_key[key]

	add_key(type ptr[in, string[key_type]], desc ptr[in, key_desc], payload ptr[in, array[int8], opt], paylen len[payload], keyring keyring[opt]) key
	add_key$keyring(type ptr[in, string["keyring"]], desc ptr[in, key_desc], payload const[0], paylen const[0], keyring keyring[opt]) keyring
	add_key$user(type ptr[in, string["user"]], desc ptr[in, key_desc], payload buffer[in], paylen len[payload], keyring keyring[opt]) user_key
	request_key(type ptr[in, string[key_type]], desc ptr[in, key_desc], callout ptr[in, string], keyring keyring[opt]) key
	keyctl$get_keyring_id(code const[KEYCTL_GET_KEYRING_ID], key key, create intptr)
	keyctl$join(code const[KEYCTL_JOIN_SESSION_KEYRING], session ptr[in, key_desc, opt])
	keyctl$update(code const[KEYCTL_UPDATE], key key, payload ptr[in, array[int8], opt], paylen len[payload])
	keyctl$revoke(code const[KEYCTL_REVOKE], key key)
	keyctl$describe(code const[KEYCTL_DESCRIBE], key key, desc buffer[out], len len[desc])
	keyctl$clear(code const[KEYCTL_CLEAR], keyring keyring)
	keyctl$link(code const[KEYCTL_LINK], key key, keyring keyring)
	keyctl$unlink(code const[KEYCTL_UNLINK], key key, keyring keyring)
	keyctl$search(code const[KEYCTL_SEARCH], key key, type ptr[in, string[key_type]], desc ptr[in, key_desc], destination keyring)
	keyctl$read(code const[KEYCTL_READ], key key, payload buffer[out], len len[payload])
	keyctl$chown(code const[KEYCTL_CHOWN], key key, uid uid, gid gid)
	# perm is a mask of KEY_POS_VIEW, etc consants, but they cover almost whole int32.
	keyctl$setperm(code const[KEYCTL_SETPERM], key key, perm flags[key_perm])
	keyctl$instantiate(code const[KEYCTL_INSTANTIATE], key key, payload ptr[in, key_instantiate_payload, opt], paylen len[payload], keyring keyring[opt])
	keyctl$negate(code const[KEYCTL_NEGATE], key key, timeout intptr, keyring keyring)
	keyctl$set_reqkey_keyring(code const[KEYCTL_SET_REQKEY_KEYRING], reqkey flags[reqkey_keyring])
	keyctl$set_timeout(code const[KEYCTL_SET_TIMEOUT], key key, timeout int32)
	keyctl$assume_authority(code const[KEYCTL_ASSUME_AUTHORITY], key key)
	keyctl$get_security(code const[KEYCTL_GET_SECURITY], key key, label buffer[out], len len[label])
	keyctl$session_to_parent(code const[KEYCTL_SESSION_TO_PARENT])
	keyctl$reject(code const[KEYCTL_REJECT], key key, timeout intptr, error intptr, keyring keyring)
	keyctl$instantiate_iov(code const[KEYCTL_INSTANTIATE_IOV], key key, payload ptr[in, array[iovec_in]], len len[payload], ring key)
	keyctl$invalidate(code const[KEYCTL_INVALIDATE], key key)
	keyctl$get_persistent(code const[KEYCTL_GET_PERSISTENT], uid uid, keyring keyring)
	keyctl$dh_compute(code const[KEYCTL_DH_COMPUTE], params ptr[in, keyctl_dh_params], buffer buffer[out], buflen len[buffer], kdf ptr[in, keyctl_kdf_params, opt])
	keyctl$restrict_keyring(code const[KEYCTL_RESTRICT_KEYRING], keyring keyring, type ptr[in, string[key_type], opt], restriction ptr[in, string, opt])
	keyctl$KEYCTL_PKEY_QUERY(code const[KEYCTL_PKEY_QUERY], key key, arg3 const[0], info ptr[in, string], query ptr[out, array[int8, KEYCTL_PKEY_QUERY_SIZE]])
	keyctl$KEYCTL_PKEY_ENCRYPT(code const[KEYCTL_PKEY_ENCRYPT], params ptr[in, keyctl_pkey_params], info ptr[in, keyctl_pkey_info, opt], inout ptr[in, array[int8]], output ptr[out, array[int8]])
	keyctl$KEYCTL_PKEY_DECRYPT(code const[KEYCTL_PKEY_DECRYPT], params ptr[in, keyctl_pkey_params], info ptr[in, keyctl_pkey_info, opt], inout ptr[in, array[int8]], output ptr[out, array[int8]])
	keyctl$KEYCTL_PKEY_SIGN(code const[KEYCTL_PKEY_SIGN], params ptr[in, keyctl_pkey_params], info ptr[in, keyctl_pkey_info, opt], inout ptr[in, array[int8]], output ptr[out, array[int8]])
	keyctl$KEYCTL_PKEY_VERIFY(code const[KEYCTL_PKEY_VERIFY], params ptr[in, keyctl_pkey_params], info ptr[in, keyctl_pkey_info, opt], inout ptr[in, array[int8]], output ptr[in, array[int8]])
	keyctl$KEYCTL_RESTRICT_KEYRING(code const[KEYCTL_RESTRICT_KEYRING], key key, type ptr[in, string[key_type], opt], restriction ptr[in, key_restriction, opt])
	keyctl$KEYCTL_MOVE(code const[KEYCTL_MOVE], key key, from_keyring keyring, to_keyring keyring, flags flags[keyctl_move_flags])
	keyctl$KEYCTL_CAPABILITIES(code const[KEYCTL_CAPABILITIES], buffer ptr[out, array[int8]], buflen len[buffer])

	reqkey_keyring = KEY_REQKEY_DEFL_NO_CHANGE, KEY_REQKEY_DEFL_DEFAULT, KEY_REQKEY_DEFL_THREAD_KEYRING, KEY_REQKEY_DEFL_PROCESS_KEYRING, KEY_REQKEY_DEFL_SESSION_KEYRING, KEY_REQKEY_DEFL_USER_KEYRING, KEY_REQKEY_DEFL_USER_SESSION_KEYRING, KEY_REQKEY_DEFL_GROUP_KEYRING, KEY_REQKEY_DEFL_REQUESTOR_KEYRING
	keyctl_move_flags = KEYCTL_MOVE_EXCL
	key_perm = KEY_POS_VIEW, KEY_POS_READ, KEY_POS_WRITE, KEY_POS_SEARCH, KEY_POS_LINK, KEY_POS_SETATTR, KEY_USR_VIEW, KEY_USR_READ, KEY_USR_WRITE, KEY_USR_SEARCH, KEY_USR_LINK, KEY_USR_SETATTR, KEY_GRP_VIEW, KEY_GRP_READ, KEY_GRP_WRITE, KEY_GRP_SEARCH, KEY_GRP_LINK, KEY_GRP_SETATTR, KEY_OTH_VIEW, KEY_OTH_READ, KEY_OTH_WRITE, KEY_OTH_SEARCH, KEY_OTH_LINK, KEY_OTH_SETATTR

	key_type = "asymmetric", "big_key", "blacklist", "ceph", "cifs.idmap", "cifs.spnego", ".dead", "dns_resolver", "encrypted", "id_legacy", "id_resolver", "keyring", "logon", "pkcs7_test", ".request_key_auth", "rxrpc", "rxrpc_s", "syzkaller", "trusted", "user"

	# "syzP\x00"
	key_desc {
	prefix stringnoz["syz"]
	id proc[' ', 4, int8]
	z const[0, int8]
	}

	keyctl_dh_params {
	private user_key
	prime user_key
	base user_key
	}

	keyctl_kdf_params {
	hashname ptr[in, alg_hash_name]
	otherinfo ptr[in, array[int8], opt]
	otherinfolen len[otherinfo, int32]
	__spare array[const[0, int32], 8]
	}

	key_instantiate_payload [
	encrypted_new key_encrypted_new
	encrypted_load key_encrypted_load
	encrypted_update key_encrypted_update
	] [varlen]

	key_encrypted_new {
	cmd stringnoz["new "]
	format stringnoz[key_encrypted_format]
	sp0 const[' ', int8]
	key_type stringnoz[key_encrypted_key_type]
	key_desc stringnoz
	sp1 const[' ', int8]
	datalen fmt[dec, int64]
	z const[0, int8]
	} [packed]

	key_encrypted_load {
	cmd stringnoz["load "]
	format stringnoz[key_encrypted_format]
	sp0 const[' ', int8]
	key_type stringnoz[key_encrypted_key_type]
	key_desc stringnoz
	sp1 const[' ', int8]
	datalen fmt[dec, int64]
	sp2 const[' ', int8]
	# TODO: this is something complex: hex-encoded iv of particular length, followed by delim?
	# followed by something-hex-encoded of some particular length, followed by something more?
	iv_data array[flags[hex_chars, int8]]
	z const[0, int8]
	} [packed]

	key_encrypted_update {
	cmd stringnoz["update "]
	format stringnoz[key_encrypted_format]
	sp0 const[' ', int8]
	key_type stringnoz[key_encrypted_key_type]
	key_desc stringnoz
	z const[0, int8]
	} [packed]

	keyctl_pkey_params {
	key_id key
	in_len bytesize[syscall:inout, int32]
	out_len bytesize[syscall:output, int32]
	__spare array[const[0, int32], 7]
	}

	keyctl_pkey_info {
	enc stringnoz["enc="]
	env_val stringnoz[keyctl_pkey_info_enc]
	hash stringnoz[" hash="]
	hash_val alg_hash_name
	} [packed]

	key_encrypted_format = "ecryptfs", "default"
	key_encrypted_key_type = "trusted:", "user:"
	keyctl_pkey_info_enc = "raw", "pkcs1", "oaep"

	key_restriction [
	builtin string["builtin_trusted"]
	secondary string["builtin_and_secondary_trusted"]
	keyring key_restriction_keyring
	chain key_restriction_keyring_chain
	] [varlen]

	key_restriction_keyring {
	keyring stringnoz["key_or_keyring:"]
	serial fmt[hex, key]
	z const[0, int8]
	} [packed]

	key_restriction_keyring_chain {
	keyring stringnoz["key_or_keyring:"]
	serial fmt[hex, key]
	chain string[":chain"]
	} [packed]

	define KEYCTL_PKEY_QUERY_SIZE sizeof(struct keyctl_pkey_query)