/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
/* keyctl.h: keyctl command IDs
 *
 * Copyright (C) 2004, 2008 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells ([email protected])
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 *
 * Userspace-visible header: the numeric values, struct layouts and field
 * order below are consumed by keyctl callers and are treated as a stable
 * interface. The __spare arrays in the structures exist so that fields can
 * be appended later without changing the size of the argument blocks.
 */

#ifndef _LINUX_KEYCTL_H
#define _LINUX_KEYCTL_H

#include <linux/types.h>

/*
 * Keyring permission grant definitions
 *
 * An ACL grant (ACE) pairs a subject with a set of KEY_ACE_* permission
 * bits. The subject type says how the subject identifier is interpreted;
 * only KEY_ACE_SUBJ_STANDARD is defined here, and its subjects are the
 * values of enum key_ace_standard_subject.
 */
enum key_ace_subject_type {
	KEY_ACE_SUBJ_STANDARD	= 0,	/* subject is one of key_ace_standard_subject */
	nr__key_ace_subject_type	/* number of subject types; not itself a valid type */
};

enum key_ace_standard_subject {
	KEY_ACE_EVERYONE	= 0,	/* Everyone, including owner and group */
	KEY_ACE_GROUP		= 1,	/* The key's group */
	KEY_ACE_OWNER		= 2,	/* The owner of the key */
	KEY_ACE_POSSESSOR	= 3,	/* Any process that possesses the key */
	nr__key_ace_standard_subject	/* number of standard subjects; not itself a valid subject */
};

/*
 * Permission bits carried by an ACL grant.
 *
 * Note that KEY_ACE_VIEW..KEY_ACE_SET_SECURITY share their numeric values
 * with the KEY_OTH_* bits of the old-style mask further down. The two
 * encodings mean different things (a per-subject grant vs. the "other"
 * slot of a fixed four-slot mask) and must not be mixed in one permissions
 * argument.
 */
#define KEY_ACE_VIEW		0x00000001 /* Can describe the key */
#define KEY_ACE_READ		0x00000002 /* Can read the key content */
#define KEY_ACE_WRITE		0x00000004 /* Can update/modify the key content */
#define KEY_ACE_SEARCH		0x00000008 /* Can find the key by search */
#define KEY_ACE_LINK		0x00000010 /* Can make a link to the key */
#define KEY_ACE_SET_SECURITY	0x00000020 /* Can set owner, group, ACL */
#define KEY_ACE_INVAL		0x00000040 /* Can invalidate the key */
#define KEY_ACE_REVOKE		0x00000080 /* Can revoke the key */
#define KEY_ACE_JOIN		0x00000100 /* Can join keyring */
#define KEY_ACE_CLEAR		0x00000200 /* Can clear keyring */
#define KEY_ACE__PERMS		0xffffffff /* Mask covering every permission bit */

/*
 * Old-style permissions mask, deprecated in favour of ACL.
 *
 * Four 6-bit slots in one 32-bit word: bits 24-29 possessor, 16-21 user
 * (owner), 8-13 group, 0-5 other. Within each slot the bit order is VIEW,
 * READ, WRITE, SEARCH, LINK, SETATTR, and each *_ALL constant is the
 * full slot. The old-style mask has no equivalent of KEY_ACE_INVAL,
 * KEY_ACE_REVOKE, KEY_ACE_JOIN or KEY_ACE_CLEAR.
 */
#define KEY_POS_VIEW	0x01000000	/* possessor can view a key's attributes */
#define KEY_POS_READ	0x02000000	/* possessor can read key payload / view keyring */
#define KEY_POS_WRITE	0x04000000	/* possessor can update key payload / add link to keyring */
#define KEY_POS_SEARCH	0x08000000	/* possessor can find a key in search / search a keyring */
#define KEY_POS_LINK	0x10000000	/* possessor can create a link to a key/keyring */
#define KEY_POS_SETATTR	0x20000000	/* possessor can set key attributes */
#define KEY_POS_ALL	0x3f000000

#define KEY_USR_VIEW	0x00010000	/* user permissions... */
#define KEY_USR_READ	0x00020000
#define KEY_USR_WRITE	0x00040000
#define KEY_USR_SEARCH	0x00080000
#define KEY_USR_LINK	0x00100000
#define KEY_USR_SETATTR	0x00200000
#define KEY_USR_ALL	0x003f0000

#define KEY_GRP_VIEW	0x00000100	/* group permissions... */
#define KEY_GRP_READ	0x00000200
#define KEY_GRP_WRITE	0x00000400
#define KEY_GRP_SEARCH	0x00000800
#define KEY_GRP_LINK	0x00001000
#define KEY_GRP_SETATTR	0x00002000
#define KEY_GRP_ALL	0x00003f00

#define KEY_OTH_VIEW	0x00000001	/* third party permissions... */
#define KEY_OTH_READ	0x00000002
#define KEY_OTH_WRITE	0x00000004
#define KEY_OTH_SEARCH	0x00000008
#define KEY_OTH_LINK	0x00000010
#define KEY_OTH_SETATTR	0x00000020
#define KEY_OTH_ALL	0x0000003f

/*
 * special process keyring shortcut IDs
 *
 * Negative pseudo-IDs that may be passed wherever a key ID is expected;
 * each stands for a keyring that the kernel resolves relative to the
 * calling thread/process/user. (Real key serials are presumably positive,
 * so these cannot collide with them -- confirm against the serial allocator.)
 */
#define KEY_SPEC_THREAD_KEYRING		-1	/* - key ID for thread-specific keyring */
#define KEY_SPEC_PROCESS_KEYRING	-2	/* - key ID for process-specific keyring */
#define KEY_SPEC_SESSION_KEYRING	-3	/* - key ID for session-specific keyring */
#define KEY_SPEC_USER_KEYRING		-4	/* - key ID for UID-specific keyring */
#define KEY_SPEC_USER_SESSION_KEYRING	-5	/* - key ID for UID-session keyring */
#define KEY_SPEC_GROUP_KEYRING		-6	/* - key ID for GID-specific keyring */
#define KEY_SPEC_REQKEY_AUTH_KEY	-7	/* - key ID for assumed request_key auth key */
#define KEY_SPEC_REQUESTOR_KEYRING	-8	/* - key ID for request_key() dest keyring */

/*
 * request-key default keyrings
 *
 * Arguments to KEYCTL_SET_REQKEY_KEYRING selecting which of the shortcut
 * keyrings above newly requested keys are placed in. These are distinct
 * from the KEY_SPEC_* IDs (they are small non-negative selectors, apart
 * from the "leave unchanged" value) and cannot be used interchangeably.
 */
#define KEY_REQKEY_DEFL_NO_CHANGE		-1
#define KEY_REQKEY_DEFL_DEFAULT			0
#define KEY_REQKEY_DEFL_THREAD_KEYRING		1
#define KEY_REQKEY_DEFL_PROCESS_KEYRING		2
#define KEY_REQKEY_DEFL_SESSION_KEYRING		3
#define KEY_REQKEY_DEFL_USER_KEYRING		4
#define KEY_REQKEY_DEFL_USER_SESSION_KEYRING	5
#define KEY_REQKEY_DEFL_GROUP_KEYRING		6
#define KEY_REQKEY_DEFL_REQUESTOR_KEYRING	7

/*
 * keyctl commands
 *
 * Command numbers are only ever appended. Whether a given kernel supports
 * the later commands can be discovered with KEYCTL_CAPABILITIES (see the
 * KEYCTL_CAPS* flags at the end of this file) instead of probing.
 */
#define KEYCTL_GET_KEYRING_ID		0	/* ask for a keyring's ID */
#define KEYCTL_JOIN_SESSION_KEYRING	1	/* join or start named session keyring */
#define KEYCTL_UPDATE			2	/* update a key */
#define KEYCTL_REVOKE			3	/* revoke a key */
#define KEYCTL_CHOWN			4	/* set ownership of a key */
#define KEYCTL_SETPERM			5	/* set perms on a key */
#define KEYCTL_DESCRIBE			6	/* describe a key */
#define KEYCTL_CLEAR			7	/* clear contents of a keyring */
#define KEYCTL_LINK			8	/* link a key into a keyring */
#define KEYCTL_UNLINK			9	/* unlink a key from a keyring */
#define KEYCTL_SEARCH			10	/* search for a key in a keyring */
#define KEYCTL_READ			11	/* read a key or keyring's contents */
#define KEYCTL_INSTANTIATE		12	/* instantiate a partially constructed key */
#define KEYCTL_NEGATE			13	/* negate a partially constructed key */
#define KEYCTL_SET_REQKEY_KEYRING	14	/* set default request-key keyring (KEY_REQKEY_DEFL_*) */
#define KEYCTL_SET_TIMEOUT		15	/* set key timeout */
#define KEYCTL_ASSUME_AUTHORITY		16	/* assume request_key() authorisation */
#define KEYCTL_GET_SECURITY		17	/* get key security label */
#define KEYCTL_SESSION_TO_PARENT	18	/* apply session keyring to parent process */
#define KEYCTL_REJECT			19	/* reject a partially constructed key */
#define KEYCTL_INSTANTIATE_IOV		20	/* instantiate a partially constructed key (payload as iovec) */
#define KEYCTL_INVALIDATE		21	/* invalidate a key */
#define KEYCTL_GET_PERSISTENT		22	/* get a user's persistent keyring */
#define KEYCTL_DH_COMPUTE		23	/* Compute Diffie-Hellman values (struct keyctl_dh_params) */
#define KEYCTL_PKEY_QUERY		24	/* Query public key parameters (struct keyctl_pkey_query) */
#define KEYCTL_PKEY_ENCRYPT		25	/* Encrypt a blob using a public key */
#define KEYCTL_PKEY_DECRYPT		26	/* Decrypt a blob using a public key */
#define KEYCTL_PKEY_SIGN		27	/* Create a public key signature */
#define KEYCTL_PKEY_VERIFY		28	/* Verify a public key signature */
#define KEYCTL_RESTRICT_KEYRING		29	/* Restrict keys allowed to link to a keyring */
#define KEYCTL_MOVE			30	/* Move keys between keyrings (flags: KEYCTL_MOVE_*) */
#define KEYCTL_CAPABILITIES		31	/* Find capabilities of keyrings subsystem */

/* keyctl structures */

/*
 * Argument block for KEYCTL_DH_COMPUTE. Each field is a key serial (same
 * width as keyctl_pkey_params.key_id) identifying the key holding the
 * private value, the prime modulus and the base respectively. "private"
 * is a C++ keyword, so C++ callers must use the "priv" spelling; both
 * union members name the same storage.
 */
struct keyctl_dh_params {
	union {
#ifndef __cplusplus
		__s32 private;
#endif
		__s32 priv;
	};
	__s32 prime;
	__s32 base;
};

/*
 * Key-derivation parameters that accompany keyctl_dh_params (presumably the
 * optional extra argument of KEYCTL_DH_COMPUTE -- confirm against the
 * caller). Both pointers are userspace addresses: hashname is a string
 * naming the hash algorithm, otherinfo is otherinfolen bytes of extra KDF
 * input. __spare is reserved for extension and is presumably required to
 * be zero -- confirm against the kernel-side validation.
 */
struct keyctl_kdf_params {
	char __user *hashname;
	char __user *otherinfo;
	__u32 otherinfolen;
	__u32 __spare[8];
};

/* Bits reported in keyctl_pkey_query.supported_ops */
#define KEYCTL_SUPPORTS_ENCRYPT		0x01
#define KEYCTL_SUPPORTS_DECRYPT		0x02
#define KEYCTL_SUPPORTS_SIGN		0x04
#define KEYCTL_SUPPORTS_VERIFY		0x08

/*
 * Result of KEYCTL_PKEY_QUERY. The max_* fields tell the caller how large
 * the input and output buffers for the corresponding KEYCTL_PKEY_* call
 * need to be; note they are 16-bit while keyctl_pkey_params lengths are
 * 32-bit.
 */
struct keyctl_pkey_query {
	__u32		supported_ops;	/* Which ops are supported (KEYCTL_SUPPORTS_*) */
	__u32		key_size;	/* Size of the key in bits */
	__u16		max_data_size;	/* Maximum size of raw data to sign in bytes */
	__u16		max_sig_size;	/* Maximum size of signature in bytes */
	__u16		max_enc_size;	/* Maximum size of encrypted blob in bytes */
	__u16		max_dec_size;	/* Maximum size of decrypted blob in bytes */
	__u32		__spare[10];	/* Reserved for extension */
};

/*
 * Argument block shared by KEYCTL_PKEY_ENCRYPT, KEYCTL_PKEY_DECRYPT,
 * KEYCTL_PKEY_SIGN and KEYCTL_PKEY_VERIFY. in_len is the size of the first
 * input buffer; the union member that applies depends on the operation:
 * out_len for operations that produce output, in2_len for the second input
 * of verify.
 */
struct keyctl_pkey_params {
	__s32		key_id;		/* Serial no. of public key to use */
	__u32		in_len;		/* Input data size */
	union {
		__u32		out_len;	/* Output buffer size (encrypt/decrypt/sign) */
		__u32		in2_len;	/* 2nd input data size (verify) */
	};
	__u32		__spare[7];	/* Reserved for extension */
};

/* Flags for KEYCTL_MOVE */
#define KEYCTL_MOVE_EXCL	0x00000001 /* Do not displace from the to-keyring */

/*
 * Capabilities flags. The capabilities list is an array of 8-bit integers;
 * each integer can carry up to 8 flags.
 *
 * KEYCTL_CAPS0_* are the bits of byte 0 of the array returned by
 * KEYCTL_CAPABILITIES, KEYCTL_CAPS1_* the bits of byte 1.
 */
#define KEYCTL_CAPS0_CAPABILITIES	0x01 /* KEYCTL_CAPABILITIES supported */
#define KEYCTL_CAPS0_PERSISTENT_KEYRINGS 0x02 /* Persistent keyrings enabled */
#define KEYCTL_CAPS0_DIFFIE_HELLMAN	0x04 /* Diffie-Hellman computation enabled */
#define KEYCTL_CAPS0_PUBLIC_KEY		0x08 /* Public key ops enabled */
#define KEYCTL_CAPS0_BIG_KEY		0x10 /* big_key-type enabled */
#define KEYCTL_CAPS0_INVALIDATE		0x20 /* KEYCTL_INVALIDATE supported */
#define KEYCTL_CAPS0_RESTRICT_KEYRING	0x40 /* KEYCTL_RESTRICT_KEYRING supported */
#define KEYCTL_CAPS0_MOVE		0x80 /* KEYCTL_MOVE supported */
#define KEYCTL_CAPS1_NS_KEYRING_NAME	0x01 /* Keyring names are per-user_namespace */
#define KEYCTL_CAPS1_NS_KEY_TAG		0x02 /* Key indexing can include a namespace tag */

#endif /* _LINUX_KEYCTL_H */