github.com/google/syzkaller@v0.0.0-20240517125934-c0f1611a36d6/sys/linux/socket_netlink_xfrm.txt (about) 1 # Copyright 2017 syzkaller project authors. All rights reserved. 2 # Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file. 3 4 # AF_NETLINK/NETLINK_XFRM support. 5 6 include <linux/net.h> 7 include <uapi/linux/netlink.h> 8 include <uapi/linux/in.h> 9 include <uapi/linux/xfrm.h> 10 include <uapi/linux/ipsec.h> 11 12 resource sock_nl_xfrm[sock_netlink] 13 type xfrm_req_id int32[13567:13575, opt] 14 type xfrm_policy_index int32[7236528:7236544, opt] 15 type xfrm_spi int32be[1234:1238] 16 17 # Note: executor sets up xfrm0 device with XFRM_IF_ID=1. 18 type xfrm_if_id int32[1:4] 19 20 socket$nl_xfrm(domain const[AF_NETLINK], type const[SOCK_RAW], proto const[NETLINK_XFRM]) sock_nl_xfrm 21 22 sendmsg$nl_xfrm(fd sock_nl_xfrm, msg ptr[in, msghdr_nl_xfrm], f flags[send_flags]) 23 24 type msghdr_nl_xfrm msghdr_netlink[netlink_msg_xfrm] 25 26 netlink_msg_xfrm [ 27 newsa netlink_msg[XFRM_MSG_NEWSA, xfrm_usersa_info, xfrma_policy] 28 updsa netlink_msg[XFRM_MSG_UPDSA, xfrm_usersa_info, xfrma_policy] 29 delsa netlink_msg[XFRM_MSG_DELSA, xfrm_usersa_id, xfrma_policy] 30 getsa netlink_msg[XFRM_MSG_GETSA, xfrm_usersa_id, xfrma_policy] 31 newpolicy netlink_msg[XFRM_MSG_NEWPOLICY, xfrm_userpolicy_info, xfrma_policy] 32 updpolicy netlink_msg[XFRM_MSG_UPDPOLICY, xfrm_userpolicy_info, xfrma_policy] 33 delpolicy netlink_msg[XFRM_MSG_DELPOLICY, xfrm_userpolicy_id, xfrma_policy] 34 getpolicy netlink_msg[XFRM_MSG_GETPOLICY, xfrm_userpolicy_id, xfrma_policy] 35 migrate netlink_msg[XFRM_MSG_MIGRATE, xfrm_userpolicy_id, xfrma_policy] 36 allocspi netlink_msg[XFRM_MSG_ALLOCSPI, xfrm_userspi_info, xfrma_policy] 37 acquire netlink_msg[XFRM_MSG_ACQUIRE, xfrm_user_acquire, xfrma_policy] 38 expire netlink_msg[XFRM_MSG_EXPIRE, xfrm_user_expire, xfrma_policy] 39 polexpire netlink_msg[XFRM_MSG_POLEXPIRE, xfrm_user_polexpire, xfrma_policy] 40 flushsa netlink_msg[XFRM_MSG_FLUSHSA, xfrm_usersa_flush, xfrma_policy] 41 report netlink_msg[XFRM_MSG_REPORT, xfrm_user_report, xfrma_policy] 42 flushpolicy netlink_msg[XFRM_MSG_FLUSHPOLICY, void, xfrma_policy] 43 newae netlink_msg[XFRM_MSG_NEWAE, xfrm_aevent_id, xfrma_policy] 44 getae netlink_msg[XFRM_MSG_GETAE, xfrm_aevent_id, xfrma_policy] 45 getsadinfo netlink_msg[XFRM_MSG_GETSADINFO, const[0, int32], xfrma_policy] 46 newspdinfo netlink_msg[XFRM_MSG_NEWSPDINFO, int32, xfrma_spd_policy] 47 getspdinfo netlink_msg[XFRM_MSG_GETSPDINFO, int32, void] 48 ] [varlen] 49 50 xfrm_usersa_info { 51 sel xfrm_selector 52 id xfrm_id 53 saddr xfrm_address_t 54 lft xfrm_lifetime_cfg 55 curlft xfrm_lifetime_cur 56 stats xfrm_stats 57 seq netlink_seq 58 reqid xfrm_req_id 59 family flags[xfrm_family, int16] 60 mode flags[xfrm_mode, int8] 61 replay_window int8 62 flags flags[xfrm_state, int8] 63 } 64 65 xfrm_usersa_id { 66 daddr xfrm_address_t 67 spi xfrm_spi 68 family flags[xfrm_family, int16] 69 proto flags[xfrm_proto, int8] 70 } 71 72 xfrm_userpolicy_id { 73 sel xfrm_selector 74 index xfrm_policy_index 75 dir flags[xfrm_policy_dir, int8] 76 } 77 78 xfrm_userspi_info { 79 info xfrm_usersa_info 80 min int32 81 max int32 82 } 83 84 xfrm_user_acquire { 85 id xfrm_id 86 saddr xfrm_address_t 87 sel xfrm_selector 88 policy xfrm_userpolicy_info 89 aalgos int32 90 ealgos int32 91 calgo int32 92 seq netlink_seq 93 } 94 95 xfrm_user_expire { 96 state xfrm_usersa_info 97 hard int8 98 } 99 100 xfrm_user_polexpire { 101 pol xfrm_userpolicy_info 102 hard int8 103 } 104 105 xfrm_usersa_flush { 106 proto flags[xfrm_proto, int8] 107 } 108 109 xfrm_user_report { 110 proto flags[xfrm_proto, int8] 111 sel xfrm_selector 112 } 113 114 xfrm_aevent_id { 115 sa_id xfrm_usersa_id 116 saddr xfrm_address_t 117 flags int32 118 reqid xfrm_req_id 119 } 120 121 xfrma_policy [ 122 sa nlattr[XFRMA_SA, xfrm_usersa_info] 123 policy nlattr[XFRMA_POLICY, xfrm_userpolicy_info] 124 lastused nlattr[XFRMA_LASTUSED, int64] 125 algo_auth_trunc nlattr[XFRMA_ALG_AUTH_TRUNC, xfrm_algo_auth] 126 algo_aead nlattr[XFRMA_ALG_AEAD, xfrm_algo_aead] 127 algo_auth nlattr[XFRMA_ALG_AUTH, xfrm_algo_hash] 128 algo_crypt nlattr[XFRMA_ALG_CRYPT, xfrm_algo_skcipher] 129 algo_comp nlattr[XFRMA_ALG_COMP, xfrm_algo_compress] 130 srcaddr nlattr[XFRMA_SRCADDR, xfrm_address_t] 131 coaddr nlattr[XFRMA_COADDR, xfrm_address_t] 132 extra_flags nlattr[XFRMA_SA_EXTRA_FLAGS, int32] 133 tfcpad nlattr[XFRMA_TFCPAD, int32] 134 replay_thresh nlattr[XFRMA_REPLAY_THRESH, int32] 135 etimer_thresh nlattr[XFRMA_ETIMER_THRESH, int32] 136 encap nlattr[XFRMA_ENCAP, xfrm_encap_tmpl] 137 offload nlattr[XFRMA_OFFLOAD_DEV, xfrm_user_offload] 138 sec_ctx nlattr[XFRMA_SEC_CTX, xfrm_user_sec_ctx] 139 lifetime_val nlattr[XFRMA_LTIME_VAL, xfrm_lifetime_cur] 140 tmpl nlattr[XFRMA_TMPL, array[xfrm_user_tmpl, 1:XFRM_MAX_DEPTH]] 141 replay_val nlattr[XFRMA_REPLAY_VAL, xfrm_replay_state] 142 replay_esn_val nlattr[XFRMA_REPLAY_ESN_VAL, xfrm_replay_state_esn] 143 policy_type nlattr[XFRMA_POLICY_TYPE, xfrm_userpolicy_type] 144 migrate nlattr[XFRMA_MIGRATE, array[xfrm_user_migrate, 1:XFRM_MAX_DEPTH]] 145 user_kmaddress nlattr[XFRMA_KMADDRESS, xfrm_user_kmaddress] 146 mark nlattr[XFRMA_MARK, xfrm_mark] 147 proto nlattr[XFRMA_PROTO, flags[xfrm_proto, int8]] 148 address_filter nlattr[XFRMA_ADDRESS_FILTER, xfrm_address_filter] 149 XFRMA_SET_MARK nlattr[XFRMA_SET_MARK, int32] 150 XFRMA_SET_MARK_MASK nlattr[XFRMA_SET_MARK_MASK, int32] 151 XFRMA_IF_ID nlattr[XFRMA_IF_ID, xfrm_if_id] 152 ] [varlen] 153 154 define XFRM_MAX_DEPTH 6 155 156 xfrma_spd_policy [ 157 XFRMA_SPD_IPV4_HTHRESH nlattr[XFRMA_SPD_IPV4_HTHRESH, xfrmu_spdhthresh[32]] 158 XFRMA_SPD_IPV6_HTHRESH nlattr[XFRMA_SPD_IPV6_HTHRESH, xfrmu_spdhthresh[128]] 159 ] [varlen] 160 161 xfrm_encap_tmpl { 162 encap_type flags[xfrm_encap_type, int16] 163 encap_sport sock_port 164 encap_dport sock_port 165 encap_oa xfrm_address_t 166 } 167 168 xfrm_user_offload { 169 ifindex ifindex[opt] 170 flags flags[xfrm_offload_flags, int8] 171 } 172 173 xfrm_offload_flags = XFRM_OFFLOAD_IPV6, XFRM_OFFLOAD_INBOUND 174 175 xfrm_user_sec_ctx { 176 len len[parent, int16] 177 exttype const[XFRMA_SEC_CTX, int16] 178 ctx_alg flags[xfrm_sec_ctx_alg, int8] 179 ctx_doi int8 180 ctx_len len[payload, int16] 181 # TODO: what's this? looks intersting. 182 payload array[int8] 183 } 184 185 xfrm_sec_ctx_alg = XFRM_SC_ALG_SELINUX 186 187 xfrm_replay_state { 188 oseq netlink_seq 189 seq netlink_seq 190 bitmap int32 191 } 192 193 xfrm_replay_state_esn { 194 bmp_len len[bmp, int32] 195 oseq netlink_seq 196 seq netlink_seq 197 oseq_hi netlink_seq 198 seq_hi netlink_seq 199 replay_window int32 200 bmp array[int32] 201 } 202 203 xfrm_userpolicy_type { 204 type flags[xfrm_policy_types, int8] 205 reserved1 const[0, int16] 206 reserved2 const[0, int8] 207 } 208 209 xfrm_user_migrate { 210 old_daddr xfrm_address_t 211 old_saddr xfrm_address_t 212 new_daddr xfrm_address_t 213 new_saddr xfrm_address_t 214 proto flags[xfrm_proto, int8] 215 mode flags[xfrm_mode, int8] 216 reserved const[0, int16] 217 reqid xfrm_req_id 218 old_family flags[xfrm_family, int16] 219 new_family flags[xfrm_family, int16] 220 } 221 222 xfrm_user_kmaddress { 223 local xfrm_address_t 224 remote xfrm_address_t 225 reserved const[0, int32] 226 family flags[xfrm_family, int16] 227 } 228 229 xfrm_mark { 230 v int32[3475289:3475293] 231 m int32 232 } 233 234 xfrm_address_filter { 235 saddr xfrm_address_t 236 daddr xfrm_address_t 237 family flags[xfrm_family, int16] 238 splen int8 239 dplen int8 240 } 241 242 type xfrmu_spdhthresh[BOUND] { 243 lbits int8[0:BOUND] 244 rbits int8[0:BOUND] 245 } 246 247 xfrm_selector { 248 daddr xfrm_address_t 249 saddr xfrm_address_t 250 dport sock_port 251 dport_mask int16be[opt] 252 sport sock_port 253 sport_mask int16be[opt] 254 family flags[xfrm_family, int16] 255 prefixlen_d flags[xfrm_prefixlens, int8] 256 prefixlen_s flags[xfrm_prefixlens, int8] 257 proto flags[ipv6_types, int8] 258 ifindex ifindex[opt] 259 user uid 260 } 261 262 xfrm_lifetime_cfg { 263 soft_byte_limit int64 264 hard_byte_limit int64 265 soft_packet_limit int64 266 hard_packet_limit int64 267 soft_add_expires_seconds int64 268 hard_add_expires_seconds int64 269 soft_use_expires_seconds int64 270 hard_use_expires_seconds int64 271 } 272 273 xfrm_lifetime_cur { 274 bytes int64 275 packets int64 276 add_time int64 277 use_time int64 278 } 279 280 xfrm_stats { 281 replay_window int32 282 replay int32 283 integrity_failed int32 284 } 285 286 xfrm_algo_hash { 287 alg_name alg_hash_name 288 alg_key_len bitsize[alg_key, int32] 289 alg_key array[int8] 290 } 291 292 xfrm_algo_skcipher { 293 alg_name alg_skcipher_name 294 alg_key_len bitsize[alg_key, int32] 295 alg_key array[int8] 296 } 297 298 xfrm_algo_compress { 299 alg_name alg_compress_name 300 alg_key_len bitsize[alg_key, int32] 301 alg_key array[int8] 302 } 303 304 xfrm_algo_auth { 305 alg_name alg_hash_name 306 alg_key_len bitsize[alg_key, int32] 307 alg_icv_len flags[xfrm_algo_truncbits, int32] 308 alg_key array[int8] 309 } 310 311 xfrm_algo_aead { 312 alg_name alg_aead_name 313 alg_key_len bitsize[alg_key, int32] 314 alg_icv_len flags[xfrm_algo_truncbits, int32] 315 alg_key array[int8] 316 } 317 318 xfrm_algo_truncbits = 0, 64, 96, 128, 160, 192, 256, 384, 512 319 320 xfrm_id { 321 daddr xfrm_address_t 322 spi xfrm_spi 323 proto flags[xfrm_proto, int8] 324 } 325 326 xfrm_address_t [ 327 in ipv4_addr 328 in6 ipv6_addr 329 ] 330 331 xfrm_filter { 332 info xfrm_userpolicy_info 333 tmpl xfrm_user_tmpl 334 } 335 336 xfrm_userpolicy_info { 337 sel xfrm_selector 338 lft xfrm_lifetime_cfg 339 curlft xfrm_lifetime_cur 340 priority int32 341 index xfrm_policy_index 342 dir flags[xfrm_policy_dir, int8] 343 action flags[xfrm_policy_actions, int8] 344 flags flags[xfrm_policy_flags, int8] 345 share flags[xfrm_policy_shares, int8] 346 } 347 348 xfrm_user_tmpl { 349 id xfrm_id 350 family flags[xfrm_family, int16] 351 saddr xfrm_address_t 352 reqid xfrm_req_id 353 mode flags[xfrm_mode, int8] 354 share flags[xfrm_policy_shares, int8] 355 optional int8 356 aalgos int32 357 ealgos int32 358 calgos int32 359 } 360 361 xfrm_mode = XFRM_MODE_TRANSPORT, XFRM_MODE_TUNNEL, XFRM_MODE_ROUTEOPTIMIZATION, XFRM_MODE_IN_TRIGGER, XFRM_MODE_BEET 362 xfrm_state = XFRM_STATE_NOECN, XFRM_STATE_DECAP_DSCP, XFRM_STATE_NOPMTUDISC, XFRM_STATE_WILDRECV, XFRM_STATE_ICMP, XFRM_STATE_AF_UNSPEC, XFRM_STATE_ALIGN4, XFRM_STATE_ESN 363 xfrm_family = AF_INET, AF_INET6 364 xfrm_proto = IPPROTO_AH, IPPROTO_ESP, IPPROTO_COMP, IPPROTO_DSTOPTS, IPPROTO_ROUTING, IPSEC_PROTO_ANY 365 xfrm_policy_types = XFRM_POLICY_TYPE_MAIN, XFRM_POLICY_TYPE_SUB 366 xfrm_policy_actions = XFRM_POLICY_ALLOW, XFRM_POLICY_BLOCK 367 xfrm_policy_flags = XFRM_POLICY_LOCALOK, XFRM_POLICY_ICMP 368 xfrm_policy_shares = XFRM_SHARE_ANY, XFRM_SHARE_SESSION, XFRM_SHARE_USER, XFRM_SHARE_UNIQUE 369 xfrm_policy_dir = XFRM_POLICY_IN, XFRM_POLICY_OUT, XFRM_POLICY_FWD 370 xfrm_prefixlens = 32, 128 371 xfrm_encap_type = -3, -2, -1, 0, 1, 2, 3