unix: add KEYCTL_RESTRICT_KEYRING capabilities

Asymmetric keyrings can require key payloads to be X.509 certificates signed by a key in a different keyring. This can be helpful for rotating keys on a live machines for subsystems like IMA while preventing local tampering. Tested locally by applying the "key_or_keyring:<id>" restriction to a keyring. Change-Id: Ia8dcb343abc5f405d374c357d5cac3d5181d7159 Reviewed-on: https://go-review.googlesource.com/c/sys/+/178400 Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Tobias Klauser <tobias.klauser@gmail.com>
2026-02-08 11:46:04 +03:00 · 2019-05-21 13:35:56 -07:00
parent 0c1ff786ef
commit ef0ce17483
14 changed files with 418 additions and 0 deletions
--- a/unix/syscall_linux.go
+++ b/unix/syscall_linux.go
@@ -1222,6 +1222,34 @@ func KeyctlDHCompute(params *KeyctlDHParams, buffer []byte) (size int, err error
 	return keyctlDH(KEYCTL_DH_COMPUTE, params, buffer)
 }

+// KeyctlRestrictKeyring implements the KEYCTL_RESTRICT_KEYRING command. This
+// command limits the set of keys that can be linked to the keyring, regardless
+// of keyring permissions. The command requires the "setattr" permission.
+//
+// When called with an empty keyType the command locks the keyring, preventing
+// any further keys from being linked to the keyring.
+//
+// The "asymmetric" keyType defines restrictions requiring key payloads to be
+// DER encoded X.509 certificates signed by keys in another keyring. Restrictions
+// for "asymmetric" include "builtin_trusted", "builtin_and_secondary_trusted",
+// "key_or_keyring:<key>", and "key_or_keyring:<key>:chain".
+//
+// As of Linux 4.12, only the "asymmetric" keyType defines type-specific
+// restrictions.
+//
+// See the full documentation at:
+// http://man7.org/linux/man-pages/man3/keyctl_restrict_keyring.3.html
+// http://man7.org/linux/man-pages/man2/keyctl.2.html
+func KeyctlRestrictKeyring(ringid int, keyType string, restriction string) error {
+	if keyType == "" {
+		return keyctlRestrictKeyring(KEYCTL_RESTRICT_KEYRING, ringid)
+	}
+	return keyctlRestrictKeyringByType(KEYCTL_RESTRICT_KEYRING, ringid, keyType, restriction)
+}
+
+//sys keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) = SYS_KEYCTL
+//sys keyctlRestrictKeyring(cmd int, arg2 int) (err error) = SYS_KEYCTL
+
 func Recvmsg(fd int, p, oob []byte, flags int) (n, oobn int, recvflags int, from Sockaddr, err error) {
 	var msg Msghdr
 	var rsa RawSockaddrAny
--- a/unix/zsyscall_linux_386.go
+++ b/unix/zsyscall_linux_386.go
@@ -305,6 +305,36 @@ func keyctlDH(cmd int, arg2 *KeyctlDHParams, buf []byte) (ret int, err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(keyType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(restriction)
+	if err != nil {
+		return
+	}
+	_, _, e1 := Syscall6(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func keyctlRestrictKeyring(cmd int, arg2 int) (err error) {
+	_, _, e1 := Syscall(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
 	_, _, e1 := Syscall6(SYS_PTRACE, uintptr(request), uintptr(pid), uintptr(addr), uintptr(data), 0, 0)
 	if e1 != 0 {
--- a/unix/zsyscall_linux_amd64.go
+++ b/unix/zsyscall_linux_amd64.go
@@ -305,6 +305,36 @@ func keyctlDH(cmd int, arg2 *KeyctlDHParams, buf []byte) (ret int, err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(keyType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(restriction)
+	if err != nil {
+		return
+	}
+	_, _, e1 := Syscall6(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func keyctlRestrictKeyring(cmd int, arg2 int) (err error) {
+	_, _, e1 := Syscall(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
 	_, _, e1 := Syscall6(SYS_PTRACE, uintptr(request), uintptr(pid), uintptr(addr), uintptr(data), 0, 0)
 	if e1 != 0 {
--- a/unix/zsyscall_linux_arm.go
+++ b/unix/zsyscall_linux_arm.go
@@ -305,6 +305,36 @@ func keyctlDH(cmd int, arg2 *KeyctlDHParams, buf []byte) (ret int, err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(keyType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(restriction)
+	if err != nil {
+		return
+	}
+	_, _, e1 := Syscall6(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func keyctlRestrictKeyring(cmd int, arg2 int) (err error) {
+	_, _, e1 := Syscall(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
 	_, _, e1 := Syscall6(SYS_PTRACE, uintptr(request), uintptr(pid), uintptr(addr), uintptr(data), 0, 0)
 	if e1 != 0 {
--- a/unix/zsyscall_linux_arm64.go
+++ b/unix/zsyscall_linux_arm64.go
@@ -305,6 +305,36 @@ func keyctlDH(cmd int, arg2 *KeyctlDHParams, buf []byte) (ret int, err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(keyType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(restriction)
+	if err != nil {
+		return
+	}
+	_, _, e1 := Syscall6(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func keyctlRestrictKeyring(cmd int, arg2 int) (err error) {
+	_, _, e1 := Syscall(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
 	_, _, e1 := Syscall6(SYS_PTRACE, uintptr(request), uintptr(pid), uintptr(addr), uintptr(data), 0, 0)
 	if e1 != 0 {
--- a/unix/zsyscall_linux_mips.go
+++ b/unix/zsyscall_linux_mips.go
@@ -305,6 +305,36 @@ func keyctlDH(cmd int, arg2 *KeyctlDHParams, buf []byte) (ret int, err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(keyType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(restriction)
+	if err != nil {
+		return
+	}
+	_, _, e1 := Syscall6(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func keyctlRestrictKeyring(cmd int, arg2 int) (err error) {
+	_, _, e1 := Syscall(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
 	_, _, e1 := Syscall6(SYS_PTRACE, uintptr(request), uintptr(pid), uintptr(addr), uintptr(data), 0, 0)
 	if e1 != 0 {
--- a/unix/zsyscall_linux_mips64.go
+++ b/unix/zsyscall_linux_mips64.go
@@ -305,6 +305,36 @@ func keyctlDH(cmd int, arg2 *KeyctlDHParams, buf []byte) (ret int, err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(keyType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(restriction)
+	if err != nil {
+		return
+	}
+	_, _, e1 := Syscall6(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func keyctlRestrictKeyring(cmd int, arg2 int) (err error) {
+	_, _, e1 := Syscall(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
 	_, _, e1 := Syscall6(SYS_PTRACE, uintptr(request), uintptr(pid), uintptr(addr), uintptr(data), 0, 0)
 	if e1 != 0 {
--- a/unix/zsyscall_linux_mips64le.go
+++ b/unix/zsyscall_linux_mips64le.go
@@ -305,6 +305,36 @@ func keyctlDH(cmd int, arg2 *KeyctlDHParams, buf []byte) (ret int, err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(keyType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(restriction)
+	if err != nil {
+		return
+	}
+	_, _, e1 := Syscall6(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func keyctlRestrictKeyring(cmd int, arg2 int) (err error) {
+	_, _, e1 := Syscall(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
 	_, _, e1 := Syscall6(SYS_PTRACE, uintptr(request), uintptr(pid), uintptr(addr), uintptr(data), 0, 0)
 	if e1 != 0 {
--- a/unix/zsyscall_linux_mipsle.go
+++ b/unix/zsyscall_linux_mipsle.go
@@ -305,6 +305,36 @@ func keyctlDH(cmd int, arg2 *KeyctlDHParams, buf []byte) (ret int, err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(keyType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(restriction)
+	if err != nil {
+		return
+	}
+	_, _, e1 := Syscall6(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func keyctlRestrictKeyring(cmd int, arg2 int) (err error) {
+	_, _, e1 := Syscall(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
 	_, _, e1 := Syscall6(SYS_PTRACE, uintptr(request), uintptr(pid), uintptr(addr), uintptr(data), 0, 0)
 	if e1 != 0 {
--- a/unix/zsyscall_linux_ppc64.go
+++ b/unix/zsyscall_linux_ppc64.go
@@ -305,6 +305,36 @@ func keyctlDH(cmd int, arg2 *KeyctlDHParams, buf []byte) (ret int, err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(keyType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(restriction)
+	if err != nil {
+		return
+	}
+	_, _, e1 := Syscall6(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func keyctlRestrictKeyring(cmd int, arg2 int) (err error) {
+	_, _, e1 := Syscall(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
 	_, _, e1 := Syscall6(SYS_PTRACE, uintptr(request), uintptr(pid), uintptr(addr), uintptr(data), 0, 0)
 	if e1 != 0 {
--- a/unix/zsyscall_linux_ppc64le.go
+++ b/unix/zsyscall_linux_ppc64le.go
@@ -305,6 +305,36 @@ func keyctlDH(cmd int, arg2 *KeyctlDHParams, buf []byte) (ret int, err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(keyType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(restriction)
+	if err != nil {
+		return
+	}
+	_, _, e1 := Syscall6(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func keyctlRestrictKeyring(cmd int, arg2 int) (err error) {
+	_, _, e1 := Syscall(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
 	_, _, e1 := Syscall6(SYS_PTRACE, uintptr(request), uintptr(pid), uintptr(addr), uintptr(data), 0, 0)
 	if e1 != 0 {
--- a/unix/zsyscall_linux_riscv64.go
+++ b/unix/zsyscall_linux_riscv64.go
@@ -305,6 +305,36 @@ func keyctlDH(cmd int, arg2 *KeyctlDHParams, buf []byte) (ret int, err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(keyType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(restriction)
+	if err != nil {
+		return
+	}
+	_, _, e1 := Syscall6(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func keyctlRestrictKeyring(cmd int, arg2 int) (err error) {
+	_, _, e1 := Syscall(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
 	_, _, e1 := Syscall6(SYS_PTRACE, uintptr(request), uintptr(pid), uintptr(addr), uintptr(data), 0, 0)
 	if e1 != 0 {
--- a/unix/zsyscall_linux_s390x.go
+++ b/unix/zsyscall_linux_s390x.go
@@ -305,6 +305,36 @@ func keyctlDH(cmd int, arg2 *KeyctlDHParams, buf []byte) (ret int, err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(keyType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(restriction)
+	if err != nil {
+		return
+	}
+	_, _, e1 := Syscall6(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func keyctlRestrictKeyring(cmd int, arg2 int) (err error) {
+	_, _, e1 := Syscall(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
 	_, _, e1 := Syscall6(SYS_PTRACE, uintptr(request), uintptr(pid), uintptr(addr), uintptr(data), 0, 0)
 	if e1 != 0 {
--- a/unix/zsyscall_linux_sparc64.go
+++ b/unix/zsyscall_linux_sparc64.go
@@ -305,6 +305,36 @@ func keyctlDH(cmd int, arg2 *KeyctlDHParams, buf []byte) (ret int, err error) {

 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT

+func keyctlRestrictKeyringByType(cmd int, arg2 int, keyType string, restriction string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(keyType)
+	if err != nil {
+		return
+	}
+	var _p1 *byte
+	_p1, err = BytePtrFromString(restriction)
+	if err != nil {
+		return
+	}
+	_, _, e1 := Syscall6(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), uintptr(unsafe.Pointer(_p0)), uintptr(unsafe.Pointer(_p1)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func keyctlRestrictKeyring(cmd int, arg2 int) (err error) {
+	_, _, e1 := Syscall(SYS_KEYCTL, uintptr(cmd), uintptr(arg2), 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func ptrace(request int, pid int, addr uintptr, data uintptr) (err error) {
 	_, _, e1 := Syscall6(SYS_PTRACE, uintptr(request), uintptr(pid), uintptr(addr), uintptr(data), 0, 0)
 	if e1 != 0 {