Wire formats reference

The byte-level binary formats used to pass data between userspace and kernel — token specs, session specs, security descriptors, conditional ACE bytecode, CAAP policies. This page covers the conventions every format follows and points to the per-format details.

The wire format the caller passes to kacs_create_token to mint a new token, and to kacs_create_session to create a new logon session. This page covers the layout of both, the claim entry format used inside token specs, and the validation rules the kernel applies.

The self-relative binary format used to encode security descriptors everywhere they cross the kernel boundary. This page covers the SD header, the control flags, ACL and ACE binary layouts, and the access mask byte layout.

The byte-level format for conditional ACE expressions and CAAP applies-to expressions. A stack-based postfix bytecode with four attribute namespaces, six value types, and a complete operator catalog. This page covers the encoding for every token, literal, and operator.

The byte-level format for central access policies passed to kacs_set_caap. A versioned bundle of rules, each with an applies-to expression, an effective DACL/SACL, and optional staged variants for testing. This page covers the layout, the rule structure, and the size limits.