Linus Torvalds | 32190f0 | 2017-11-14 11:35:15 -0800 | [diff] [blame] | 1 | /* SPDX-License-Identifier: GPL-2.0 */ |
Eric Biggers | 46f47e4 | 2017-01-24 10:58:06 -0800 | [diff] [blame] | 2 | /* |
Dave Chinner | 734f0d2 | 2017-10-09 12:15:34 -0700 | [diff] [blame] | 3 | * fscrypt.h: declarations for per-file encryption |
| 4 | * |
| 5 | * Filesystems that implement per-file encryption include this header |
| 6 | * file with the __FS_HAS_ENCRYPTION set according to whether that filesystem |
| 7 | * is being built with encryption support or not. |
Eric Biggers | 46f47e4 | 2017-01-24 10:58:06 -0800 | [diff] [blame] | 8 | * |
| 9 | * Copyright (C) 2015, Google, Inc. |
| 10 | * |
| 11 | * Written by Michael Halcrow, 2015. |
| 12 | * Modified by Jaegeuk Kim, 2015. |
| 13 | */ |
Dave Chinner | 734f0d2 | 2017-10-09 12:15:34 -0700 | [diff] [blame] | 14 | #ifndef _LINUX_FSCRYPT_H |
| 15 | #define _LINUX_FSCRYPT_H |
Eric Biggers | 46f47e4 | 2017-01-24 10:58:06 -0800 | [diff] [blame] | 16 | |
Eric Biggers | 46f47e4 | 2017-01-24 10:58:06 -0800 | [diff] [blame] | 17 | #include <linux/fs.h> |
Eric Biggers | 46f47e4 | 2017-01-24 10:58:06 -0800 | [diff] [blame] | 18 | |
| 19 | #define FS_CRYPTO_BLOCK_SIZE 16 |
| 20 | |
Eric Biggers | 542060c | 2018-01-05 10:44:55 -0800 | [diff] [blame] | 21 | struct fscrypt_ctx; |
Zhen Kong | ee7bdc6 | 2019-03-14 10:55:19 -0700 | [diff] [blame^] | 22 | |
| 23 | /* iv sector for security/pfe/pfk_fscrypt.c and f2fs */ |
| 24 | #define PG_DUN(i, p) \ |
| 25 | (((((u64)(i)->i_ino) & 0xffffffff) << 32) | ((p)->index & 0xffffffff)) |
| 26 | |
Eric Biggers | 46f47e4 | 2017-01-24 10:58:06 -0800 | [diff] [blame] | 27 | struct fscrypt_info; |
| 28 | |
Eric Biggers | 46f47e4 | 2017-01-24 10:58:06 -0800 | [diff] [blame] | 29 | struct fscrypt_str { |
| 30 | unsigned char *name; |
| 31 | u32 len; |
| 32 | }; |
| 33 | |
| 34 | struct fscrypt_name { |
| 35 | const struct qstr *usr_fname; |
| 36 | struct fscrypt_str disk_name; |
| 37 | u32 hash; |
| 38 | u32 minor_hash; |
| 39 | struct fscrypt_str crypto_buf; |
| 40 | }; |
| 41 | |
| 42 | #define FSTR_INIT(n, l) { .name = n, .len = l } |
| 43 | #define FSTR_TO_QSTR(f) QSTR_INIT((f)->name, (f)->len) |
| 44 | #define fname_name(p) ((p)->disk_name.name) |
| 45 | #define fname_len(p) ((p)->disk_name.len) |
| 46 | |
Tahsin Erdogan | af65207 | 2017-07-06 00:01:59 -0400 | [diff] [blame] | 47 | /* Maximum value for the third parameter of fscrypt_operations.set_context(). */ |
| 48 | #define FSCRYPT_SET_CONTEXT_MAX_SIZE 28 |
| 49 | |
Dave Chinner | 734f0d2 | 2017-10-09 12:15:34 -0700 | [diff] [blame] | 50 | #if __FS_HAS_ENCRYPTION |
Dave Chinner | 734f0d2 | 2017-10-09 12:15:34 -0700 | [diff] [blame] | 51 | #include <linux/fscrypt_supp.h> |
Eric Biggers | 4fd4b15 | 2018-01-05 10:44:53 -0800 | [diff] [blame] | 52 | #else |
Dave Chinner | 734f0d2 | 2017-10-09 12:15:34 -0700 | [diff] [blame] | 53 | #include <linux/fscrypt_notsupp.h> |
Eric Biggers | 4fd4b15 | 2018-01-05 10:44:53 -0800 | [diff] [blame] | 54 | #endif |
Dave Chinner | 734f0d2 | 2017-10-09 12:15:34 -0700 | [diff] [blame] | 55 | |
Eric Biggers | d293c3e | 2017-10-09 12:15:39 -0700 | [diff] [blame] | 56 | /** |
| 57 | * fscrypt_require_key - require an inode's encryption key |
| 58 | * @inode: the inode we need the key for |
| 59 | * |
| 60 | * If the inode is encrypted, set up its encryption key if not already done. |
| 61 | * Then require that the key be present and return -ENOKEY otherwise. |
| 62 | * |
| 63 | * No locks are needed, and the key will live as long as the struct inode --- so |
| 64 | * it won't go away from under you. |
| 65 | * |
| 66 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code |
| 67 | * if a problem occurred while setting up the encryption key. |
| 68 | */ |
| 69 | static inline int fscrypt_require_key(struct inode *inode) |
| 70 | { |
| 71 | if (IS_ENCRYPTED(inode)) { |
| 72 | int err = fscrypt_get_encryption_info(inode); |
| 73 | |
| 74 | if (err) |
| 75 | return err; |
| 76 | if (!fscrypt_has_encryption_key(inode)) |
| 77 | return -ENOKEY; |
| 78 | } |
| 79 | return 0; |
| 80 | } |
Dave Chinner | 734f0d2 | 2017-10-09 12:15:34 -0700 | [diff] [blame] | 81 | |
Eric Biggers | 0ea87a9 | 2017-10-09 12:15:41 -0700 | [diff] [blame] | 82 | /** |
| 83 | * fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory |
| 84 | * @old_dentry: an existing dentry for the inode being linked |
| 85 | * @dir: the target directory |
| 86 | * @dentry: negative dentry for the target filename |
| 87 | * |
| 88 | * A new link can only be added to an encrypted directory if the directory's |
| 89 | * encryption key is available --- since otherwise we'd have no way to encrypt |
| 90 | * the filename. Therefore, we first set up the directory's encryption key (if |
| 91 | * not already done) and return an error if it's unavailable. |
| 92 | * |
| 93 | * We also verify that the link will not violate the constraint that all files |
| 94 | * in an encrypted directory tree use the same encryption policy. |
| 95 | * |
| 96 | * Return: 0 on success, -ENOKEY if the directory's encryption key is missing, |
| 97 | * -EPERM if the link would result in an inconsistent encryption policy, or |
| 98 | * another -errno code. |
| 99 | */ |
| 100 | static inline int fscrypt_prepare_link(struct dentry *old_dentry, |
| 101 | struct inode *dir, |
| 102 | struct dentry *dentry) |
| 103 | { |
| 104 | if (IS_ENCRYPTED(dir)) |
| 105 | return __fscrypt_prepare_link(d_inode(old_dentry), dir); |
| 106 | return 0; |
| 107 | } |
| 108 | |
Eric Biggers | 94b26f3 | 2017-10-09 12:15:42 -0700 | [diff] [blame] | 109 | /** |
| 110 | * fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories |
| 111 | * @old_dir: source directory |
| 112 | * @old_dentry: dentry for source file |
| 113 | * @new_dir: target directory |
| 114 | * @new_dentry: dentry for target location (may be negative unless exchanging) |
| 115 | * @flags: rename flags (we care at least about %RENAME_EXCHANGE) |
| 116 | * |
| 117 | * Prepare for ->rename() where the source and/or target directories may be |
| 118 | * encrypted. A new link can only be added to an encrypted directory if the |
| 119 | * directory's encryption key is available --- since otherwise we'd have no way |
| 120 | * to encrypt the filename. A rename to an existing name, on the other hand, |
| 121 | * *is* cryptographically possible without the key. However, we take the more |
| 122 | * conservative approach and just forbid all no-key renames. |
| 123 | * |
| 124 | * We also verify that the rename will not violate the constraint that all files |
| 125 | * in an encrypted directory tree use the same encryption policy. |
| 126 | * |
| 127 | * Return: 0 on success, -ENOKEY if an encryption key is missing, -EPERM if the |
| 128 | * rename would cause inconsistent encryption policies, or another -errno code. |
| 129 | */ |
| 130 | static inline int fscrypt_prepare_rename(struct inode *old_dir, |
| 131 | struct dentry *old_dentry, |
| 132 | struct inode *new_dir, |
| 133 | struct dentry *new_dentry, |
| 134 | unsigned int flags) |
| 135 | { |
| 136 | if (IS_ENCRYPTED(old_dir) || IS_ENCRYPTED(new_dir)) |
| 137 | return __fscrypt_prepare_rename(old_dir, old_dentry, |
| 138 | new_dir, new_dentry, flags); |
| 139 | return 0; |
| 140 | } |
| 141 | |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 142 | /** |
| 143 | * fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory |
| 144 | * @dir: directory being searched |
| 145 | * @dentry: filename being looked up |
| 146 | * @flags: lookup flags |
| 147 | * |
| 148 | * Prepare for ->lookup() in a directory which may be encrypted. Lookups can be |
| 149 | * done with or without the directory's encryption key; without the key, |
| 150 | * filenames are presented in encrypted form. Therefore, we'll try to set up |
| 151 | * the directory's encryption key, but even without it the lookup can continue. |
| 152 | * |
| 153 | * To allow invalidating stale dentries if the directory's encryption key is |
| 154 | * added later, we also install a custom ->d_revalidate() method and use the |
| 155 | * DCACHE_ENCRYPTED_WITH_KEY flag to indicate whether a given dentry is a |
| 156 | * plaintext name (flag set) or a ciphertext name (flag cleared). |
| 157 | * |
| 158 | * Return: 0 on success, -errno if a problem occurred while setting up the |
| 159 | * encryption key |
| 160 | */ |
| 161 | static inline int fscrypt_prepare_lookup(struct inode *dir, |
| 162 | struct dentry *dentry, |
| 163 | unsigned int flags) |
| 164 | { |
| 165 | if (IS_ENCRYPTED(dir)) |
| 166 | return __fscrypt_prepare_lookup(dir, dentry); |
| 167 | return 0; |
| 168 | } |
| 169 | |
Eric Biggers | 815dac3 | 2017-10-09 12:15:44 -0700 | [diff] [blame] | 170 | /** |
| 171 | * fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes |
| 172 | * @dentry: dentry through which the inode is being changed |
| 173 | * @attr: attributes to change |
| 174 | * |
| 175 | * Prepare for ->setattr() on a possibly-encrypted inode. On an encrypted file, |
| 176 | * most attribute changes are allowed even without the encryption key. However, |
| 177 | * without the encryption key we do have to forbid truncates. This is needed |
| 178 | * because the size being truncated to may not be a multiple of the filesystem |
| 179 | * block size, and in that case we'd have to decrypt the final block, zero the |
| 180 | * portion past i_size, and re-encrypt it. (We *could* allow truncating to a |
| 181 | * filesystem block boundary, but it's simpler to just forbid all truncates --- |
| 182 | * and we already forbid all other contents modifications without the key.) |
| 183 | * |
| 184 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code |
| 185 | * if a problem occurred while setting up the encryption key. |
| 186 | */ |
| 187 | static inline int fscrypt_prepare_setattr(struct dentry *dentry, |
| 188 | struct iattr *attr) |
| 189 | { |
| 190 | if (attr->ia_valid & ATTR_SIZE) |
| 191 | return fscrypt_require_key(d_inode(dentry)); |
| 192 | return 0; |
| 193 | } |
| 194 | |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 195 | /** |
| 196 | * fscrypt_prepare_symlink - prepare to create a possibly-encrypted symlink |
| 197 | * @dir: directory in which the symlink is being created |
| 198 | * @target: plaintext symlink target |
| 199 | * @len: length of @target excluding null terminator |
| 200 | * @max_len: space the filesystem has available to store the symlink target |
| 201 | * @disk_link: (out) the on-disk symlink target being prepared |
| 202 | * |
| 203 | * This function computes the size the symlink target will require on-disk, |
| 204 | * stores it in @disk_link->len, and validates it against @max_len. An |
| 205 | * encrypted symlink may be longer than the original. |
| 206 | * |
| 207 | * Additionally, @disk_link->name is set to @target if the symlink will be |
| 208 | * unencrypted, but left NULL if the symlink will be encrypted. For encrypted |
| 209 | * symlinks, the filesystem must call fscrypt_encrypt_symlink() to create the |
| 210 | * on-disk target later. (The reason for the two-step process is that some |
| 211 | * filesystems need to know the size of the symlink target before creating the |
| 212 | * inode, e.g. to determine whether it will be a "fast" or "slow" symlink.) |
| 213 | * |
| 214 | * Return: 0 on success, -ENAMETOOLONG if the symlink target is too long, |
| 215 | * -ENOKEY if the encryption key is missing, or another -errno code if a problem |
| 216 | * occurred while setting up the encryption key. |
| 217 | */ |
| 218 | static inline int fscrypt_prepare_symlink(struct inode *dir, |
| 219 | const char *target, |
| 220 | unsigned int len, |
| 221 | unsigned int max_len, |
| 222 | struct fscrypt_str *disk_link) |
| 223 | { |
| 224 | if (IS_ENCRYPTED(dir) || fscrypt_dummy_context_enabled(dir)) |
| 225 | return __fscrypt_prepare_symlink(dir, len, max_len, disk_link); |
| 226 | |
| 227 | disk_link->name = (unsigned char *)target; |
| 228 | disk_link->len = len + 1; |
| 229 | if (disk_link->len > max_len) |
| 230 | return -ENAMETOOLONG; |
| 231 | return 0; |
| 232 | } |
| 233 | |
| 234 | /** |
| 235 | * fscrypt_encrypt_symlink - encrypt the symlink target if needed |
| 236 | * @inode: symlink inode |
| 237 | * @target: plaintext symlink target |
| 238 | * @len: length of @target excluding null terminator |
| 239 | * @disk_link: (in/out) the on-disk symlink target being prepared |
| 240 | * |
| 241 | * If the symlink target needs to be encrypted, then this function encrypts it |
| 242 | * into @disk_link->name. fscrypt_prepare_symlink() must have been called |
| 243 | * previously to compute @disk_link->len. If the filesystem did not allocate a |
| 244 | * buffer for @disk_link->name after calling fscrypt_prepare_link(), then one |
| 245 | * will be kmalloc()'ed and the filesystem will be responsible for freeing it. |
| 246 | * |
| 247 | * Return: 0 on success, -errno on failure |
| 248 | */ |
| 249 | static inline int fscrypt_encrypt_symlink(struct inode *inode, |
| 250 | const char *target, |
| 251 | unsigned int len, |
| 252 | struct fscrypt_str *disk_link) |
| 253 | { |
| 254 | if (IS_ENCRYPTED(inode)) |
| 255 | return __fscrypt_encrypt_symlink(inode, target, len, disk_link); |
| 256 | return 0; |
| 257 | } |
| 258 | |
Dave Chinner | 734f0d2 | 2017-10-09 12:15:34 -0700 | [diff] [blame] | 259 | #endif /* _LINUX_FSCRYPT_H */ |