Jaegeuk Kim | 8dec074 | 2017-06-22 12:14:40 -0700 | [diff] [blame] | 1 | /* |
| 2 | * fscrypt.h: declarations for per-file encryption |
| 3 | * |
| 4 | * Filesystems that implement per-file encryption include this header |
| 5 | * file with the __FS_HAS_ENCRYPTION set according to whether that filesystem |
| 6 | * is being built with encryption support or not. |
| 7 | * |
| 8 | * Copyright (C) 2015, Google, Inc. |
| 9 | * |
| 10 | * Written by Michael Halcrow, 2015. |
| 11 | * Modified by Jaegeuk Kim, 2015. |
| 12 | */ |
| 13 | #ifndef _LINUX_FSCRYPT_H |
| 14 | #define _LINUX_FSCRYPT_H |
| 15 | |
| 16 | #include <linux/key.h> |
| 17 | #include <linux/fs.h> |
| 18 | #include <linux/mm.h> |
| 19 | #include <linux/bio.h> |
| 20 | #include <linux/dcache.h> |
| 21 | #include <crypto/skcipher.h> |
| 22 | #include <uapi/linux/fs.h> |
| 23 | |
| 24 | #define FS_CRYPTO_BLOCK_SIZE 16 |
| 25 | |
| 26 | struct fscrypt_info; |
| 27 | |
| 28 | struct fscrypt_ctx { |
| 29 | union { |
| 30 | struct { |
| 31 | struct page *bounce_page; /* Ciphertext page */ |
| 32 | struct page *control_page; /* Original page */ |
| 33 | } w; |
| 34 | struct { |
| 35 | struct bio *bio; |
| 36 | struct work_struct work; |
| 37 | } r; |
| 38 | struct list_head free_list; /* Free list */ |
| 39 | }; |
| 40 | u8 flags; /* Flags */ |
| 41 | }; |
| 42 | |
| 43 | /** |
| 44 | * For encrypted symlinks, the ciphertext length is stored at the beginning |
| 45 | * of the string in little-endian format. |
| 46 | */ |
| 47 | struct fscrypt_symlink_data { |
| 48 | __le16 len; |
| 49 | char encrypted_path[1]; |
| 50 | } __packed; |
| 51 | |
| 52 | struct fscrypt_str { |
| 53 | unsigned char *name; |
| 54 | u32 len; |
| 55 | }; |
| 56 | |
| 57 | struct fscrypt_name { |
| 58 | const struct qstr *usr_fname; |
| 59 | struct fscrypt_str disk_name; |
| 60 | u32 hash; |
| 61 | u32 minor_hash; |
| 62 | struct fscrypt_str crypto_buf; |
| 63 | }; |
| 64 | |
| 65 | #define FSTR_INIT(n, l) { .name = n, .len = l } |
| 66 | #define FSTR_TO_QSTR(f) QSTR_INIT((f)->name, (f)->len) |
| 67 | #define fname_name(p) ((p)->disk_name.name) |
| 68 | #define fname_len(p) ((p)->disk_name.len) |
| 69 | |
| 70 | /* |
| 71 | * fscrypt superblock flags |
| 72 | */ |
| 73 | #define FS_CFLG_OWN_PAGES (1U << 1) |
| 74 | |
| 75 | /* |
| 76 | * crypto opertions for filesystems |
| 77 | */ |
| 78 | struct fscrypt_operations { |
| 79 | unsigned int flags; |
| 80 | const char *key_prefix; |
| 81 | int (*get_context)(struct inode *, void *, size_t); |
| 82 | int (*set_context)(struct inode *, const void *, size_t, void *); |
| 83 | bool (*dummy_context)(struct inode *); |
| 84 | bool (*empty_dir)(struct inode *); |
| 85 | unsigned (*max_namelen)(struct inode *); |
| 86 | }; |
| 87 | |
| 88 | static inline bool fscrypt_dummy_context_enabled(struct inode *inode) |
| 89 | { |
| 90 | if (inode->i_sb->s_cop->dummy_context && |
| 91 | inode->i_sb->s_cop->dummy_context(inode)) |
| 92 | return true; |
| 93 | return false; |
| 94 | } |
| 95 | |
| 96 | static inline bool fscrypt_valid_enc_modes(u32 contents_mode, |
| 97 | u32 filenames_mode) |
| 98 | { |
| 99 | if (contents_mode == FS_ENCRYPTION_MODE_AES_128_CBC && |
| 100 | filenames_mode == FS_ENCRYPTION_MODE_AES_128_CTS) |
| 101 | return true; |
| 102 | |
| 103 | if (contents_mode == FS_ENCRYPTION_MODE_AES_256_XTS && |
| 104 | filenames_mode == FS_ENCRYPTION_MODE_AES_256_CTS) |
| 105 | return true; |
| 106 | |
| 107 | return false; |
| 108 | } |
| 109 | |
| 110 | static inline bool fscrypt_is_dot_dotdot(const struct qstr *str) |
| 111 | { |
| 112 | if (str->len == 1 && str->name[0] == '.') |
| 113 | return true; |
| 114 | |
| 115 | if (str->len == 2 && str->name[0] == '.' && str->name[1] == '.') |
| 116 | return true; |
| 117 | |
| 118 | return false; |
| 119 | } |
| 120 | |
| 121 | #if __FS_HAS_ENCRYPTION |
| 122 | |
| 123 | static inline struct page *fscrypt_control_page(struct page *page) |
| 124 | { |
| 125 | return ((struct fscrypt_ctx *)page_private(page))->w.control_page; |
| 126 | } |
| 127 | |
| 128 | static inline bool fscrypt_has_encryption_key(const struct inode *inode) |
| 129 | { |
| 130 | return (inode->i_crypt_info != NULL); |
| 131 | } |
| 132 | |
| 133 | #include <linux/fscrypt_supp.h> |
| 134 | |
| 135 | #else /* !__FS_HAS_ENCRYPTION */ |
| 136 | |
| 137 | static inline struct page *fscrypt_control_page(struct page *page) |
| 138 | { |
| 139 | WARN_ON_ONCE(1); |
| 140 | return ERR_PTR(-EINVAL); |
| 141 | } |
| 142 | |
| 143 | static inline bool fscrypt_has_encryption_key(const struct inode *inode) |
| 144 | { |
| 145 | return 0; |
| 146 | } |
| 147 | |
| 148 | #include <linux/fscrypt_notsupp.h> |
| 149 | #endif /* __FS_HAS_ENCRYPTION */ |
| 150 | |
| 151 | /** |
| 152 | * fscrypt_require_key - require an inode's encryption key |
| 153 | * @inode: the inode we need the key for |
| 154 | * |
| 155 | * If the inode is encrypted, set up its encryption key if not already done. |
| 156 | * Then require that the key be present and return -ENOKEY otherwise. |
| 157 | * |
| 158 | * No locks are needed, and the key will live as long as the struct inode --- so |
| 159 | * it won't go away from under you. |
| 160 | * |
| 161 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code |
| 162 | * if a problem occurred while setting up the encryption key. |
| 163 | */ |
| 164 | static inline int fscrypt_require_key(struct inode *inode) |
| 165 | { |
| 166 | if (IS_ENCRYPTED(inode)) { |
| 167 | int err = fscrypt_get_encryption_info(inode); |
| 168 | |
| 169 | if (err) |
| 170 | return err; |
| 171 | if (!fscrypt_has_encryption_key(inode)) |
| 172 | return -ENOKEY; |
| 173 | } |
| 174 | return 0; |
| 175 | } |
| 176 | |
| 177 | /** |
| 178 | * fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory |
| 179 | * @old_dentry: an existing dentry for the inode being linked |
| 180 | * @dir: the target directory |
| 181 | * @dentry: negative dentry for the target filename |
| 182 | * |
| 183 | * A new link can only be added to an encrypted directory if the directory's |
| 184 | * encryption key is available --- since otherwise we'd have no way to encrypt |
| 185 | * the filename. Therefore, we first set up the directory's encryption key (if |
| 186 | * not already done) and return an error if it's unavailable. |
| 187 | * |
| 188 | * We also verify that the link will not violate the constraint that all files |
| 189 | * in an encrypted directory tree use the same encryption policy. |
| 190 | * |
| 191 | * Return: 0 on success, -ENOKEY if the directory's encryption key is missing, |
| 192 | * -EPERM if the link would result in an inconsistent encryption policy, or |
| 193 | * another -errno code. |
| 194 | */ |
| 195 | static inline int fscrypt_prepare_link(struct dentry *old_dentry, |
| 196 | struct inode *dir, |
| 197 | struct dentry *dentry) |
| 198 | { |
| 199 | if (IS_ENCRYPTED(dir)) |
| 200 | return __fscrypt_prepare_link(d_inode(old_dentry), dir); |
| 201 | return 0; |
| 202 | } |
| 203 | |
| 204 | /** |
| 205 | * fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories |
| 206 | * @old_dir: source directory |
| 207 | * @old_dentry: dentry for source file |
| 208 | * @new_dir: target directory |
| 209 | * @new_dentry: dentry for target location (may be negative unless exchanging) |
| 210 | * @flags: rename flags (we care at least about %RENAME_EXCHANGE) |
| 211 | * |
| 212 | * Prepare for ->rename() where the source and/or target directories may be |
| 213 | * encrypted. A new link can only be added to an encrypted directory if the |
| 214 | * directory's encryption key is available --- since otherwise we'd have no way |
| 215 | * to encrypt the filename. A rename to an existing name, on the other hand, |
| 216 | * *is* cryptographically possible without the key. However, we take the more |
| 217 | * conservative approach and just forbid all no-key renames. |
| 218 | * |
| 219 | * We also verify that the rename will not violate the constraint that all files |
| 220 | * in an encrypted directory tree use the same encryption policy. |
| 221 | * |
| 222 | * Return: 0 on success, -ENOKEY if an encryption key is missing, -EPERM if the |
| 223 | * rename would cause inconsistent encryption policies, or another -errno code. |
| 224 | */ |
| 225 | static inline int fscrypt_prepare_rename(struct inode *old_dir, |
| 226 | struct dentry *old_dentry, |
| 227 | struct inode *new_dir, |
| 228 | struct dentry *new_dentry, |
| 229 | unsigned int flags) |
| 230 | { |
| 231 | if (IS_ENCRYPTED(old_dir) || IS_ENCRYPTED(new_dir)) |
| 232 | return __fscrypt_prepare_rename(old_dir, old_dentry, |
| 233 | new_dir, new_dentry, flags); |
| 234 | return 0; |
| 235 | } |
| 236 | |
| 237 | /** |
| 238 | * fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory |
| 239 | * @dir: directory being searched |
| 240 | * @dentry: filename being looked up |
| 241 | * @flags: lookup flags |
| 242 | * |
| 243 | * Prepare for ->lookup() in a directory which may be encrypted. Lookups can be |
| 244 | * done with or without the directory's encryption key; without the key, |
| 245 | * filenames are presented in encrypted form. Therefore, we'll try to set up |
| 246 | * the directory's encryption key, but even without it the lookup can continue. |
| 247 | * |
| 248 | * To allow invalidating stale dentries if the directory's encryption key is |
| 249 | * added later, we also install a custom ->d_revalidate() method and use the |
| 250 | * DCACHE_ENCRYPTED_WITH_KEY flag to indicate whether a given dentry is a |
| 251 | * plaintext name (flag set) or a ciphertext name (flag cleared). |
| 252 | * |
| 253 | * Return: 0 on success, -errno if a problem occurred while setting up the |
| 254 | * encryption key |
| 255 | */ |
| 256 | static inline int fscrypt_prepare_lookup(struct inode *dir, |
| 257 | struct dentry *dentry, |
| 258 | unsigned int flags) |
| 259 | { |
| 260 | if (IS_ENCRYPTED(dir)) |
| 261 | return __fscrypt_prepare_lookup(dir, dentry); |
| 262 | return 0; |
| 263 | } |
| 264 | |
| 265 | /** |
| 266 | * fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes |
| 267 | * @dentry: dentry through which the inode is being changed |
| 268 | * @attr: attributes to change |
| 269 | * |
| 270 | * Prepare for ->setattr() on a possibly-encrypted inode. On an encrypted file, |
| 271 | * most attribute changes are allowed even without the encryption key. However, |
| 272 | * without the encryption key we do have to forbid truncates. This is needed |
| 273 | * because the size being truncated to may not be a multiple of the filesystem |
| 274 | * block size, and in that case we'd have to decrypt the final block, zero the |
| 275 | * portion past i_size, and re-encrypt it. (We *could* allow truncating to a |
| 276 | * filesystem block boundary, but it's simpler to just forbid all truncates --- |
| 277 | * and we already forbid all other contents modifications without the key.) |
| 278 | * |
| 279 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code |
| 280 | * if a problem occurred while setting up the encryption key. |
| 281 | */ |
| 282 | static inline int fscrypt_prepare_setattr(struct dentry *dentry, |
| 283 | struct iattr *attr) |
| 284 | { |
| 285 | if (attr->ia_valid & ATTR_SIZE) |
| 286 | return fscrypt_require_key(d_inode(dentry)); |
| 287 | return 0; |
| 288 | } |
| 289 | |
| 290 | #endif /* _LINUX_FSCRYPT_H */ |