| policy.c (66da65005aa819e0b8d3a08f5ec1491b7690cb67) | policy.c (6b2a51ff03bf0c54cbc699ee85a9a49eb203ebfc) |
|---|---|
| 1// SPDX-License-Identifier: GPL-2.0 2/* 3 * Encryption policy functions for per-file encryption support. 4 * 5 * Copyright (C) 2015, Google, Inc. 6 * Copyright (C) 2015, Motorola Mobility. 7 * 8 * Originally written by Michael Halcrow, 2015. 9 * Modified by Jaegeuk Kim, 2015. 10 * Modified by Eric Biggers, 2019 for v2 policy support. 11 */ 12 13#include <linux/fs_context.h> 14#include <linux/random.h> 15#include <linux/seq_file.h> 16#include <linux/string.h> 17#include <linux/mount.h> 18#include "fscrypt_private.h" 19 20/** 21 * fscrypt_policies_equal() - check whether two encryption policies are the same 22 * @policy1: the first policy 23 * @policy2: the second policy 24 * 25 * Return: %true if equal, else %false 26 */ 27bool fscrypt_policies_equal(const union fscrypt_policy *policy1, 28 const union fscrypt_policy *policy2) 29{ 30 if (policy1->version != policy2->version) 31 return false; 32 33 return !memcmp(policy1, policy2, fscrypt_policy_size(policy1)); 34} 35 36int fscrypt_policy_to_key_spec(const union fscrypt_policy *policy, 37 struct fscrypt_key_specifier *key_spec) 38{ 39 switch (policy->version) { 40 case FSCRYPT_POLICY_V1: 41 key_spec->type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR; 42 memcpy(key_spec->u.descriptor, policy->v1.master_key_descriptor, 43 FSCRYPT_KEY_DESCRIPTOR_SIZE); 44 return 0; 45 case FSCRYPT_POLICY_V2: 46 key_spec->type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER; 47 memcpy(key_spec->u.identifier, policy->v2.master_key_identifier, 48 FSCRYPT_KEY_IDENTIFIER_SIZE); 49 return 0; 50 default: 51 WARN_ON(1); 52 return -EINVAL; 53 } 54} 55 56static const union fscrypt_policy * 57fscrypt_get_dummy_policy(struct super_block *sb) 58{ 59 if (!sb->s_cop->get_dummy_policy) 60 return NULL; 61 return sb->s_cop->get_dummy_policy(sb); 62} 63 | 1// SPDX-License-Identifier: GPL-2.0 2/* 3 * Encryption policy functions for per-file encryption support. 4 * 5 * Copyright (C) 2015, Google, Inc. 6 * Copyright (C) 2015, Motorola Mobility. 7 * 8 * Originally written by Michael Halcrow, 2015. 9 * Modified by Jaegeuk Kim, 2015. 10 * Modified by Eric Biggers, 2019 for v2 policy support. 11 */ 12 13#include <linux/fs_context.h> 14#include <linux/random.h> 15#include <linux/seq_file.h> 16#include <linux/string.h> 17#include <linux/mount.h> 18#include "fscrypt_private.h" 19 20/** 21 * fscrypt_policies_equal() - check whether two encryption policies are the same 22 * @policy1: the first policy 23 * @policy2: the second policy 24 * 25 * Return: %true if equal, else %false 26 */ 27bool fscrypt_policies_equal(const union fscrypt_policy *policy1, 28 const union fscrypt_policy *policy2) 29{ 30 if (policy1->version != policy2->version) 31 return false; 32 33 return !memcmp(policy1, policy2, fscrypt_policy_size(policy1)); 34} 35 36int fscrypt_policy_to_key_spec(const union fscrypt_policy *policy, 37 struct fscrypt_key_specifier *key_spec) 38{ 39 switch (policy->version) { 40 case FSCRYPT_POLICY_V1: 41 key_spec->type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR; 42 memcpy(key_spec->u.descriptor, policy->v1.master_key_descriptor, 43 FSCRYPT_KEY_DESCRIPTOR_SIZE); 44 return 0; 45 case FSCRYPT_POLICY_V2: 46 key_spec->type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER; 47 memcpy(key_spec->u.identifier, policy->v2.master_key_identifier, 48 FSCRYPT_KEY_IDENTIFIER_SIZE); 49 return 0; 50 default: 51 WARN_ON(1); 52 return -EINVAL; 53 } 54} 55 56static const union fscrypt_policy * 57fscrypt_get_dummy_policy(struct super_block *sb) 58{ 59 if (!sb->s_cop->get_dummy_policy) 60 return NULL; 61 return sb->s_cop->get_dummy_policy(sb); 62} 63 |
| 64static bool fscrypt_valid_enc_modes(u32 contents_mode, u32 filenames_mode) | 64static bool fscrypt_valid_enc_modes_v1(u32 contents_mode, u32 filenames_mode) |
| 65{ 66 if (contents_mode == FSCRYPT_MODE_AES_256_XTS && 67 filenames_mode == FSCRYPT_MODE_AES_256_CTS) 68 return true; 69 70 if (contents_mode == FSCRYPT_MODE_AES_128_CBC && 71 filenames_mode == FSCRYPT_MODE_AES_128_CTS) 72 return true; 73 74 if (contents_mode == FSCRYPT_MODE_ADIANTUM && 75 filenames_mode == FSCRYPT_MODE_ADIANTUM) 76 return true; 77 78 return false; 79} 80 | 65{ 66 if (contents_mode == FSCRYPT_MODE_AES_256_XTS && 67 filenames_mode == FSCRYPT_MODE_AES_256_CTS) 68 return true; 69 70 if (contents_mode == FSCRYPT_MODE_AES_128_CBC && 71 filenames_mode == FSCRYPT_MODE_AES_128_CTS) 72 return true; 73 74 if (contents_mode == FSCRYPT_MODE_ADIANTUM && 75 filenames_mode == FSCRYPT_MODE_ADIANTUM) 76 return true; 77 78 return false; 79} 80 |
| 81static bool fscrypt_valid_enc_modes_v2(u32 contents_mode, u32 filenames_mode) 82{ 83 if (contents_mode == FSCRYPT_MODE_AES_256_XTS && 84 filenames_mode == FSCRYPT_MODE_AES_256_HCTR2) 85 return true; 86 return fscrypt_valid_enc_modes_v1(contents_mode, filenames_mode); 87} 88 |
|
| 81static bool supported_direct_key_modes(const struct inode *inode, 82 u32 contents_mode, u32 filenames_mode) 83{ 84 const struct fscrypt_mode *mode; 85 86 if (contents_mode != filenames_mode) { 87 fscrypt_warn(inode, 88 "Direct key flag not allowed with different contents and filenames modes"); 89 return false; 90 } 91 mode = &fscrypt_modes[contents_mode]; 92 93 if (mode->ivsize < offsetofend(union fscrypt_iv, nonce)) { 94 fscrypt_warn(inode, "Direct key flag not allowed with %s", 95 mode->friendly_name); 96 return false; 97 } 98 return true; 99} 100 101static bool supported_iv_ino_lblk_policy(const struct fscrypt_policy_v2 *policy, 102 const struct inode *inode, 103 const char *type, 104 int max_ino_bits, int max_lblk_bits) 105{ 106 struct super_block *sb = inode->i_sb; 107 int ino_bits = 64, lblk_bits = 64; 108 109 /* 110 * IV_INO_LBLK_* exist only because of hardware limitations, and 111 * currently the only known use case for them involves AES-256-XTS. 112 * That's also all we test currently. For these reasons, for now only 113 * allow AES-256-XTS here. This can be relaxed later if a use case for 114 * IV_INO_LBLK_* with other encryption modes arises. 115 */ 116 if (policy->contents_encryption_mode != FSCRYPT_MODE_AES_256_XTS) { 117 fscrypt_warn(inode, 118 "Can't use %s policy with contents mode other than AES-256-XTS", 119 type); 120 return false; 121 } 122 123 /* 124 * It's unsafe to include inode numbers in the IVs if the filesystem can 125 * potentially renumber inodes, e.g. via filesystem shrinking. 126 */ 127 if (!sb->s_cop->has_stable_inodes || 128 !sb->s_cop->has_stable_inodes(sb)) { 129 fscrypt_warn(inode, 130 "Can't use %s policy on filesystem '%s' because it doesn't have stable inode numbers", 131 type, sb->s_id); 132 return false; 133 } 134 if (sb->s_cop->get_ino_and_lblk_bits) 135 sb->s_cop->get_ino_and_lblk_bits(sb, &ino_bits, &lblk_bits); 136 if (ino_bits > max_ino_bits) { 137 fscrypt_warn(inode, 138 "Can't use %s policy on filesystem '%s' because its inode numbers are too long", 139 type, sb->s_id); 140 return false; 141 } 142 if (lblk_bits > max_lblk_bits) { 143 fscrypt_warn(inode, 144 "Can't use %s policy on filesystem '%s' because its block numbers are too long", 145 type, sb->s_id); 146 return false; 147 } 148 return true; 149} 150 151static bool fscrypt_supported_v1_policy(const struct fscrypt_policy_v1 *policy, 152 const struct inode *inode) 153{ | 89static bool supported_direct_key_modes(const struct inode *inode, 90 u32 contents_mode, u32 filenames_mode) 91{ 92 const struct fscrypt_mode *mode; 93 94 if (contents_mode != filenames_mode) { 95 fscrypt_warn(inode, 96 "Direct key flag not allowed with different contents and filenames modes"); 97 return false; 98 } 99 mode = &fscrypt_modes[contents_mode]; 100 101 if (mode->ivsize < offsetofend(union fscrypt_iv, nonce)) { 102 fscrypt_warn(inode, "Direct key flag not allowed with %s", 103 mode->friendly_name); 104 return false; 105 } 106 return true; 107} 108 109static bool supported_iv_ino_lblk_policy(const struct fscrypt_policy_v2 *policy, 110 const struct inode *inode, 111 const char *type, 112 int max_ino_bits, int max_lblk_bits) 113{ 114 struct super_block *sb = inode->i_sb; 115 int ino_bits = 64, lblk_bits = 64; 116 117 /* 118 * IV_INO_LBLK_* exist only because of hardware limitations, and 119 * currently the only known use case for them involves AES-256-XTS. 120 * That's also all we test currently. For these reasons, for now only 121 * allow AES-256-XTS here. This can be relaxed later if a use case for 122 * IV_INO_LBLK_* with other encryption modes arises. 123 */ 124 if (policy->contents_encryption_mode != FSCRYPT_MODE_AES_256_XTS) { 125 fscrypt_warn(inode, 126 "Can't use %s policy with contents mode other than AES-256-XTS", 127 type); 128 return false; 129 } 130 131 /* 132 * It's unsafe to include inode numbers in the IVs if the filesystem can 133 * potentially renumber inodes, e.g. via filesystem shrinking. 134 */ 135 if (!sb->s_cop->has_stable_inodes || 136 !sb->s_cop->has_stable_inodes(sb)) { 137 fscrypt_warn(inode, 138 "Can't use %s policy on filesystem '%s' because it doesn't have stable inode numbers", 139 type, sb->s_id); 140 return false; 141 } 142 if (sb->s_cop->get_ino_and_lblk_bits) 143 sb->s_cop->get_ino_and_lblk_bits(sb, &ino_bits, &lblk_bits); 144 if (ino_bits > max_ino_bits) { 145 fscrypt_warn(inode, 146 "Can't use %s policy on filesystem '%s' because its inode numbers are too long", 147 type, sb->s_id); 148 return false; 149 } 150 if (lblk_bits > max_lblk_bits) { 151 fscrypt_warn(inode, 152 "Can't use %s policy on filesystem '%s' because its block numbers are too long", 153 type, sb->s_id); 154 return false; 155 } 156 return true; 157} 158 159static bool fscrypt_supported_v1_policy(const struct fscrypt_policy_v1 *policy, 160 const struct inode *inode) 161{ |
| 154 if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode, | 162 if (!fscrypt_valid_enc_modes_v1(policy->contents_encryption_mode, |
| 155 policy->filenames_encryption_mode)) { 156 fscrypt_warn(inode, 157 "Unsupported encryption modes (contents %d, filenames %d)", 158 policy->contents_encryption_mode, 159 policy->filenames_encryption_mode); 160 return false; 161 } 162 163 if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK | 164 FSCRYPT_POLICY_FLAG_DIRECT_KEY)) { 165 fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", 166 policy->flags); 167 return false; 168 } 169 170 if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) && 171 !supported_direct_key_modes(inode, policy->contents_encryption_mode, 172 policy->filenames_encryption_mode)) 173 return false; 174 175 if (IS_CASEFOLDED(inode)) { 176 /* With v1, there's no way to derive dirhash keys. */ 177 fscrypt_warn(inode, 178 "v1 policies can't be used on casefolded directories"); 179 return false; 180 } 181 182 return true; 183} 184 185static bool fscrypt_supported_v2_policy(const struct fscrypt_policy_v2 *policy, 186 const struct inode *inode) 187{ 188 int count = 0; 189 | 163 policy->filenames_encryption_mode)) { 164 fscrypt_warn(inode, 165 "Unsupported encryption modes (contents %d, filenames %d)", 166 policy->contents_encryption_mode, 167 policy->filenames_encryption_mode); 168 return false; 169 } 170 171 if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK | 172 FSCRYPT_POLICY_FLAG_DIRECT_KEY)) { 173 fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", 174 policy->flags); 175 return false; 176 } 177 178 if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) && 179 !supported_direct_key_modes(inode, policy->contents_encryption_mode, 180 policy->filenames_encryption_mode)) 181 return false; 182 183 if (IS_CASEFOLDED(inode)) { 184 /* With v1, there's no way to derive dirhash keys. */ 185 fscrypt_warn(inode, 186 "v1 policies can't be used on casefolded directories"); 187 return false; 188 } 189 190 return true; 191} 192 193static bool fscrypt_supported_v2_policy(const struct fscrypt_policy_v2 *policy, 194 const struct inode *inode) 195{ 196 int count = 0; 197 |
| 190 if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode, | 198 if (!fscrypt_valid_enc_modes_v2(policy->contents_encryption_mode, |
| 191 policy->filenames_encryption_mode)) { 192 fscrypt_warn(inode, 193 "Unsupported encryption modes (contents %d, filenames %d)", 194 policy->contents_encryption_mode, 195 policy->filenames_encryption_mode); 196 return false; 197 } 198 199 if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK | 200 FSCRYPT_POLICY_FLAG_DIRECT_KEY | 201 FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 | 202 FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) { 203 fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", 204 policy->flags); 205 return false; 206 } 207 208 count += !!(policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY); 209 count += !!(policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64); 210 count += !!(policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32); 211 if (count > 1) { 212 fscrypt_warn(inode, "Mutually exclusive encryption flags (0x%02x)", 213 policy->flags); 214 return false; 215 } 216 217 if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) && 218 !supported_direct_key_modes(inode, policy->contents_encryption_mode, 219 policy->filenames_encryption_mode)) 220 return false; 221 222 if ((policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) && 223 !supported_iv_ino_lblk_policy(policy, inode, "IV_INO_LBLK_64", 224 32, 32)) 225 return false; 226 227 /* 228 * IV_INO_LBLK_32 hashes the inode number, so in principle it can 229 * support any ino_bits. However, currently the inode number is gotten 230 * from inode::i_ino which is 'unsigned long'. So for now the 231 * implementation limit is 32 bits. 232 */ 233 if ((policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) && 234 !supported_iv_ino_lblk_policy(policy, inode, "IV_INO_LBLK_32", 235 32, 32)) 236 return false; 237 238 if (memchr_inv(policy->__reserved, 0, sizeof(policy->__reserved))) { 239 fscrypt_warn(inode, "Reserved bits set in encryption policy"); 240 return false; 241 } 242 243 return true; 244} 245 246/** 247 * fscrypt_supported_policy() - check whether an encryption policy is supported 248 * @policy_u: the encryption policy 249 * @inode: the inode on which the policy will be used 250 * 251 * Given an encryption policy, check whether all its encryption modes and other 252 * settings are supported by this kernel on the given inode. (But we don't 253 * currently don't check for crypto API support here, so attempting to use an 254 * algorithm not configured into the crypto API will still fail later.) 255 * 256 * Return: %true if supported, else %false 257 */ 258bool fscrypt_supported_policy(const union fscrypt_policy *policy_u, 259 const struct inode *inode) 260{ 261 switch (policy_u->version) { 262 case FSCRYPT_POLICY_V1: 263 return fscrypt_supported_v1_policy(&policy_u->v1, inode); 264 case FSCRYPT_POLICY_V2: 265 return fscrypt_supported_v2_policy(&policy_u->v2, inode); 266 } 267 return false; 268} 269 270/** 271 * fscrypt_new_context() - create a new fscrypt_context 272 * @ctx_u: output context 273 * @policy_u: input policy 274 * @nonce: nonce to use 275 * 276 * Create an fscrypt_context for an inode that is being assigned the given 277 * encryption policy. @nonce must be a new random nonce. 278 * 279 * Return: the size of the new context in bytes. 280 */ 281static int fscrypt_new_context(union fscrypt_context *ctx_u, 282 const union fscrypt_policy *policy_u, 283 const u8 nonce[FSCRYPT_FILE_NONCE_SIZE]) 284{ 285 memset(ctx_u, 0, sizeof(*ctx_u)); 286 287 switch (policy_u->version) { 288 case FSCRYPT_POLICY_V1: { 289 const struct fscrypt_policy_v1 *policy = &policy_u->v1; 290 struct fscrypt_context_v1 *ctx = &ctx_u->v1; 291 292 ctx->version = FSCRYPT_CONTEXT_V1; 293 ctx->contents_encryption_mode = 294 policy->contents_encryption_mode; 295 ctx->filenames_encryption_mode = 296 policy->filenames_encryption_mode; 297 ctx->flags = policy->flags; 298 memcpy(ctx->master_key_descriptor, 299 policy->master_key_descriptor, 300 sizeof(ctx->master_key_descriptor)); 301 memcpy(ctx->nonce, nonce, FSCRYPT_FILE_NONCE_SIZE); 302 return sizeof(*ctx); 303 } 304 case FSCRYPT_POLICY_V2: { 305 const struct fscrypt_policy_v2 *policy = &policy_u->v2; 306 struct fscrypt_context_v2 *ctx = &ctx_u->v2; 307 308 ctx->version = FSCRYPT_CONTEXT_V2; 309 ctx->contents_encryption_mode = 310 policy->contents_encryption_mode; 311 ctx->filenames_encryption_mode = 312 policy->filenames_encryption_mode; 313 ctx->flags = policy->flags; 314 memcpy(ctx->master_key_identifier, 315 policy->master_key_identifier, 316 sizeof(ctx->master_key_identifier)); 317 memcpy(ctx->nonce, nonce, FSCRYPT_FILE_NONCE_SIZE); 318 return sizeof(*ctx); 319 } 320 } 321 BUG(); 322} 323 324/** 325 * fscrypt_policy_from_context() - convert an fscrypt_context to 326 * an fscrypt_policy 327 * @policy_u: output policy 328 * @ctx_u: input context 329 * @ctx_size: size of input context in bytes 330 * 331 * Given an fscrypt_context, build the corresponding fscrypt_policy. 332 * 333 * Return: 0 on success, or -EINVAL if the fscrypt_context has an unrecognized 334 * version number or size. 335 * 336 * This does *not* validate the settings within the policy itself, e.g. the 337 * modes, flags, and reserved bits. Use fscrypt_supported_policy() for that. 338 */ 339int fscrypt_policy_from_context(union fscrypt_policy *policy_u, 340 const union fscrypt_context *ctx_u, 341 int ctx_size) 342{ 343 memset(policy_u, 0, sizeof(*policy_u)); 344 345 if (!fscrypt_context_is_valid(ctx_u, ctx_size)) 346 return -EINVAL; 347 348 switch (ctx_u->version) { 349 case FSCRYPT_CONTEXT_V1: { 350 const struct fscrypt_context_v1 *ctx = &ctx_u->v1; 351 struct fscrypt_policy_v1 *policy = &policy_u->v1; 352 353 policy->version = FSCRYPT_POLICY_V1; 354 policy->contents_encryption_mode = 355 ctx->contents_encryption_mode; 356 policy->filenames_encryption_mode = 357 ctx->filenames_encryption_mode; 358 policy->flags = ctx->flags; 359 memcpy(policy->master_key_descriptor, 360 ctx->master_key_descriptor, 361 sizeof(policy->master_key_descriptor)); 362 return 0; 363 } 364 case FSCRYPT_CONTEXT_V2: { 365 const struct fscrypt_context_v2 *ctx = &ctx_u->v2; 366 struct fscrypt_policy_v2 *policy = &policy_u->v2; 367 368 policy->version = FSCRYPT_POLICY_V2; 369 policy->contents_encryption_mode = 370 ctx->contents_encryption_mode; 371 policy->filenames_encryption_mode = 372 ctx->filenames_encryption_mode; 373 policy->flags = ctx->flags; 374 memcpy(policy->__reserved, ctx->__reserved, 375 sizeof(policy->__reserved)); 376 memcpy(policy->master_key_identifier, 377 ctx->master_key_identifier, 378 sizeof(policy->master_key_identifier)); 379 return 0; 380 } 381 } 382 /* unreachable */ 383 return -EINVAL; 384} 385 386/* Retrieve an inode's encryption policy */ 387static int fscrypt_get_policy(struct inode *inode, union fscrypt_policy *policy) 388{ 389 const struct fscrypt_info *ci; 390 union fscrypt_context ctx; 391 int ret; 392 393 ci = fscrypt_get_info(inode); 394 if (ci) { 395 /* key available, use the cached policy */ 396 *policy = ci->ci_policy; 397 return 0; 398 } 399 400 if (!IS_ENCRYPTED(inode)) 401 return -ENODATA; 402 403 ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); 404 if (ret < 0) 405 return (ret == -ERANGE) ? -EINVAL : ret; 406 407 return fscrypt_policy_from_context(policy, &ctx, ret); 408} 409 410static int set_encryption_policy(struct inode *inode, 411 const union fscrypt_policy *policy) 412{ 413 u8 nonce[FSCRYPT_FILE_NONCE_SIZE]; 414 union fscrypt_context ctx; 415 int ctxsize; 416 int err; 417 418 if (!fscrypt_supported_policy(policy, inode)) 419 return -EINVAL; 420 421 switch (policy->version) { 422 case FSCRYPT_POLICY_V1: 423 /* 424 * The original encryption policy version provided no way of 425 * verifying that the correct master key was supplied, which was 426 * insecure in scenarios where multiple users have access to the 427 * same encrypted files (even just read-only access). The new 428 * encryption policy version fixes this and also implies use of 429 * an improved key derivation function and allows non-root users 430 * to securely remove keys. So as long as compatibility with 431 * old kernels isn't required, it is recommended to use the new 432 * policy version for all new encrypted directories. 433 */ 434 pr_warn_once("%s (pid %d) is setting deprecated v1 encryption policy; recommend upgrading to v2.\n", 435 current->comm, current->pid); 436 break; 437 case FSCRYPT_POLICY_V2: 438 err = fscrypt_verify_key_added(inode->i_sb, 439 policy->v2.master_key_identifier); 440 if (err) 441 return err; 442 if (policy->v2.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) 443 pr_warn_once("%s (pid %d) is setting an IV_INO_LBLK_32 encryption policy. This should only be used if there are certain hardware limitations.\n", 444 current->comm, current->pid); 445 break; 446 default: 447 WARN_ON(1); 448 return -EINVAL; 449 } 450 451 get_random_bytes(nonce, FSCRYPT_FILE_NONCE_SIZE); 452 ctxsize = fscrypt_new_context(&ctx, policy, nonce); 453 454 return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, NULL); 455} 456 457int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg) 458{ 459 union fscrypt_policy policy; 460 union fscrypt_policy existing_policy; 461 struct inode *inode = file_inode(filp); 462 u8 version; 463 int size; 464 int ret; 465 466 if (get_user(policy.version, (const u8 __user *)arg)) 467 return -EFAULT; 468 469 size = fscrypt_policy_size(&policy); 470 if (size <= 0) 471 return -EINVAL; 472 473 /* 474 * We should just copy the remaining 'size - 1' bytes here, but a 475 * bizarre bug in gcc 7 and earlier (fixed by gcc r255731) causes gcc to 476 * think that size can be 0 here (despite the check above!) *and* that 477 * it's a compile-time constant. Thus it would think copy_from_user() 478 * is passed compile-time constant ULONG_MAX, causing the compile-time 479 * buffer overflow check to fail, breaking the build. This only occurred 480 * when building an i386 kernel with -Os and branch profiling enabled. 481 * 482 * Work around it by just copying the first byte again... 483 */ 484 version = policy.version; 485 if (copy_from_user(&policy, arg, size)) 486 return -EFAULT; 487 policy.version = version; 488 489 if (!inode_owner_or_capable(&init_user_ns, inode)) 490 return -EACCES; 491 492 ret = mnt_want_write_file(filp); 493 if (ret) 494 return ret; 495 496 inode_lock(inode); 497 498 ret = fscrypt_get_policy(inode, &existing_policy); 499 if (ret == -ENODATA) { 500 if (!S_ISDIR(inode->i_mode)) 501 ret = -ENOTDIR; 502 else if (IS_DEADDIR(inode)) 503 ret = -ENOENT; 504 else if (!inode->i_sb->s_cop->empty_dir(inode)) 505 ret = -ENOTEMPTY; 506 else 507 ret = set_encryption_policy(inode, &policy); 508 } else if (ret == -EINVAL || 509 (ret == 0 && !fscrypt_policies_equal(&policy, 510 &existing_policy))) { 511 /* The file already uses a different encryption policy. */ 512 ret = -EEXIST; 513 } 514 515 inode_unlock(inode); 516 517 mnt_drop_write_file(filp); 518 return ret; 519} 520EXPORT_SYMBOL(fscrypt_ioctl_set_policy); 521 522/* Original ioctl version; can only get the original policy version */ 523int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg) 524{ 525 union fscrypt_policy policy; 526 int err; 527 528 err = fscrypt_get_policy(file_inode(filp), &policy); 529 if (err) 530 return err; 531 532 if (policy.version != FSCRYPT_POLICY_V1) 533 return -EINVAL; 534 535 if (copy_to_user(arg, &policy, sizeof(policy.v1))) 536 return -EFAULT; 537 return 0; 538} 539EXPORT_SYMBOL(fscrypt_ioctl_get_policy); 540 541/* Extended ioctl version; can get policies of any version */ 542int fscrypt_ioctl_get_policy_ex(struct file *filp, void __user *uarg) 543{ 544 struct fscrypt_get_policy_ex_arg arg; 545 union fscrypt_policy *policy = (union fscrypt_policy *)&arg.policy; 546 size_t policy_size; 547 int err; 548 549 /* arg is policy_size, then policy */ 550 BUILD_BUG_ON(offsetof(typeof(arg), policy_size) != 0); 551 BUILD_BUG_ON(offsetofend(typeof(arg), policy_size) != 552 offsetof(typeof(arg), policy)); 553 BUILD_BUG_ON(sizeof(arg.policy) != sizeof(*policy)); 554 555 err = fscrypt_get_policy(file_inode(filp), policy); 556 if (err) 557 return err; 558 policy_size = fscrypt_policy_size(policy); 559 560 if (copy_from_user(&arg, uarg, sizeof(arg.policy_size))) 561 return -EFAULT; 562 563 if (policy_size > arg.policy_size) 564 return -EOVERFLOW; 565 arg.policy_size = policy_size; 566 567 if (copy_to_user(uarg, &arg, sizeof(arg.policy_size) + policy_size)) 568 return -EFAULT; 569 return 0; 570} 571EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_policy_ex); 572 573/* FS_IOC_GET_ENCRYPTION_NONCE: retrieve file's encryption nonce for testing */ 574int fscrypt_ioctl_get_nonce(struct file *filp, void __user *arg) 575{ 576 struct inode *inode = file_inode(filp); 577 union fscrypt_context ctx; 578 int ret; 579 580 ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); 581 if (ret < 0) 582 return ret; 583 if (!fscrypt_context_is_valid(&ctx, ret)) 584 return -EINVAL; 585 if (copy_to_user(arg, fscrypt_context_nonce(&ctx), 586 FSCRYPT_FILE_NONCE_SIZE)) 587 return -EFAULT; 588 return 0; 589} 590EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_nonce); 591 592/** 593 * fscrypt_has_permitted_context() - is a file's encryption policy permitted 594 * within its directory? 595 * 596 * @parent: inode for parent directory 597 * @child: inode for file being looked up, opened, or linked into @parent 598 * 599 * Filesystems must call this before permitting access to an inode in a 600 * situation where the parent directory is encrypted (either before allowing 601 * ->lookup() to succeed, or for a regular file before allowing it to be opened) 602 * and before any operation that involves linking an inode into an encrypted 603 * directory, including link, rename, and cross rename. It enforces the 604 * constraint that within a given encrypted directory tree, all files use the 605 * same encryption policy. The pre-access check is needed to detect potentially 606 * malicious offline violations of this constraint, while the link and rename 607 * checks are needed to prevent online violations of this constraint. 608 * 609 * Return: 1 if permitted, 0 if forbidden. 610 */ 611int fscrypt_has_permitted_context(struct inode *parent, struct inode *child) 612{ 613 union fscrypt_policy parent_policy, child_policy; 614 int err, err1, err2; 615 616 /* No restrictions on file types which are never encrypted */ 617 if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) && 618 !S_ISLNK(child->i_mode)) 619 return 1; 620 621 /* No restrictions if the parent directory is unencrypted */ 622 if (!IS_ENCRYPTED(parent)) 623 return 1; 624 625 /* Encrypted directories must not contain unencrypted files */ 626 if (!IS_ENCRYPTED(child)) 627 return 0; 628 629 /* 630 * Both parent and child are encrypted, so verify they use the same 631 * encryption policy. Compare the fscrypt_info structs if the keys are 632 * available, otherwise retrieve and compare the fscrypt_contexts. 633 * 634 * Note that the fscrypt_context retrieval will be required frequently 635 * when accessing an encrypted directory tree without the key. 636 * Performance-wise this is not a big deal because we already don't 637 * really optimize for file access without the key (to the extent that 638 * such access is even possible), given that any attempted access 639 * already causes a fscrypt_context retrieval and keyring search. 640 * 641 * In any case, if an unexpected error occurs, fall back to "forbidden". 642 */ 643 644 err = fscrypt_get_encryption_info(parent, true); 645 if (err) 646 return 0; 647 err = fscrypt_get_encryption_info(child, true); 648 if (err) 649 return 0; 650 651 err1 = fscrypt_get_policy(parent, &parent_policy); 652 err2 = fscrypt_get_policy(child, &child_policy); 653 654 /* 655 * Allow the case where the parent and child both have an unrecognized 656 * encryption policy, so that files with an unrecognized encryption 657 * policy can be deleted. 658 */ 659 if (err1 == -EINVAL && err2 == -EINVAL) 660 return 1; 661 662 if (err1 || err2) 663 return 0; 664 665 return fscrypt_policies_equal(&parent_policy, &child_policy); 666} 667EXPORT_SYMBOL(fscrypt_has_permitted_context); 668 669/* 670 * Return the encryption policy that new files in the directory will inherit, or 671 * NULL if none, or an ERR_PTR() on error. If the directory is encrypted, also 672 * ensure that its key is set up, so that the new filename can be encrypted. 673 */ 674const union fscrypt_policy *fscrypt_policy_to_inherit(struct inode *dir) 675{ 676 int err; 677 678 if (IS_ENCRYPTED(dir)) { 679 err = fscrypt_require_key(dir); 680 if (err) 681 return ERR_PTR(err); 682 return &dir->i_crypt_info->ci_policy; 683 } 684 685 return fscrypt_get_dummy_policy(dir->i_sb); 686} 687 688/** 689 * fscrypt_set_context() - Set the fscrypt context of a new inode 690 * @inode: a new inode 691 * @fs_data: private data given by FS and passed to ->set_context() 692 * 693 * This should be called after fscrypt_prepare_new_inode(), generally during a 694 * filesystem transaction. Everything here must be %GFP_NOFS-safe. 695 * 696 * Return: 0 on success, -errno on failure 697 */ 698int fscrypt_set_context(struct inode *inode, void *fs_data) 699{ 700 struct fscrypt_info *ci = inode->i_crypt_info; 701 union fscrypt_context ctx; 702 int ctxsize; 703 704 /* fscrypt_prepare_new_inode() should have set up the key already. */ 705 if (WARN_ON_ONCE(!ci)) 706 return -ENOKEY; 707 708 BUILD_BUG_ON(sizeof(ctx) != FSCRYPT_SET_CONTEXT_MAX_SIZE); 709 ctxsize = fscrypt_new_context(&ctx, &ci->ci_policy, ci->ci_nonce); 710 711 /* 712 * This may be the first time the inode number is available, so do any 713 * delayed key setup that requires the inode number. 714 */ 715 if (ci->ci_policy.version == FSCRYPT_POLICY_V2 && 716 (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) { 717 const struct fscrypt_master_key *mk = 718 ci->ci_master_key->payload.data[0]; 719 720 fscrypt_hash_inode_number(ci, mk); 721 } 722 723 return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, fs_data); 724} 725EXPORT_SYMBOL_GPL(fscrypt_set_context); 726 727/** 728 * fscrypt_parse_test_dummy_encryption() - parse the test_dummy_encryption mount option 729 * @param: the mount option 730 * @dummy_policy: (input/output) the place to write the dummy policy that will 731 * result from parsing the option. Zero-initialize this. If a policy is 732 * already set here (due to test_dummy_encryption being given multiple 733 * times), then this function will verify that the policies are the same. 734 * 735 * Return: 0 on success; -EINVAL if the argument is invalid; -EEXIST if the 736 * argument conflicts with one already specified; or -ENOMEM. 737 */ 738int fscrypt_parse_test_dummy_encryption(const struct fs_parameter *param, 739 struct fscrypt_dummy_policy *dummy_policy) 740{ 741 const char *arg = "v2"; 742 union fscrypt_policy *policy; 743 int err; 744 745 if (param->type == fs_value_is_string && *param->string) 746 arg = param->string; 747 748 policy = kzalloc(sizeof(*policy), GFP_KERNEL); 749 if (!policy) 750 return -ENOMEM; 751 752 if (!strcmp(arg, "v1")) { 753 policy->version = FSCRYPT_POLICY_V1; 754 policy->v1.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; 755 policy->v1.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; 756 memset(policy->v1.master_key_descriptor, 0x42, 757 FSCRYPT_KEY_DESCRIPTOR_SIZE); 758 } else if (!strcmp(arg, "v2")) { 759 policy->version = FSCRYPT_POLICY_V2; 760 policy->v2.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; 761 policy->v2.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; 762 err = fscrypt_get_test_dummy_key_identifier( 763 policy->v2.master_key_identifier); 764 if (err) 765 goto out; 766 } else { 767 err = -EINVAL; 768 goto out; 769 } 770 771 if (dummy_policy->policy) { 772 if (fscrypt_policies_equal(policy, dummy_policy->policy)) 773 err = 0; 774 else 775 err = -EEXIST; 776 goto out; 777 } 778 dummy_policy->policy = policy; 779 policy = NULL; 780 err = 0; 781out: 782 kfree(policy); 783 return err; 784} 785EXPORT_SYMBOL_GPL(fscrypt_parse_test_dummy_encryption); 786 787/** 788 * fscrypt_dummy_policies_equal() - check whether two dummy policies are equal 789 * @p1: the first test dummy policy (may be unset) 790 * @p2: the second test dummy policy (may be unset) 791 * 792 * Return: %true if the dummy policies are both set and equal, or both unset. 793 */ 794bool fscrypt_dummy_policies_equal(const struct fscrypt_dummy_policy *p1, 795 const struct fscrypt_dummy_policy *p2) 796{ 797 if (!p1->policy && !p2->policy) 798 return true; 799 if (!p1->policy || !p2->policy) 800 return false; 801 return fscrypt_policies_equal(p1->policy, p2->policy); 802} 803EXPORT_SYMBOL_GPL(fscrypt_dummy_policies_equal); 804 805/* Deprecated, do not use */ 806int fscrypt_set_test_dummy_encryption(struct super_block *sb, const char *arg, 807 struct fscrypt_dummy_policy *dummy_policy) 808{ 809 struct fs_parameter param = { 810 .type = fs_value_is_string, 811 .string = arg ? (char *)arg : "", 812 }; 813 return fscrypt_parse_test_dummy_encryption(¶m, dummy_policy) ?: 814 fscrypt_add_test_dummy_key(sb, dummy_policy); 815} 816EXPORT_SYMBOL_GPL(fscrypt_set_test_dummy_encryption); 817 818/** 819 * fscrypt_show_test_dummy_encryption() - show '-o test_dummy_encryption' 820 * @seq: the seq_file to print the option to 821 * @sep: the separator character to use 822 * @sb: the filesystem whose options are being shown 823 * 824 * Show the test_dummy_encryption mount option, if it was specified. 825 * This is mainly used for /proc/mounts. 826 */ 827void fscrypt_show_test_dummy_encryption(struct seq_file *seq, char sep, 828 struct super_block *sb) 829{ 830 const union fscrypt_policy *policy = fscrypt_get_dummy_policy(sb); 831 int vers; 832 833 if (!policy) 834 return; 835 836 vers = policy->version; 837 if (vers == FSCRYPT_POLICY_V1) /* Handle numbering quirk */ 838 vers = 1; 839 840 seq_printf(seq, "%ctest_dummy_encryption=v%d", sep, vers); 841} 842EXPORT_SYMBOL_GPL(fscrypt_show_test_dummy_encryption); | 199 policy->filenames_encryption_mode)) { 200 fscrypt_warn(inode, 201 "Unsupported encryption modes (contents %d, filenames %d)", 202 policy->contents_encryption_mode, 203 policy->filenames_encryption_mode); 204 return false; 205 } 206 207 if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK | 208 FSCRYPT_POLICY_FLAG_DIRECT_KEY | 209 FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 | 210 FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) { 211 fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", 212 policy->flags); 213 return false; 214 } 215 216 count += !!(policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY); 217 count += !!(policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64); 218 count += !!(policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32); 219 if (count > 1) { 220 fscrypt_warn(inode, "Mutually exclusive encryption flags (0x%02x)", 221 policy->flags); 222 return false; 223 } 224 225 if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) && 226 !supported_direct_key_modes(inode, policy->contents_encryption_mode, 227 policy->filenames_encryption_mode)) 228 return false; 229 230 if ((policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) && 231 !supported_iv_ino_lblk_policy(policy, inode, "IV_INO_LBLK_64", 232 32, 32)) 233 return false; 234 235 /* 236 * IV_INO_LBLK_32 hashes the inode number, so in principle it can 237 * support any ino_bits. However, currently the inode number is gotten 238 * from inode::i_ino which is 'unsigned long'. So for now the 239 * implementation limit is 32 bits. 240 */ 241 if ((policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) && 242 !supported_iv_ino_lblk_policy(policy, inode, "IV_INO_LBLK_32", 243 32, 32)) 244 return false; 245 246 if (memchr_inv(policy->__reserved, 0, sizeof(policy->__reserved))) { 247 fscrypt_warn(inode, "Reserved bits set in encryption policy"); 248 return false; 249 } 250 251 return true; 252} 253 254/** 255 * fscrypt_supported_policy() - check whether an encryption policy is supported 256 * @policy_u: the encryption policy 257 * @inode: the inode on which the policy will be used 258 * 259 * Given an encryption policy, check whether all its encryption modes and other 260 * settings are supported by this kernel on the given inode. (But we don't 261 * currently don't check for crypto API support here, so attempting to use an 262 * algorithm not configured into the crypto API will still fail later.) 263 * 264 * Return: %true if supported, else %false 265 */ 266bool fscrypt_supported_policy(const union fscrypt_policy *policy_u, 267 const struct inode *inode) 268{ 269 switch (policy_u->version) { 270 case FSCRYPT_POLICY_V1: 271 return fscrypt_supported_v1_policy(&policy_u->v1, inode); 272 case FSCRYPT_POLICY_V2: 273 return fscrypt_supported_v2_policy(&policy_u->v2, inode); 274 } 275 return false; 276} 277 278/** 279 * fscrypt_new_context() - create a new fscrypt_context 280 * @ctx_u: output context 281 * @policy_u: input policy 282 * @nonce: nonce to use 283 * 284 * Create an fscrypt_context for an inode that is being assigned the given 285 * encryption policy. @nonce must be a new random nonce. 286 * 287 * Return: the size of the new context in bytes. 288 */ 289static int fscrypt_new_context(union fscrypt_context *ctx_u, 290 const union fscrypt_policy *policy_u, 291 const u8 nonce[FSCRYPT_FILE_NONCE_SIZE]) 292{ 293 memset(ctx_u, 0, sizeof(*ctx_u)); 294 295 switch (policy_u->version) { 296 case FSCRYPT_POLICY_V1: { 297 const struct fscrypt_policy_v1 *policy = &policy_u->v1; 298 struct fscrypt_context_v1 *ctx = &ctx_u->v1; 299 300 ctx->version = FSCRYPT_CONTEXT_V1; 301 ctx->contents_encryption_mode = 302 policy->contents_encryption_mode; 303 ctx->filenames_encryption_mode = 304 policy->filenames_encryption_mode; 305 ctx->flags = policy->flags; 306 memcpy(ctx->master_key_descriptor, 307 policy->master_key_descriptor, 308 sizeof(ctx->master_key_descriptor)); 309 memcpy(ctx->nonce, nonce, FSCRYPT_FILE_NONCE_SIZE); 310 return sizeof(*ctx); 311 } 312 case FSCRYPT_POLICY_V2: { 313 const struct fscrypt_policy_v2 *policy = &policy_u->v2; 314 struct fscrypt_context_v2 *ctx = &ctx_u->v2; 315 316 ctx->version = FSCRYPT_CONTEXT_V2; 317 ctx->contents_encryption_mode = 318 policy->contents_encryption_mode; 319 ctx->filenames_encryption_mode = 320 policy->filenames_encryption_mode; 321 ctx->flags = policy->flags; 322 memcpy(ctx->master_key_identifier, 323 policy->master_key_identifier, 324 sizeof(ctx->master_key_identifier)); 325 memcpy(ctx->nonce, nonce, FSCRYPT_FILE_NONCE_SIZE); 326 return sizeof(*ctx); 327 } 328 } 329 BUG(); 330} 331 332/** 333 * fscrypt_policy_from_context() - convert an fscrypt_context to 334 * an fscrypt_policy 335 * @policy_u: output policy 336 * @ctx_u: input context 337 * @ctx_size: size of input context in bytes 338 * 339 * Given an fscrypt_context, build the corresponding fscrypt_policy. 340 * 341 * Return: 0 on success, or -EINVAL if the fscrypt_context has an unrecognized 342 * version number or size. 343 * 344 * This does *not* validate the settings within the policy itself, e.g. the 345 * modes, flags, and reserved bits. Use fscrypt_supported_policy() for that. 346 */ 347int fscrypt_policy_from_context(union fscrypt_policy *policy_u, 348 const union fscrypt_context *ctx_u, 349 int ctx_size) 350{ 351 memset(policy_u, 0, sizeof(*policy_u)); 352 353 if (!fscrypt_context_is_valid(ctx_u, ctx_size)) 354 return -EINVAL; 355 356 switch (ctx_u->version) { 357 case FSCRYPT_CONTEXT_V1: { 358 const struct fscrypt_context_v1 *ctx = &ctx_u->v1; 359 struct fscrypt_policy_v1 *policy = &policy_u->v1; 360 361 policy->version = FSCRYPT_POLICY_V1; 362 policy->contents_encryption_mode = 363 ctx->contents_encryption_mode; 364 policy->filenames_encryption_mode = 365 ctx->filenames_encryption_mode; 366 policy->flags = ctx->flags; 367 memcpy(policy->master_key_descriptor, 368 ctx->master_key_descriptor, 369 sizeof(policy->master_key_descriptor)); 370 return 0; 371 } 372 case FSCRYPT_CONTEXT_V2: { 373 const struct fscrypt_context_v2 *ctx = &ctx_u->v2; 374 struct fscrypt_policy_v2 *policy = &policy_u->v2; 375 376 policy->version = FSCRYPT_POLICY_V2; 377 policy->contents_encryption_mode = 378 ctx->contents_encryption_mode; 379 policy->filenames_encryption_mode = 380 ctx->filenames_encryption_mode; 381 policy->flags = ctx->flags; 382 memcpy(policy->__reserved, ctx->__reserved, 383 sizeof(policy->__reserved)); 384 memcpy(policy->master_key_identifier, 385 ctx->master_key_identifier, 386 sizeof(policy->master_key_identifier)); 387 return 0; 388 } 389 } 390 /* unreachable */ 391 return -EINVAL; 392} 393 394/* Retrieve an inode's encryption policy */ 395static int fscrypt_get_policy(struct inode *inode, union fscrypt_policy *policy) 396{ 397 const struct fscrypt_info *ci; 398 union fscrypt_context ctx; 399 int ret; 400 401 ci = fscrypt_get_info(inode); 402 if (ci) { 403 /* key available, use the cached policy */ 404 *policy = ci->ci_policy; 405 return 0; 406 } 407 408 if (!IS_ENCRYPTED(inode)) 409 return -ENODATA; 410 411 ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); 412 if (ret < 0) 413 return (ret == -ERANGE) ? -EINVAL : ret; 414 415 return fscrypt_policy_from_context(policy, &ctx, ret); 416} 417 418static int set_encryption_policy(struct inode *inode, 419 const union fscrypt_policy *policy) 420{ 421 u8 nonce[FSCRYPT_FILE_NONCE_SIZE]; 422 union fscrypt_context ctx; 423 int ctxsize; 424 int err; 425 426 if (!fscrypt_supported_policy(policy, inode)) 427 return -EINVAL; 428 429 switch (policy->version) { 430 case FSCRYPT_POLICY_V1: 431 /* 432 * The original encryption policy version provided no way of 433 * verifying that the correct master key was supplied, which was 434 * insecure in scenarios where multiple users have access to the 435 * same encrypted files (even just read-only access). The new 436 * encryption policy version fixes this and also implies use of 437 * an improved key derivation function and allows non-root users 438 * to securely remove keys. So as long as compatibility with 439 * old kernels isn't required, it is recommended to use the new 440 * policy version for all new encrypted directories. 441 */ 442 pr_warn_once("%s (pid %d) is setting deprecated v1 encryption policy; recommend upgrading to v2.\n", 443 current->comm, current->pid); 444 break; 445 case FSCRYPT_POLICY_V2: 446 err = fscrypt_verify_key_added(inode->i_sb, 447 policy->v2.master_key_identifier); 448 if (err) 449 return err; 450 if (policy->v2.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) 451 pr_warn_once("%s (pid %d) is setting an IV_INO_LBLK_32 encryption policy. This should only be used if there are certain hardware limitations.\n", 452 current->comm, current->pid); 453 break; 454 default: 455 WARN_ON(1); 456 return -EINVAL; 457 } 458 459 get_random_bytes(nonce, FSCRYPT_FILE_NONCE_SIZE); 460 ctxsize = fscrypt_new_context(&ctx, policy, nonce); 461 462 return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, NULL); 463} 464 465int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg) 466{ 467 union fscrypt_policy policy; 468 union fscrypt_policy existing_policy; 469 struct inode *inode = file_inode(filp); 470 u8 version; 471 int size; 472 int ret; 473 474 if (get_user(policy.version, (const u8 __user *)arg)) 475 return -EFAULT; 476 477 size = fscrypt_policy_size(&policy); 478 if (size <= 0) 479 return -EINVAL; 480 481 /* 482 * We should just copy the remaining 'size - 1' bytes here, but a 483 * bizarre bug in gcc 7 and earlier (fixed by gcc r255731) causes gcc to 484 * think that size can be 0 here (despite the check above!) *and* that 485 * it's a compile-time constant. Thus it would think copy_from_user() 486 * is passed compile-time constant ULONG_MAX, causing the compile-time 487 * buffer overflow check to fail, breaking the build. This only occurred 488 * when building an i386 kernel with -Os and branch profiling enabled. 489 * 490 * Work around it by just copying the first byte again... 491 */ 492 version = policy.version; 493 if (copy_from_user(&policy, arg, size)) 494 return -EFAULT; 495 policy.version = version; 496 497 if (!inode_owner_or_capable(&init_user_ns, inode)) 498 return -EACCES; 499 500 ret = mnt_want_write_file(filp); 501 if (ret) 502 return ret; 503 504 inode_lock(inode); 505 506 ret = fscrypt_get_policy(inode, &existing_policy); 507 if (ret == -ENODATA) { 508 if (!S_ISDIR(inode->i_mode)) 509 ret = -ENOTDIR; 510 else if (IS_DEADDIR(inode)) 511 ret = -ENOENT; 512 else if (!inode->i_sb->s_cop->empty_dir(inode)) 513 ret = -ENOTEMPTY; 514 else 515 ret = set_encryption_policy(inode, &policy); 516 } else if (ret == -EINVAL || 517 (ret == 0 && !fscrypt_policies_equal(&policy, 518 &existing_policy))) { 519 /* The file already uses a different encryption policy. */ 520 ret = -EEXIST; 521 } 522 523 inode_unlock(inode); 524 525 mnt_drop_write_file(filp); 526 return ret; 527} 528EXPORT_SYMBOL(fscrypt_ioctl_set_policy); 529 530/* Original ioctl version; can only get the original policy version */ 531int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg) 532{ 533 union fscrypt_policy policy; 534 int err; 535 536 err = fscrypt_get_policy(file_inode(filp), &policy); 537 if (err) 538 return err; 539 540 if (policy.version != FSCRYPT_POLICY_V1) 541 return -EINVAL; 542 543 if (copy_to_user(arg, &policy, sizeof(policy.v1))) 544 return -EFAULT; 545 return 0; 546} 547EXPORT_SYMBOL(fscrypt_ioctl_get_policy); 548 549/* Extended ioctl version; can get policies of any version */ 550int fscrypt_ioctl_get_policy_ex(struct file *filp, void __user *uarg) 551{ 552 struct fscrypt_get_policy_ex_arg arg; 553 union fscrypt_policy *policy = (union fscrypt_policy *)&arg.policy; 554 size_t policy_size; 555 int err; 556 557 /* arg is policy_size, then policy */ 558 BUILD_BUG_ON(offsetof(typeof(arg), policy_size) != 0); 559 BUILD_BUG_ON(offsetofend(typeof(arg), policy_size) != 560 offsetof(typeof(arg), policy)); 561 BUILD_BUG_ON(sizeof(arg.policy) != sizeof(*policy)); 562 563 err = fscrypt_get_policy(file_inode(filp), policy); 564 if (err) 565 return err; 566 policy_size = fscrypt_policy_size(policy); 567 568 if (copy_from_user(&arg, uarg, sizeof(arg.policy_size))) 569 return -EFAULT; 570 571 if (policy_size > arg.policy_size) 572 return -EOVERFLOW; 573 arg.policy_size = policy_size; 574 575 if (copy_to_user(uarg, &arg, sizeof(arg.policy_size) + policy_size)) 576 return -EFAULT; 577 return 0; 578} 579EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_policy_ex); 580 581/* FS_IOC_GET_ENCRYPTION_NONCE: retrieve file's encryption nonce for testing */ 582int fscrypt_ioctl_get_nonce(struct file *filp, void __user *arg) 583{ 584 struct inode *inode = file_inode(filp); 585 union fscrypt_context ctx; 586 int ret; 587 588 ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); 589 if (ret < 0) 590 return ret; 591 if (!fscrypt_context_is_valid(&ctx, ret)) 592 return -EINVAL; 593 if (copy_to_user(arg, fscrypt_context_nonce(&ctx), 594 FSCRYPT_FILE_NONCE_SIZE)) 595 return -EFAULT; 596 return 0; 597} 598EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_nonce); 599 600/** 601 * fscrypt_has_permitted_context() - is a file's encryption policy permitted 602 * within its directory? 603 * 604 * @parent: inode for parent directory 605 * @child: inode for file being looked up, opened, or linked into @parent 606 * 607 * Filesystems must call this before permitting access to an inode in a 608 * situation where the parent directory is encrypted (either before allowing 609 * ->lookup() to succeed, or for a regular file before allowing it to be opened) 610 * and before any operation that involves linking an inode into an encrypted 611 * directory, including link, rename, and cross rename. It enforces the 612 * constraint that within a given encrypted directory tree, all files use the 613 * same encryption policy. The pre-access check is needed to detect potentially 614 * malicious offline violations of this constraint, while the link and rename 615 * checks are needed to prevent online violations of this constraint. 616 * 617 * Return: 1 if permitted, 0 if forbidden. 618 */ 619int fscrypt_has_permitted_context(struct inode *parent, struct inode *child) 620{ 621 union fscrypt_policy parent_policy, child_policy; 622 int err, err1, err2; 623 624 /* No restrictions on file types which are never encrypted */ 625 if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) && 626 !S_ISLNK(child->i_mode)) 627 return 1; 628 629 /* No restrictions if the parent directory is unencrypted */ 630 if (!IS_ENCRYPTED(parent)) 631 return 1; 632 633 /* Encrypted directories must not contain unencrypted files */ 634 if (!IS_ENCRYPTED(child)) 635 return 0; 636 637 /* 638 * Both parent and child are encrypted, so verify they use the same 639 * encryption policy. Compare the fscrypt_info structs if the keys are 640 * available, otherwise retrieve and compare the fscrypt_contexts. 641 * 642 * Note that the fscrypt_context retrieval will be required frequently 643 * when accessing an encrypted directory tree without the key. 644 * Performance-wise this is not a big deal because we already don't 645 * really optimize for file access without the key (to the extent that 646 * such access is even possible), given that any attempted access 647 * already causes a fscrypt_context retrieval and keyring search. 648 * 649 * In any case, if an unexpected error occurs, fall back to "forbidden". 650 */ 651 652 err = fscrypt_get_encryption_info(parent, true); 653 if (err) 654 return 0; 655 err = fscrypt_get_encryption_info(child, true); 656 if (err) 657 return 0; 658 659 err1 = fscrypt_get_policy(parent, &parent_policy); 660 err2 = fscrypt_get_policy(child, &child_policy); 661 662 /* 663 * Allow the case where the parent and child both have an unrecognized 664 * encryption policy, so that files with an unrecognized encryption 665 * policy can be deleted. 666 */ 667 if (err1 == -EINVAL && err2 == -EINVAL) 668 return 1; 669 670 if (err1 || err2) 671 return 0; 672 673 return fscrypt_policies_equal(&parent_policy, &child_policy); 674} 675EXPORT_SYMBOL(fscrypt_has_permitted_context); 676 677/* 678 * Return the encryption policy that new files in the directory will inherit, or 679 * NULL if none, or an ERR_PTR() on error. If the directory is encrypted, also 680 * ensure that its key is set up, so that the new filename can be encrypted. 681 */ 682const union fscrypt_policy *fscrypt_policy_to_inherit(struct inode *dir) 683{ 684 int err; 685 686 if (IS_ENCRYPTED(dir)) { 687 err = fscrypt_require_key(dir); 688 if (err) 689 return ERR_PTR(err); 690 return &dir->i_crypt_info->ci_policy; 691 } 692 693 return fscrypt_get_dummy_policy(dir->i_sb); 694} 695 696/** 697 * fscrypt_set_context() - Set the fscrypt context of a new inode 698 * @inode: a new inode 699 * @fs_data: private data given by FS and passed to ->set_context() 700 * 701 * This should be called after fscrypt_prepare_new_inode(), generally during a 702 * filesystem transaction. Everything here must be %GFP_NOFS-safe. 703 * 704 * Return: 0 on success, -errno on failure 705 */ 706int fscrypt_set_context(struct inode *inode, void *fs_data) 707{ 708 struct fscrypt_info *ci = inode->i_crypt_info; 709 union fscrypt_context ctx; 710 int ctxsize; 711 712 /* fscrypt_prepare_new_inode() should have set up the key already. */ 713 if (WARN_ON_ONCE(!ci)) 714 return -ENOKEY; 715 716 BUILD_BUG_ON(sizeof(ctx) != FSCRYPT_SET_CONTEXT_MAX_SIZE); 717 ctxsize = fscrypt_new_context(&ctx, &ci->ci_policy, ci->ci_nonce); 718 719 /* 720 * This may be the first time the inode number is available, so do any 721 * delayed key setup that requires the inode number. 722 */ 723 if (ci->ci_policy.version == FSCRYPT_POLICY_V2 && 724 (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) { 725 const struct fscrypt_master_key *mk = 726 ci->ci_master_key->payload.data[0]; 727 728 fscrypt_hash_inode_number(ci, mk); 729 } 730 731 return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, fs_data); 732} 733EXPORT_SYMBOL_GPL(fscrypt_set_context); 734 735/** 736 * fscrypt_parse_test_dummy_encryption() - parse the test_dummy_encryption mount option 737 * @param: the mount option 738 * @dummy_policy: (input/output) the place to write the dummy policy that will 739 * result from parsing the option. Zero-initialize this. If a policy is 740 * already set here (due to test_dummy_encryption being given multiple 741 * times), then this function will verify that the policies are the same. 742 * 743 * Return: 0 on success; -EINVAL if the argument is invalid; -EEXIST if the 744 * argument conflicts with one already specified; or -ENOMEM. 745 */ 746int fscrypt_parse_test_dummy_encryption(const struct fs_parameter *param, 747 struct fscrypt_dummy_policy *dummy_policy) 748{ 749 const char *arg = "v2"; 750 union fscrypt_policy *policy; 751 int err; 752 753 if (param->type == fs_value_is_string && *param->string) 754 arg = param->string; 755 756 policy = kzalloc(sizeof(*policy), GFP_KERNEL); 757 if (!policy) 758 return -ENOMEM; 759 760 if (!strcmp(arg, "v1")) { 761 policy->version = FSCRYPT_POLICY_V1; 762 policy->v1.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; 763 policy->v1.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; 764 memset(policy->v1.master_key_descriptor, 0x42, 765 FSCRYPT_KEY_DESCRIPTOR_SIZE); 766 } else if (!strcmp(arg, "v2")) { 767 policy->version = FSCRYPT_POLICY_V2; 768 policy->v2.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; 769 policy->v2.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; 770 err = fscrypt_get_test_dummy_key_identifier( 771 policy->v2.master_key_identifier); 772 if (err) 773 goto out; 774 } else { 775 err = -EINVAL; 776 goto out; 777 } 778 779 if (dummy_policy->policy) { 780 if (fscrypt_policies_equal(policy, dummy_policy->policy)) 781 err = 0; 782 else 783 err = -EEXIST; 784 goto out; 785 } 786 dummy_policy->policy = policy; 787 policy = NULL; 788 err = 0; 789out: 790 kfree(policy); 791 return err; 792} 793EXPORT_SYMBOL_GPL(fscrypt_parse_test_dummy_encryption); 794 795/** 796 * fscrypt_dummy_policies_equal() - check whether two dummy policies are equal 797 * @p1: the first test dummy policy (may be unset) 798 * @p2: the second test dummy policy (may be unset) 799 * 800 * Return: %true if the dummy policies are both set and equal, or both unset. 801 */ 802bool fscrypt_dummy_policies_equal(const struct fscrypt_dummy_policy *p1, 803 const struct fscrypt_dummy_policy *p2) 804{ 805 if (!p1->policy && !p2->policy) 806 return true; 807 if (!p1->policy || !p2->policy) 808 return false; 809 return fscrypt_policies_equal(p1->policy, p2->policy); 810} 811EXPORT_SYMBOL_GPL(fscrypt_dummy_policies_equal); 812 813/* Deprecated, do not use */ 814int fscrypt_set_test_dummy_encryption(struct super_block *sb, const char *arg, 815 struct fscrypt_dummy_policy *dummy_policy) 816{ 817 struct fs_parameter param = { 818 .type = fs_value_is_string, 819 .string = arg ? (char *)arg : "", 820 }; 821 return fscrypt_parse_test_dummy_encryption(¶m, dummy_policy) ?: 822 fscrypt_add_test_dummy_key(sb, dummy_policy); 823} 824EXPORT_SYMBOL_GPL(fscrypt_set_test_dummy_encryption); 825 826/** 827 * fscrypt_show_test_dummy_encryption() - show '-o test_dummy_encryption' 828 * @seq: the seq_file to print the option to 829 * @sep: the separator character to use 830 * @sb: the filesystem whose options are being shown 831 * 832 * Show the test_dummy_encryption mount option, if it was specified. 833 * This is mainly used for /proc/mounts. 834 */ 835void fscrypt_show_test_dummy_encryption(struct seq_file *seq, char sep, 836 struct super_block *sb) 837{ 838 const union fscrypt_policy *policy = fscrypt_get_dummy_policy(sb); 839 int vers; 840 841 if (!policy) 842 return; 843 844 vers = policy->version; 845 if (vers == FSCRYPT_POLICY_V1) /* Handle numbering quirk */ 846 vers = 1; 847 848 seq_printf(seq, "%ctest_dummy_encryption=v%d", sep, vers); 849} 850EXPORT_SYMBOL_GPL(fscrypt_show_test_dummy_encryption); |