1 // SPDX-License-Identifier: GPL-2.0-only
5  * Encryption hooks for higher-level filesystem operations.
13  * fscrypt_file_open() - prepare to open a possibly-encrypted regular file
15  * @filp: the struct file being set up
17  * Currently, an encrypted regular file can only be opened if its encryption key
19  * Therefore, we first set up the inode's encryption key (if not already done)
30  * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
46 	 * encryption policy comparison, but it's expensive on multi-core  in fscrypt_file_open()
48 	 * with a lightweight RCU-mode check for the parent directory being  in fscrypt_file_open()
54 	dentry_parent = READ_ONCE(dentry->d_parent);  in fscrypt_file_open()
66 			     d_inode(dentry_parent)->i_ino);  in fscrypt_file_open()
67 		err = -EPERM;  in fscrypt_file_open()
78 		return -ENOKEY;  in __fscrypt_prepare_link()
80 	 * We don't need to separately check that the directory inode's key is  in __fscrypt_prepare_link()
81 	 * available, as it's implied by the dentry not being a no-key name.  in __fscrypt_prepare_link()
85 		return -EXDEV;  in __fscrypt_prepare_link()
97 		return -ENOKEY;  in __fscrypt_prepare_rename()
100 	 * available, as it's implied by the dentries not being no-key names.  in __fscrypt_prepare_rename()
107 			return -EXDEV;  in __fscrypt_prepare_rename()
113 			return -EXDEV;  in __fscrypt_prepare_rename()
122 	int err = fscrypt_setup_filename(dir, &dentry->d_name, 1, fname);  in __fscrypt_prepare_lookup()
124 	if (err && err != -ENOENT)  in __fscrypt_prepare_lookup()
127 	fscrypt_prepare_dentry(dentry, fname->is_nokey_name);  in __fscrypt_prepare_lookup()
134  * fscrypt_prepare_lookup_partial() - prepare lookup without filename setup
136  * @dentry: the dentry being looked up in @dir
138  * This function should be used by the ->lookup and ->atomic_open methods of
139  * filesystems that handle filename encryption and no-key name encoding
141  * fscrypt_prepare_lookup(), this will try to set up the directory's encryption
142  * key and will set DCACHE_NOKEY_NAME on the dentry if the key is unavailable.
143  * However, this function doesn't set up a struct fscrypt_name for the filename.
145  * Return: 0 on success; -errno on error.  Note that the encryption key being
148  *	   like the key being unavailable, so that files can still be deleted.
169 	if (attr->ia_valid & ATTR_SIZE)  in __fscrypt_prepare_setattr()
176  * fscrypt_prepare_setflags() - prepare to change flags with FS_IOC_SETFLAGS
183  * Return: 0 on success; -errno if the flags change isn't allowed or if
195 	 * derive the secret key needed for the dirhash.  This is only possible  in fscrypt_prepare_setflags()
203 		if (ci->ci_policy.version != FSCRYPT_POLICY_V2)  in fscrypt_prepare_setflags()
204 			return -EINVAL;  in fscrypt_prepare_setflags()
205 		mk = ci->ci_master_key;  in fscrypt_prepare_setflags()
206 		down_read(&mk->mk_sem);  in fscrypt_prepare_setflags()
207 		if (mk->mk_present)  in fscrypt_prepare_setflags()
210 			err = -ENOKEY;  in fscrypt_prepare_setflags()
211 		up_read(&mk->mk_sem);  in fscrypt_prepare_setflags()
218  * fscrypt_prepare_symlink() - prepare to create a possibly-encrypted symlink
223  * @disk_link: (out) the on-disk symlink target being prepared
225  * This function computes the size the symlink target will require on-disk,
226  * stores it in @disk_link->len, and validates it against @max_len.  An
229  * Additionally, @disk_link->name is set to @target if the symlink will be
232  * on-disk target later.  (The reason for the two-step process is that some
236  * Return: 0 on success, -ENAMETOOLONG if the symlink target is too long,
237  * -ENOKEY if the encryption key is missing, or another -errno code if a problem
238  * occurred while setting up the encryption key.
254 		disk_link->name = (unsigned char *)target;  in fscrypt_prepare_symlink()
255 		disk_link->len = len + 1;  in fscrypt_prepare_symlink()
256 		if (disk_link->len > max_len)  in fscrypt_prepare_symlink()
257 			return -ENAMETOOLONG;  in fscrypt_prepare_symlink()
275 					    max_len - sizeof(struct fscrypt_symlink_data) - 1,  in fscrypt_prepare_symlink()
276 					    &disk_link->len))  in fscrypt_prepare_symlink()
277 		return -ENAMETOOLONG;  in fscrypt_prepare_symlink()
278 	disk_link->len += sizeof(struct fscrypt_symlink_data) + 1;  in fscrypt_prepare_symlink()
280 	disk_link->name = NULL;  in fscrypt_prepare_symlink()
294 	 * fscrypt_prepare_new_inode() should have already set up the new  in __fscrypt_encrypt_symlink()
295 	 * symlink inode's encryption key.  We don't wait until now to do it,  in __fscrypt_encrypt_symlink()
299 		return -ENOKEY;  in __fscrypt_encrypt_symlink()
301 	if (disk_link->name) {  in __fscrypt_encrypt_symlink()
302 		/* filesystem-provided buffer */  in __fscrypt_encrypt_symlink()
303 		sd = (struct fscrypt_symlink_data *)disk_link->name;  in __fscrypt_encrypt_symlink()
305 		sd = kmalloc(disk_link->len, GFP_NOFS);  in __fscrypt_encrypt_symlink()
307 			return -ENOMEM;  in __fscrypt_encrypt_symlink()
309 	ciphertext_len = disk_link->len - sizeof(*sd) - 1;  in __fscrypt_encrypt_symlink()
310 	sd->len = cpu_to_le16(ciphertext_len);  in __fscrypt_encrypt_symlink()
312 	err = fscrypt_fname_encrypt(inode, &iname, sd->encrypted_path,  in __fscrypt_encrypt_symlink()
318 	 * Null-terminating the ciphertext doesn't make sense, but we still  in __fscrypt_encrypt_symlink()
322 	sd->encrypted_path[ciphertext_len] = '\0';  in __fscrypt_encrypt_symlink()
325 	err = -ENOMEM;  in __fscrypt_encrypt_symlink()
326 	inode->i_link = kmemdup(target, len + 1, GFP_NOFS);  in __fscrypt_encrypt_symlink()
327 	if (!inode->i_link)  in __fscrypt_encrypt_symlink()
330 	if (!disk_link->name)  in __fscrypt_encrypt_symlink()
331 		disk_link->name = (unsigned char *)sd;  in __fscrypt_encrypt_symlink()
335 	if (!disk_link->name)  in __fscrypt_encrypt_symlink()
342  * fscrypt_get_symlink() - get the target of an encrypted symlink
344  * @caddr: the on-disk contents of the symlink
346  * @done: if successful, will be set up to free the returned target if needed
348  * If the symlink's encryption key is available, we decrypt its target.
366 		return ERR_PTR(-EINVAL);  in fscrypt_get_symlink()
369 	pstr.name = READ_ONCE(inode->i_link);  in fscrypt_get_symlink()
374 	 * Try to set up the symlink's encryption key, but we can continue  in fscrypt_get_symlink()
375 	 * regardless of whether the key is available or not.  in fscrypt_get_symlink()
388 		return ERR_PTR(-EUCLEAN);  in fscrypt_get_symlink()
390 	cstr.name = (unsigned char *)sd->encrypted_path;  in fscrypt_get_symlink()
391 	cstr.len = le16_to_cpu(sd->len);  in fscrypt_get_symlink()
394 		return ERR_PTR(-EUCLEAN);  in fscrypt_get_symlink()
397 		return ERR_PTR(-EUCLEAN);  in fscrypt_get_symlink()
407 	err = -EUCLEAN;  in fscrypt_get_symlink()
415 	 * symlink targets encoded without the key, since those become outdated  in fscrypt_get_symlink()
416 	 * once the key is added.  This pairs with the READ_ONCE() above and in  in fscrypt_get_symlink()
420 	    cmpxchg_release(&inode->i_link, NULL, pstr.name) != NULL)  in fscrypt_get_symlink()
432  * fscrypt_symlink_getattr() - set the correct st_size for encrypted symlinks
437  * symlink target (or the no-key encoded symlink target, if the key is
442  * This requires reading the symlink target from disk if needed, setting up the
443  * inode's encryption key if possible, and then decrypting or encoding the
445  * case.  However, decrypted symlink targets will be cached in ->i_link, so
449  * Return: 0 on success, -errno on failure
453 	struct dentry *dentry = path->dentry;  in fscrypt_symlink_getattr()
460 	 * decrypted target or the no-key encoded target), we can just get it in  in fscrypt_symlink_getattr()
463 	link = READ_ONCE(inode->i_link);  in fscrypt_symlink_getattr()
465 		link = inode->i_op->get_link(dentry, inode, &done);  in fscrypt_symlink_getattr()
469 	stat->size = strlen(link);  in fscrypt_symlink_getattr()