1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * eCryptfs: Linux filesystem encryption layer
4 *
5 * Copyright (C) 1997-2003 Erez Zadok
6 * Copyright (C) 2001-2003 Stony Brook University
7 * Copyright (C) 2004-2007 International Business Machines Corp.
8 * Author(s): Michael A. Halcrow <mahalcro@us.ibm.com>
9 * Michael C. Thompson <mcthomps@us.ibm.com>
10 * Tyler Hicks <code@tyhicks.com>
11 */
12
13 #include <linux/dcache.h>
14 #include <linux/file.h>
15 #include <linux/module.h>
16 #include <linux/namei.h>
17 #include <linux/skbuff.h>
18 #include <linux/pagemap.h>
19 #include <linux/key.h>
20 #include <linux/fs_context.h>
21 #include <linux/fs_parser.h>
22 #include <linux/fs_stack.h>
23 #include <linux/sysfs.h>
24 #include <linux/slab.h>
25 #include <linux/magic.h>
26 #include "ecryptfs_kernel.h"
27
28 /*
29 * Module parameter that defines the ecryptfs_verbosity level.
30 */
31 int ecryptfs_verbosity = 0;
32
33 module_param(ecryptfs_verbosity, int, 0);
34 MODULE_PARM_DESC(ecryptfs_verbosity,
35 "Initial verbosity level (0 or 1; defaults to "
36 "0, which is Quiet)");
37
38 /*
39 * Module parameter that defines the number of message buffer elements
40 */
41 unsigned int ecryptfs_message_buf_len = ECRYPTFS_DEFAULT_MSG_CTX_ELEMS;
42
43 module_param(ecryptfs_message_buf_len, uint, 0);
44 MODULE_PARM_DESC(ecryptfs_message_buf_len,
45 "Number of message buffer elements");
46
47 /*
48 * Module parameter that defines the maximum guaranteed amount of time to wait
49 * for a response from ecryptfsd. The actual sleep time will be, more than
50 * likely, a small amount greater than this specified value, but only less if
51 * the message successfully arrives.
52 */
53 signed long ecryptfs_message_wait_timeout = ECRYPTFS_MAX_MSG_CTX_TTL / HZ;
54
55 module_param(ecryptfs_message_wait_timeout, long, 0);
56 MODULE_PARM_DESC(ecryptfs_message_wait_timeout,
57 "Maximum number of seconds that an operation will "
58 "sleep while waiting for a message response from "
59 "userspace");
60
61 /*
62 * Module parameter that is an estimate of the maximum number of users
63 * that will be concurrently using eCryptfs. Set this to the right
64 * value to balance performance and memory use.
65 */
66 unsigned int ecryptfs_number_of_users = ECRYPTFS_DEFAULT_NUM_USERS;
67
68 module_param(ecryptfs_number_of_users, uint, 0);
69 MODULE_PARM_DESC(ecryptfs_number_of_users, "An estimate of the number of "
70 "concurrent users of eCryptfs");
71
__ecryptfs_printk(const char * fmt,...)72 void __ecryptfs_printk(const char *fmt, ...)
73 {
74 va_list args;
75 va_start(args, fmt);
76 if (fmt[1] == '7') { /* KERN_DEBUG */
77 if (ecryptfs_verbosity >= 1)
78 vprintk(fmt, args);
79 } else
80 vprintk(fmt, args);
81 va_end(args);
82 }
83
84 /*
85 * ecryptfs_init_lower_file
86 * @ecryptfs_dentry: Fully initialized eCryptfs dentry object, with
87 * the lower dentry and the lower mount set
88 *
89 * eCryptfs only ever keeps a single open file for every lower
90 * inode. All I/O operations to the lower inode occur through that
91 * file. When the first eCryptfs dentry that interposes with the first
92 * lower dentry for that inode is created, this function creates the
93 * lower file struct and associates it with the eCryptfs
94 * inode. When all eCryptfs files associated with the inode are released, the
95 * file is closed.
96 *
97 * The lower file will be opened with read/write permissions, if
98 * possible. Otherwise, it is opened read-only.
99 *
100 * This function does nothing if a lower file is already
101 * associated with the eCryptfs inode.
102 *
103 * Returns zero on success; non-zero otherwise
104 */
ecryptfs_init_lower_file(struct dentry * dentry,struct file ** lower_file)105 static int ecryptfs_init_lower_file(struct dentry *dentry,
106 struct file **lower_file)
107 {
108 const struct cred *cred = current_cred();
109 struct path path = ecryptfs_lower_path(dentry);
110 int rc;
111
112 rc = ecryptfs_privileged_open(lower_file, path.dentry, path.mnt, cred);
113 if (rc) {
114 printk(KERN_ERR "Error opening lower file "
115 "for lower_dentry [0x%p] and lower_mnt [0x%p]; "
116 "rc = [%d]\n", path.dentry, path.mnt, rc);
117 (*lower_file) = NULL;
118 }
119 return rc;
120 }
121
ecryptfs_get_lower_file(struct dentry * dentry,struct inode * inode)122 int ecryptfs_get_lower_file(struct dentry *dentry, struct inode *inode)
123 {
124 struct ecryptfs_inode_info *inode_info;
125 int count, rc = 0;
126
127 inode_info = ecryptfs_inode_to_private(inode);
128 mutex_lock(&inode_info->lower_file_mutex);
129 count = atomic_inc_return(&inode_info->lower_file_count);
130 if (WARN_ON_ONCE(count < 1))
131 rc = -EINVAL;
132 else if (count == 1) {
133 rc = ecryptfs_init_lower_file(dentry,
134 &inode_info->lower_file);
135 if (rc)
136 atomic_set(&inode_info->lower_file_count, 0);
137 }
138 mutex_unlock(&inode_info->lower_file_mutex);
139 return rc;
140 }
141
ecryptfs_put_lower_file(struct inode * inode)142 void ecryptfs_put_lower_file(struct inode *inode)
143 {
144 struct ecryptfs_inode_info *inode_info;
145
146 inode_info = ecryptfs_inode_to_private(inode);
147 if (atomic_dec_and_mutex_lock(&inode_info->lower_file_count,
148 &inode_info->lower_file_mutex)) {
149 filemap_write_and_wait(inode->i_mapping);
150 fput(inode_info->lower_file);
151 inode_info->lower_file = NULL;
152 mutex_unlock(&inode_info->lower_file_mutex);
153 }
154 }
155
156 enum {
157 Opt_sig, Opt_ecryptfs_sig, Opt_cipher, Opt_ecryptfs_cipher,
158 Opt_ecryptfs_key_bytes, Opt_passthrough, Opt_xattr_metadata,
159 Opt_encrypted_view, Opt_fnek_sig, Opt_fn_cipher,
160 Opt_fn_cipher_key_bytes, Opt_unlink_sigs, Opt_mount_auth_tok_only,
161 Opt_check_dev_ruid
162 };
163
164 static const struct fs_parameter_spec ecryptfs_fs_param_spec[] = {
165 fsparam_string ("sig", Opt_sig),
166 fsparam_string ("ecryptfs_sig", Opt_ecryptfs_sig),
167 fsparam_string ("cipher", Opt_cipher),
168 fsparam_string ("ecryptfs_cipher", Opt_ecryptfs_cipher),
169 fsparam_u32 ("ecryptfs_key_bytes", Opt_ecryptfs_key_bytes),
170 fsparam_flag ("ecryptfs_passthrough", Opt_passthrough),
171 fsparam_flag ("ecryptfs_xattr_metadata", Opt_xattr_metadata),
172 fsparam_flag ("ecryptfs_encrypted_view", Opt_encrypted_view),
173 fsparam_string ("ecryptfs_fnek_sig", Opt_fnek_sig),
174 fsparam_string ("ecryptfs_fn_cipher", Opt_fn_cipher),
175 fsparam_u32 ("ecryptfs_fn_key_bytes", Opt_fn_cipher_key_bytes),
176 fsparam_flag ("ecryptfs_unlink_sigs", Opt_unlink_sigs),
177 fsparam_flag ("ecryptfs_mount_auth_tok_only", Opt_mount_auth_tok_only),
178 fsparam_flag ("ecryptfs_check_dev_ruid", Opt_check_dev_ruid),
179 {}
180 };
181
ecryptfs_init_global_auth_toks(struct ecryptfs_mount_crypt_stat * mount_crypt_stat)182 static int ecryptfs_init_global_auth_toks(
183 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
184 {
185 struct ecryptfs_global_auth_tok *global_auth_tok;
186 struct ecryptfs_auth_tok *auth_tok;
187 int rc = 0;
188
189 list_for_each_entry(global_auth_tok,
190 &mount_crypt_stat->global_auth_tok_list,
191 mount_crypt_stat_list) {
192 rc = ecryptfs_keyring_auth_tok_for_sig(
193 &global_auth_tok->global_auth_tok_key, &auth_tok,
194 global_auth_tok->sig);
195 if (rc) {
196 printk(KERN_ERR "Could not find valid key in user "
197 "session keyring for sig specified in mount "
198 "option: [%s]\n", global_auth_tok->sig);
199 global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID;
200 goto out;
201 } else {
202 global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID;
203 up_write(&(global_auth_tok->global_auth_tok_key)->sem);
204 }
205 }
206 out:
207 return rc;
208 }
209
ecryptfs_init_mount_crypt_stat(struct ecryptfs_mount_crypt_stat * mount_crypt_stat)210 static void ecryptfs_init_mount_crypt_stat(
211 struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
212 {
213 memset((void *)mount_crypt_stat, 0,
214 sizeof(struct ecryptfs_mount_crypt_stat));
215 INIT_LIST_HEAD(&mount_crypt_stat->global_auth_tok_list);
216 mutex_init(&mount_crypt_stat->global_auth_tok_list_mutex);
217 mount_crypt_stat->flags |= ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED;
218 }
219
220 struct ecryptfs_fs_context {
221 /* Mount option status trackers */
222 bool check_ruid;
223 bool sig_set;
224 bool cipher_name_set;
225 bool cipher_key_bytes_set;
226 bool fn_cipher_name_set;
227 bool fn_cipher_key_bytes_set;
228 };
229
230 /**
231 * ecryptfs_parse_param
232 * @fc: The ecryptfs filesystem context
233 * @param: The mount parameter to parse
234 *
235 * The signature of the key to use must be the description of a key
236 * already in the keyring. Mounting will fail if the key can not be
237 * found.
238 *
239 * Returns zero on success; non-zero on error
240 */
ecryptfs_parse_param(struct fs_context * fc,struct fs_parameter * param)241 static int ecryptfs_parse_param(
242 struct fs_context *fc,
243 struct fs_parameter *param)
244 {
245 int rc;
246 int opt;
247 struct fs_parse_result result;
248 struct ecryptfs_fs_context *ctx = fc->fs_private;
249 struct ecryptfs_sb_info *sbi = fc->s_fs_info;
250 struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
251 &sbi->mount_crypt_stat;
252
253 opt = fs_parse(fc, ecryptfs_fs_param_spec, param, &result);
254 if (opt < 0)
255 return opt;
256
257 switch (opt) {
258 case Opt_sig:
259 case Opt_ecryptfs_sig:
260 rc = ecryptfs_add_global_auth_tok(mount_crypt_stat,
261 param->string, 0);
262 if (rc) {
263 printk(KERN_ERR "Error attempting to register "
264 "global sig; rc = [%d]\n", rc);
265 return rc;
266 }
267 ctx->sig_set = 1;
268 break;
269 case Opt_cipher:
270 case Opt_ecryptfs_cipher:
271 strscpy(mount_crypt_stat->global_default_cipher_name,
272 param->string);
273 ctx->cipher_name_set = 1;
274 break;
275 case Opt_ecryptfs_key_bytes:
276 mount_crypt_stat->global_default_cipher_key_size =
277 result.uint_32;
278 ctx->cipher_key_bytes_set = 1;
279 break;
280 case Opt_passthrough:
281 mount_crypt_stat->flags |=
282 ECRYPTFS_PLAINTEXT_PASSTHROUGH_ENABLED;
283 break;
284 case Opt_xattr_metadata:
285 mount_crypt_stat->flags |= ECRYPTFS_XATTR_METADATA_ENABLED;
286 break;
287 case Opt_encrypted_view:
288 mount_crypt_stat->flags |= ECRYPTFS_XATTR_METADATA_ENABLED;
289 mount_crypt_stat->flags |= ECRYPTFS_ENCRYPTED_VIEW_ENABLED;
290 break;
291 case Opt_fnek_sig:
292 strscpy(mount_crypt_stat->global_default_fnek_sig,
293 param->string);
294 rc = ecryptfs_add_global_auth_tok(
295 mount_crypt_stat,
296 mount_crypt_stat->global_default_fnek_sig,
297 ECRYPTFS_AUTH_TOK_FNEK);
298 if (rc) {
299 printk(KERN_ERR "Error attempting to register "
300 "global fnek sig [%s]; rc = [%d]\n",
301 mount_crypt_stat->global_default_fnek_sig, rc);
302 return rc;
303 }
304 mount_crypt_stat->flags |=
305 (ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES
306 | ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK);
307 break;
308 case Opt_fn_cipher:
309 strscpy(mount_crypt_stat->global_default_fn_cipher_name,
310 param->string);
311 ctx->fn_cipher_name_set = 1;
312 break;
313 case Opt_fn_cipher_key_bytes:
314 mount_crypt_stat->global_default_fn_cipher_key_bytes =
315 result.uint_32;
316 ctx->fn_cipher_key_bytes_set = 1;
317 break;
318 case Opt_unlink_sigs:
319 mount_crypt_stat->flags |= ECRYPTFS_UNLINK_SIGS;
320 break;
321 case Opt_mount_auth_tok_only:
322 mount_crypt_stat->flags |= ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY;
323 break;
324 case Opt_check_dev_ruid:
325 ctx->check_ruid = 1;
326 break;
327 default:
328 return -EINVAL;
329 }
330
331 return 0;
332 }
333
ecryptfs_validate_options(struct fs_context * fc)334 static int ecryptfs_validate_options(struct fs_context *fc)
335 {
336 int rc = 0;
337 u8 cipher_code;
338 struct ecryptfs_fs_context *ctx = fc->fs_private;
339 struct ecryptfs_sb_info *sbi = fc->s_fs_info;
340 struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
341
342
343 mount_crypt_stat = &sbi->mount_crypt_stat;
344
345 if (!ctx->sig_set) {
346 rc = -EINVAL;
347 ecryptfs_printk(KERN_ERR, "You must supply at least one valid "
348 "auth tok signature as a mount "
349 "parameter; see the eCryptfs README\n");
350 goto out;
351 }
352 if (!ctx->cipher_name_set) {
353 int cipher_name_len = strlen(ECRYPTFS_DEFAULT_CIPHER);
354
355 BUG_ON(cipher_name_len > ECRYPTFS_MAX_CIPHER_NAME_SIZE);
356 strcpy(mount_crypt_stat->global_default_cipher_name,
357 ECRYPTFS_DEFAULT_CIPHER);
358 }
359 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
360 && !ctx->fn_cipher_name_set)
361 strcpy(mount_crypt_stat->global_default_fn_cipher_name,
362 mount_crypt_stat->global_default_cipher_name);
363 if (!ctx->cipher_key_bytes_set)
364 mount_crypt_stat->global_default_cipher_key_size = 0;
365 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
366 && !ctx->fn_cipher_key_bytes_set)
367 mount_crypt_stat->global_default_fn_cipher_key_bytes =
368 mount_crypt_stat->global_default_cipher_key_size;
369
370 cipher_code = ecryptfs_code_for_cipher_string(
371 mount_crypt_stat->global_default_cipher_name,
372 mount_crypt_stat->global_default_cipher_key_size);
373 if (!cipher_code) {
374 ecryptfs_printk(KERN_ERR,
375 "eCryptfs doesn't support cipher: %s\n",
376 mount_crypt_stat->global_default_cipher_name);
377 rc = -EINVAL;
378 goto out;
379 }
380
381 mutex_lock(&key_tfm_list_mutex);
382 if (!ecryptfs_tfm_exists(mount_crypt_stat->global_default_cipher_name,
383 NULL)) {
384 rc = ecryptfs_add_new_key_tfm(
385 NULL, mount_crypt_stat->global_default_cipher_name,
386 mount_crypt_stat->global_default_cipher_key_size);
387 if (rc) {
388 printk(KERN_ERR "Error attempting to initialize "
389 "cipher with name = [%s] and key size = [%td]; "
390 "rc = [%d]\n",
391 mount_crypt_stat->global_default_cipher_name,
392 mount_crypt_stat->global_default_cipher_key_size,
393 rc);
394 rc = -EINVAL;
395 mutex_unlock(&key_tfm_list_mutex);
396 goto out;
397 }
398 }
399 if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
400 && !ecryptfs_tfm_exists(
401 mount_crypt_stat->global_default_fn_cipher_name, NULL)) {
402 rc = ecryptfs_add_new_key_tfm(
403 NULL, mount_crypt_stat->global_default_fn_cipher_name,
404 mount_crypt_stat->global_default_fn_cipher_key_bytes);
405 if (rc) {
406 printk(KERN_ERR "Error attempting to initialize "
407 "cipher with name = [%s] and key size = [%td]; "
408 "rc = [%d]\n",
409 mount_crypt_stat->global_default_fn_cipher_name,
410 mount_crypt_stat->global_default_fn_cipher_key_bytes,
411 rc);
412 rc = -EINVAL;
413 mutex_unlock(&key_tfm_list_mutex);
414 goto out;
415 }
416 }
417 mutex_unlock(&key_tfm_list_mutex);
418 rc = ecryptfs_init_global_auth_toks(mount_crypt_stat);
419 if (rc)
420 printk(KERN_WARNING "One or more global auth toks could not "
421 "properly register; rc = [%d]\n", rc);
422 out:
423 return rc;
424 }
425
426 struct kmem_cache *ecryptfs_sb_info_cache;
427 static struct file_system_type ecryptfs_fs_type;
428
429 /*
430 * ecryptfs_get_tree
431 * @fc: The filesystem context
432 */
ecryptfs_get_tree(struct fs_context * fc)433 static int ecryptfs_get_tree(struct fs_context *fc)
434 {
435 struct super_block *s;
436 struct ecryptfs_fs_context *ctx = fc->fs_private;
437 struct ecryptfs_sb_info *sbi = fc->s_fs_info;
438 struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
439 const char *err = "Getting sb failed";
440 struct inode *inode;
441 struct path path;
442 int rc;
443
444 if (!fc->source) {
445 rc = -EINVAL;
446 err = "Device name cannot be null";
447 goto out;
448 }
449
450 mount_crypt_stat = &sbi->mount_crypt_stat;
451 rc = ecryptfs_validate_options(fc);
452 if (rc) {
453 err = "Error validating options";
454 goto out;
455 }
456
457 s = sget_fc(fc, NULL, set_anon_super_fc);
458 if (IS_ERR(s)) {
459 rc = PTR_ERR(s);
460 goto out;
461 }
462
463 rc = super_setup_bdi(s);
464 if (rc)
465 goto out1;
466
467 ecryptfs_set_superblock_private(s, sbi);
468
469 /* ->kill_sb() will take care of sbi after that point */
470 sbi = NULL;
471 s->s_op = &ecryptfs_sops;
472 s->s_xattr = ecryptfs_xattr_handlers;
473 set_default_d_op(s, &ecryptfs_dops);
474
475 err = "Reading sb failed";
476 rc = kern_path(fc->source, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path);
477 if (rc) {
478 ecryptfs_printk(KERN_WARNING, "kern_path() failed\n");
479 goto out1;
480 }
481 if (path.dentry->d_sb->s_type == &ecryptfs_fs_type) {
482 rc = -EINVAL;
483 printk(KERN_ERR "Mount on filesystem of type "
484 "eCryptfs explicitly disallowed due to "
485 "known incompatibilities\n");
486 goto out_free;
487 }
488
489 if (is_idmapped_mnt(path.mnt)) {
490 rc = -EINVAL;
491 printk(KERN_ERR "Mounting on idmapped mounts currently disallowed\n");
492 goto out_free;
493 }
494
495 if (ctx->check_ruid &&
496 !uid_eq(d_inode(path.dentry)->i_uid, current_uid())) {
497 rc = -EPERM;
498 printk(KERN_ERR "Mount of device (uid: %d) not owned by "
499 "requested user (uid: %d)\n",
500 i_uid_read(d_inode(path.dentry)),
501 from_kuid(&init_user_ns, current_uid()));
502 goto out_free;
503 }
504
505 ecryptfs_set_superblock_lower(s, path.dentry->d_sb);
506
507 /**
508 * Set the POSIX ACL flag based on whether they're enabled in the lower
509 * mount.
510 */
511 s->s_flags = fc->sb_flags & ~SB_POSIXACL;
512 s->s_flags |= path.dentry->d_sb->s_flags & SB_POSIXACL;
513
514 /**
515 * Force a read-only eCryptfs mount when:
516 * 1) The lower mount is ro
517 * 2) The ecryptfs_encrypted_view mount option is specified
518 */
519 if (sb_rdonly(path.dentry->d_sb) || mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
520 s->s_flags |= SB_RDONLY;
521
522 s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
523 s->s_blocksize = path.dentry->d_sb->s_blocksize;
524 s->s_magic = ECRYPTFS_SUPER_MAGIC;
525 s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;
526
527 rc = -EINVAL;
528 if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
529 pr_err("eCryptfs: maximum fs stacking depth exceeded\n");
530 goto out_free;
531 }
532
533 inode = ecryptfs_get_inode(d_inode(path.dentry), s);
534 rc = PTR_ERR(inode);
535 if (IS_ERR(inode))
536 goto out_free;
537
538 s->s_root = d_make_root(inode);
539 if (!s->s_root) {
540 rc = -ENOMEM;
541 goto out_free;
542 }
543
544 ecryptfs_set_dentry_lower(s->s_root, path.dentry);
545 ecryptfs_superblock_to_private(s)->lower_mnt = path.mnt;
546
547 s->s_flags |= SB_ACTIVE;
548 fc->root = dget(s->s_root);
549 return 0;
550
551 out_free:
552 path_put(&path);
553 out1:
554 deactivate_locked_super(s);
555 out:
556 if (sbi)
557 ecryptfs_destroy_mount_crypt_stat(&sbi->mount_crypt_stat);
558
559 printk(KERN_ERR "%s; rc = [%d]\n", err, rc);
560 return rc;
561 }
562
563 /**
564 * ecryptfs_kill_block_super
565 * @sb: The ecryptfs super block
566 *
567 * Used to bring the superblock down and free the private data.
568 */
ecryptfs_kill_block_super(struct super_block * sb)569 static void ecryptfs_kill_block_super(struct super_block *sb)
570 {
571 struct ecryptfs_sb_info *sb_info = ecryptfs_superblock_to_private(sb);
572 kill_anon_super(sb);
573 if (!sb_info)
574 return;
575 mntput(sb_info->lower_mnt);
576 ecryptfs_destroy_mount_crypt_stat(&sb_info->mount_crypt_stat);
577 kmem_cache_free(ecryptfs_sb_info_cache, sb_info);
578 }
579
ecryptfs_free_fc(struct fs_context * fc)580 static void ecryptfs_free_fc(struct fs_context *fc)
581 {
582 struct ecryptfs_fs_context *ctx = fc->fs_private;
583 struct ecryptfs_sb_info *sbi = fc->s_fs_info;
584
585 kfree(ctx);
586
587 if (sbi) {
588 ecryptfs_destroy_mount_crypt_stat(&sbi->mount_crypt_stat);
589 kmem_cache_free(ecryptfs_sb_info_cache, sbi);
590 }
591 }
592
593 static const struct fs_context_operations ecryptfs_context_ops = {
594 .free = ecryptfs_free_fc,
595 .parse_param = ecryptfs_parse_param,
596 .get_tree = ecryptfs_get_tree,
597 .reconfigure = NULL,
598 };
599
ecryptfs_init_fs_context(struct fs_context * fc)600 static int ecryptfs_init_fs_context(struct fs_context *fc)
601 {
602 struct ecryptfs_fs_context *ctx;
603 struct ecryptfs_sb_info *sbi = NULL;
604
605 ctx = kzalloc(sizeof(struct ecryptfs_fs_context), GFP_KERNEL);
606 if (!ctx)
607 return -ENOMEM;
608 sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL);
609 if (!sbi) {
610 kfree(ctx);
611 ctx = NULL;
612 return -ENOMEM;
613 }
614
615 ecryptfs_init_mount_crypt_stat(&sbi->mount_crypt_stat);
616
617 fc->fs_private = ctx;
618 fc->s_fs_info = sbi;
619 fc->ops = &ecryptfs_context_ops;
620 return 0;
621 }
622
623 static struct file_system_type ecryptfs_fs_type = {
624 .owner = THIS_MODULE,
625 .name = "ecryptfs",
626 .init_fs_context = ecryptfs_init_fs_context,
627 .parameters = ecryptfs_fs_param_spec,
628 .kill_sb = ecryptfs_kill_block_super,
629 .fs_flags = 0
630 };
631 MODULE_ALIAS_FS("ecryptfs");
632
633 /*
634 * inode_info_init_once
635 *
636 * Initializes the ecryptfs_inode_info_cache when it is created
637 */
638 static void
inode_info_init_once(void * vptr)639 inode_info_init_once(void *vptr)
640 {
641 struct ecryptfs_inode_info *ei = (struct ecryptfs_inode_info *)vptr;
642
643 inode_init_once(&ei->vfs_inode);
644 }
645
646 static struct ecryptfs_cache_info {
647 struct kmem_cache **cache;
648 const char *name;
649 size_t size;
650 slab_flags_t flags;
651 void (*ctor)(void *obj);
652 } ecryptfs_cache_infos[] = {
653 {
654 .cache = &ecryptfs_auth_tok_list_item_cache,
655 .name = "ecryptfs_auth_tok_list_item",
656 .size = sizeof(struct ecryptfs_auth_tok_list_item),
657 },
658 {
659 .cache = &ecryptfs_file_info_cache,
660 .name = "ecryptfs_file_cache",
661 .size = sizeof(struct ecryptfs_file_info),
662 },
663 {
664 .cache = &ecryptfs_inode_info_cache,
665 .name = "ecryptfs_inode_cache",
666 .size = sizeof(struct ecryptfs_inode_info),
667 .flags = SLAB_ACCOUNT,
668 .ctor = inode_info_init_once,
669 },
670 {
671 .cache = &ecryptfs_sb_info_cache,
672 .name = "ecryptfs_sb_cache",
673 .size = sizeof(struct ecryptfs_sb_info),
674 },
675 {
676 .cache = &ecryptfs_header_cache,
677 .name = "ecryptfs_headers",
678 .size = PAGE_SIZE,
679 },
680 {
681 .cache = &ecryptfs_xattr_cache,
682 .name = "ecryptfs_xattr_cache",
683 .size = PAGE_SIZE,
684 },
685 {
686 .cache = &ecryptfs_key_record_cache,
687 .name = "ecryptfs_key_record_cache",
688 .size = sizeof(struct ecryptfs_key_record),
689 },
690 {
691 .cache = &ecryptfs_key_sig_cache,
692 .name = "ecryptfs_key_sig_cache",
693 .size = sizeof(struct ecryptfs_key_sig),
694 },
695 {
696 .cache = &ecryptfs_global_auth_tok_cache,
697 .name = "ecryptfs_global_auth_tok_cache",
698 .size = sizeof(struct ecryptfs_global_auth_tok),
699 },
700 {
701 .cache = &ecryptfs_key_tfm_cache,
702 .name = "ecryptfs_key_tfm_cache",
703 .size = sizeof(struct ecryptfs_key_tfm),
704 },
705 };
706
ecryptfs_free_kmem_caches(void)707 static void ecryptfs_free_kmem_caches(void)
708 {
709 int i;
710
711 /*
712 * Make sure all delayed rcu free inodes are flushed before we
713 * destroy cache.
714 */
715 rcu_barrier();
716
717 for (i = 0; i < ARRAY_SIZE(ecryptfs_cache_infos); i++) {
718 struct ecryptfs_cache_info *info;
719
720 info = &ecryptfs_cache_infos[i];
721 kmem_cache_destroy(*(info->cache));
722 }
723 }
724
725 /**
726 * ecryptfs_init_kmem_caches
727 *
728 * Returns zero on success; non-zero otherwise
729 */
ecryptfs_init_kmem_caches(void)730 static int ecryptfs_init_kmem_caches(void)
731 {
732 int i;
733
734 for (i = 0; i < ARRAY_SIZE(ecryptfs_cache_infos); i++) {
735 struct ecryptfs_cache_info *info;
736
737 info = &ecryptfs_cache_infos[i];
738 *(info->cache) = kmem_cache_create(info->name, info->size, 0,
739 SLAB_HWCACHE_ALIGN | info->flags, info->ctor);
740 if (!*(info->cache)) {
741 ecryptfs_free_kmem_caches();
742 ecryptfs_printk(KERN_WARNING, "%s: "
743 "kmem_cache_create failed\n",
744 info->name);
745 return -ENOMEM;
746 }
747 }
748 return 0;
749 }
750
751 static struct kobject *ecryptfs_kobj;
752
version_show(struct kobject * kobj,struct kobj_attribute * attr,char * buff)753 static ssize_t version_show(struct kobject *kobj,
754 struct kobj_attribute *attr, char *buff)
755 {
756 return sysfs_emit(buff, "%d\n", ECRYPTFS_VERSIONING_MASK);
757 }
758
759 static struct kobj_attribute version_attr = __ATTR_RO(version);
760
761 static struct attribute *attributes[] = {
762 &version_attr.attr,
763 NULL,
764 };
765
766 static const struct attribute_group attr_group = {
767 .attrs = attributes,
768 };
769
do_sysfs_registration(void)770 static int do_sysfs_registration(void)
771 {
772 int rc;
773
774 ecryptfs_kobj = kobject_create_and_add("ecryptfs", fs_kobj);
775 if (!ecryptfs_kobj) {
776 printk(KERN_ERR "Unable to create ecryptfs kset\n");
777 rc = -ENOMEM;
778 goto out;
779 }
780 rc = sysfs_create_group(ecryptfs_kobj, &attr_group);
781 if (rc) {
782 printk(KERN_ERR
783 "Unable to create ecryptfs version attributes\n");
784 kobject_put(ecryptfs_kobj);
785 }
786 out:
787 return rc;
788 }
789
do_sysfs_unregistration(void)790 static void do_sysfs_unregistration(void)
791 {
792 sysfs_remove_group(ecryptfs_kobj, &attr_group);
793 kobject_put(ecryptfs_kobj);
794 }
795
ecryptfs_init(void)796 static int __init ecryptfs_init(void)
797 {
798 int rc;
799
800 if (ECRYPTFS_DEFAULT_EXTENT_SIZE > PAGE_SIZE) {
801 rc = -EINVAL;
802 ecryptfs_printk(KERN_ERR, "The eCryptfs extent size is "
803 "larger than the host's page size, and so "
804 "eCryptfs cannot run on this system. The "
805 "default eCryptfs extent size is [%u] bytes; "
806 "the page size is [%lu] bytes.\n",
807 ECRYPTFS_DEFAULT_EXTENT_SIZE,
808 (unsigned long)PAGE_SIZE);
809 goto out;
810 }
811 rc = ecryptfs_init_kmem_caches();
812 if (rc) {
813 printk(KERN_ERR
814 "Failed to allocate one or more kmem_cache objects\n");
815 goto out;
816 }
817 rc = do_sysfs_registration();
818 if (rc) {
819 printk(KERN_ERR "sysfs registration failed\n");
820 goto out_free_kmem_caches;
821 }
822 rc = ecryptfs_init_kthread();
823 if (rc) {
824 printk(KERN_ERR "%s: kthread initialization failed; "
825 "rc = [%d]\n", __func__, rc);
826 goto out_do_sysfs_unregistration;
827 }
828 rc = ecryptfs_init_messaging();
829 if (rc) {
830 printk(KERN_ERR "Failure occurred while attempting to "
831 "initialize the communications channel to "
832 "ecryptfsd\n");
833 goto out_destroy_kthread;
834 }
835 rc = ecryptfs_init_crypto();
836 if (rc) {
837 printk(KERN_ERR "Failure whilst attempting to init crypto; "
838 "rc = [%d]\n", rc);
839 goto out_release_messaging;
840 }
841 rc = register_filesystem(&ecryptfs_fs_type);
842 if (rc) {
843 printk(KERN_ERR "Failed to register filesystem\n");
844 goto out_destroy_crypto;
845 }
846 if (ecryptfs_verbosity > 0)
847 printk(KERN_CRIT "eCryptfs verbosity set to %d. Secret values "
848 "will be written to the syslog!\n", ecryptfs_verbosity);
849
850 goto out;
851 out_destroy_crypto:
852 ecryptfs_destroy_crypto();
853 out_release_messaging:
854 ecryptfs_release_messaging();
855 out_destroy_kthread:
856 ecryptfs_destroy_kthread();
857 out_do_sysfs_unregistration:
858 do_sysfs_unregistration();
859 out_free_kmem_caches:
860 ecryptfs_free_kmem_caches();
861 out:
862 return rc;
863 }
864
ecryptfs_exit(void)865 static void __exit ecryptfs_exit(void)
866 {
867 int rc;
868
869 rc = ecryptfs_destroy_crypto();
870 if (rc)
871 printk(KERN_ERR "Failure whilst attempting to destroy crypto; "
872 "rc = [%d]\n", rc);
873 ecryptfs_release_messaging();
874 ecryptfs_destroy_kthread();
875 do_sysfs_unregistration();
876 unregister_filesystem(&ecryptfs_fs_type);
877 ecryptfs_free_kmem_caches();
878 }
879
880 MODULE_AUTHOR("Michael A. Halcrow <mhalcrow@us.ibm.com>");
881 MODULE_DESCRIPTION("eCryptfs");
882
883 MODULE_LICENSE("GPL");
884
885 module_init(ecryptfs_init)
886 module_exit(ecryptfs_exit)
887