xref: /linux/fs/crypto/hooks.c (revision 24bce201d79807b668bf9d9e0aca801c5c0d5f78)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * fs/crypto/hooks.c
4  *
5  * Encryption hooks for higher-level filesystem operations.
6  */
7 
8 #include <linux/key.h>
9 
10 #include "fscrypt_private.h"
11 
12 /**
13  * fscrypt_file_open() - prepare to open a possibly-encrypted regular file
14  * @inode: the inode being opened
15  * @filp: the struct file being set up
16  *
17  * Currently, an encrypted regular file can only be opened if its encryption key
18  * is available; access to the raw encrypted contents is not supported.
19  * Therefore, we first set up the inode's encryption key (if not already done)
20  * and return an error if it's unavailable.
21  *
22  * We also verify that if the parent directory (from the path via which the file
23  * is being opened) is encrypted, then the inode being opened uses the same
24  * encryption policy.  This is needed as part of the enforcement that all files
25  * in an encrypted directory tree use the same encryption policy, as a
26  * protection against certain types of offline attacks.  Note that this check is
27  * needed even when opening an *unencrypted* file, since it's forbidden to have
28  * an unencrypted file in an encrypted directory.
29  *
30  * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
31  */
32 int fscrypt_file_open(struct inode *inode, struct file *filp)
33 {
34 	int err;
35 	struct dentry *dir;
36 
37 	err = fscrypt_require_key(inode);
38 	if (err)
39 		return err;
40 
41 	dir = dget_parent(file_dentry(filp));
42 	if (IS_ENCRYPTED(d_inode(dir)) &&
43 	    !fscrypt_has_permitted_context(d_inode(dir), inode)) {
44 		fscrypt_warn(inode,
45 			     "Inconsistent encryption context (parent directory: %lu)",
46 			     d_inode(dir)->i_ino);
47 		err = -EPERM;
48 	}
49 	dput(dir);
50 	return err;
51 }
52 EXPORT_SYMBOL_GPL(fscrypt_file_open);
53 
54 int __fscrypt_prepare_link(struct inode *inode, struct inode *dir,
55 			   struct dentry *dentry)
56 {
57 	if (fscrypt_is_nokey_name(dentry))
58 		return -ENOKEY;
59 	/*
60 	 * We don't need to separately check that the directory inode's key is
61 	 * available, as it's implied by the dentry not being a no-key name.
62 	 */
63 
64 	if (!fscrypt_has_permitted_context(dir, inode))
65 		return -EXDEV;
66 
67 	return 0;
68 }
69 EXPORT_SYMBOL_GPL(__fscrypt_prepare_link);
70 
71 int __fscrypt_prepare_rename(struct inode *old_dir, struct dentry *old_dentry,
72 			     struct inode *new_dir, struct dentry *new_dentry,
73 			     unsigned int flags)
74 {
75 	if (fscrypt_is_nokey_name(old_dentry) ||
76 	    fscrypt_is_nokey_name(new_dentry))
77 		return -ENOKEY;
78 	/*
79 	 * We don't need to separately check that the directory inodes' keys are
80 	 * available, as it's implied by the dentries not being no-key names.
81 	 */
82 
83 	if (old_dir != new_dir) {
84 		if (IS_ENCRYPTED(new_dir) &&
85 		    !fscrypt_has_permitted_context(new_dir,
86 						   d_inode(old_dentry)))
87 			return -EXDEV;
88 
89 		if ((flags & RENAME_EXCHANGE) &&
90 		    IS_ENCRYPTED(old_dir) &&
91 		    !fscrypt_has_permitted_context(old_dir,
92 						   d_inode(new_dentry)))
93 			return -EXDEV;
94 	}
95 	return 0;
96 }
97 EXPORT_SYMBOL_GPL(__fscrypt_prepare_rename);
98 
99 int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry,
100 			     struct fscrypt_name *fname)
101 {
102 	int err = fscrypt_setup_filename(dir, &dentry->d_name, 1, fname);
103 
104 	if (err && err != -ENOENT)
105 		return err;
106 
107 	if (fname->is_nokey_name) {
108 		spin_lock(&dentry->d_lock);
109 		dentry->d_flags |= DCACHE_NOKEY_NAME;
110 		spin_unlock(&dentry->d_lock);
111 	}
112 	return err;
113 }
114 EXPORT_SYMBOL_GPL(__fscrypt_prepare_lookup);
115 
116 int __fscrypt_prepare_readdir(struct inode *dir)
117 {
118 	return fscrypt_get_encryption_info(dir, true);
119 }
120 EXPORT_SYMBOL_GPL(__fscrypt_prepare_readdir);
121 
122 int __fscrypt_prepare_setattr(struct dentry *dentry, struct iattr *attr)
123 {
124 	if (attr->ia_valid & ATTR_SIZE)
125 		return fscrypt_require_key(d_inode(dentry));
126 	return 0;
127 }
128 EXPORT_SYMBOL_GPL(__fscrypt_prepare_setattr);
129 
130 /**
131  * fscrypt_prepare_setflags() - prepare to change flags with FS_IOC_SETFLAGS
132  * @inode: the inode on which flags are being changed
133  * @oldflags: the old flags
134  * @flags: the new flags
135  *
136  * The caller should be holding i_rwsem for write.
137  *
138  * Return: 0 on success; -errno if the flags change isn't allowed or if
139  *	   another error occurs.
140  */
141 int fscrypt_prepare_setflags(struct inode *inode,
142 			     unsigned int oldflags, unsigned int flags)
143 {
144 	struct fscrypt_info *ci;
145 	struct key *key;
146 	struct fscrypt_master_key *mk;
147 	int err;
148 
149 	/*
150 	 * When the CASEFOLD flag is set on an encrypted directory, we must
151 	 * derive the secret key needed for the dirhash.  This is only possible
152 	 * if the directory uses a v2 encryption policy.
153 	 */
154 	if (IS_ENCRYPTED(inode) && (flags & ~oldflags & FS_CASEFOLD_FL)) {
155 		err = fscrypt_require_key(inode);
156 		if (err)
157 			return err;
158 		ci = inode->i_crypt_info;
159 		if (ci->ci_policy.version != FSCRYPT_POLICY_V2)
160 			return -EINVAL;
161 		key = ci->ci_master_key;
162 		mk = key->payload.data[0];
163 		down_read(&key->sem);
164 		if (is_master_key_secret_present(&mk->mk_secret))
165 			err = fscrypt_derive_dirhash_key(ci, mk);
166 		else
167 			err = -ENOKEY;
168 		up_read(&key->sem);
169 		return err;
170 	}
171 	return 0;
172 }
173 
174 /**
175  * fscrypt_prepare_symlink() - prepare to create a possibly-encrypted symlink
176  * @dir: directory in which the symlink is being created
177  * @target: plaintext symlink target
178  * @len: length of @target excluding null terminator
179  * @max_len: space the filesystem has available to store the symlink target
180  * @disk_link: (out) the on-disk symlink target being prepared
181  *
182  * This function computes the size the symlink target will require on-disk,
183  * stores it in @disk_link->len, and validates it against @max_len.  An
184  * encrypted symlink may be longer than the original.
185  *
186  * Additionally, @disk_link->name is set to @target if the symlink will be
187  * unencrypted, but left NULL if the symlink will be encrypted.  For encrypted
188  * symlinks, the filesystem must call fscrypt_encrypt_symlink() to create the
189  * on-disk target later.  (The reason for the two-step process is that some
190  * filesystems need to know the size of the symlink target before creating the
191  * inode, e.g. to determine whether it will be a "fast" or "slow" symlink.)
192  *
193  * Return: 0 on success, -ENAMETOOLONG if the symlink target is too long,
194  * -ENOKEY if the encryption key is missing, or another -errno code if a problem
195  * occurred while setting up the encryption key.
196  */
197 int fscrypt_prepare_symlink(struct inode *dir, const char *target,
198 			    unsigned int len, unsigned int max_len,
199 			    struct fscrypt_str *disk_link)
200 {
201 	const union fscrypt_policy *policy;
202 
203 	/*
204 	 * To calculate the size of the encrypted symlink target we need to know
205 	 * the amount of NUL padding, which is determined by the flags set in
206 	 * the encryption policy which will be inherited from the directory.
207 	 */
208 	policy = fscrypt_policy_to_inherit(dir);
209 	if (policy == NULL) {
210 		/* Not encrypted */
211 		disk_link->name = (unsigned char *)target;
212 		disk_link->len = len + 1;
213 		if (disk_link->len > max_len)
214 			return -ENAMETOOLONG;
215 		return 0;
216 	}
217 	if (IS_ERR(policy))
218 		return PTR_ERR(policy);
219 
220 	/*
221 	 * Calculate the size of the encrypted symlink and verify it won't
222 	 * exceed max_len.  Note that for historical reasons, encrypted symlink
223 	 * targets are prefixed with the ciphertext length, despite this
224 	 * actually being redundant with i_size.  This decreases by 2 bytes the
225 	 * longest symlink target we can accept.
226 	 *
227 	 * We could recover 1 byte by not counting a null terminator, but
228 	 * counting it (even though it is meaningless for ciphertext) is simpler
229 	 * for now since filesystems will assume it is there and subtract it.
230 	 */
231 	if (!fscrypt_fname_encrypted_size(policy, len,
232 					  max_len - sizeof(struct fscrypt_symlink_data),
233 					  &disk_link->len))
234 		return -ENAMETOOLONG;
235 	disk_link->len += sizeof(struct fscrypt_symlink_data);
236 
237 	disk_link->name = NULL;
238 	return 0;
239 }
240 EXPORT_SYMBOL_GPL(fscrypt_prepare_symlink);
241 
242 int __fscrypt_encrypt_symlink(struct inode *inode, const char *target,
243 			      unsigned int len, struct fscrypt_str *disk_link)
244 {
245 	int err;
246 	struct qstr iname = QSTR_INIT(target, len);
247 	struct fscrypt_symlink_data *sd;
248 	unsigned int ciphertext_len;
249 
250 	/*
251 	 * fscrypt_prepare_new_inode() should have already set up the new
252 	 * symlink inode's encryption key.  We don't wait until now to do it,
253 	 * since we may be in a filesystem transaction now.
254 	 */
255 	if (WARN_ON_ONCE(!fscrypt_has_encryption_key(inode)))
256 		return -ENOKEY;
257 
258 	if (disk_link->name) {
259 		/* filesystem-provided buffer */
260 		sd = (struct fscrypt_symlink_data *)disk_link->name;
261 	} else {
262 		sd = kmalloc(disk_link->len, GFP_NOFS);
263 		if (!sd)
264 			return -ENOMEM;
265 	}
266 	ciphertext_len = disk_link->len - sizeof(*sd);
267 	sd->len = cpu_to_le16(ciphertext_len);
268 
269 	err = fscrypt_fname_encrypt(inode, &iname, sd->encrypted_path,
270 				    ciphertext_len);
271 	if (err)
272 		goto err_free_sd;
273 
274 	/*
275 	 * Null-terminating the ciphertext doesn't make sense, but we still
276 	 * count the null terminator in the length, so we might as well
277 	 * initialize it just in case the filesystem writes it out.
278 	 */
279 	sd->encrypted_path[ciphertext_len] = '\0';
280 
281 	/* Cache the plaintext symlink target for later use by get_link() */
282 	err = -ENOMEM;
283 	inode->i_link = kmemdup(target, len + 1, GFP_NOFS);
284 	if (!inode->i_link)
285 		goto err_free_sd;
286 
287 	if (!disk_link->name)
288 		disk_link->name = (unsigned char *)sd;
289 	return 0;
290 
291 err_free_sd:
292 	if (!disk_link->name)
293 		kfree(sd);
294 	return err;
295 }
296 EXPORT_SYMBOL_GPL(__fscrypt_encrypt_symlink);
297 
298 /**
299  * fscrypt_get_symlink() - get the target of an encrypted symlink
300  * @inode: the symlink inode
301  * @caddr: the on-disk contents of the symlink
302  * @max_size: size of @caddr buffer
303  * @done: if successful, will be set up to free the returned target if needed
304  *
305  * If the symlink's encryption key is available, we decrypt its target.
306  * Otherwise, we encode its target for presentation.
307  *
308  * This may sleep, so the filesystem must have dropped out of RCU mode already.
309  *
310  * Return: the presentable symlink target or an ERR_PTR()
311  */
312 const char *fscrypt_get_symlink(struct inode *inode, const void *caddr,
313 				unsigned int max_size,
314 				struct delayed_call *done)
315 {
316 	const struct fscrypt_symlink_data *sd;
317 	struct fscrypt_str cstr, pstr;
318 	bool has_key;
319 	int err;
320 
321 	/* This is for encrypted symlinks only */
322 	if (WARN_ON(!IS_ENCRYPTED(inode)))
323 		return ERR_PTR(-EINVAL);
324 
325 	/* If the decrypted target is already cached, just return it. */
326 	pstr.name = READ_ONCE(inode->i_link);
327 	if (pstr.name)
328 		return pstr.name;
329 
330 	/*
331 	 * Try to set up the symlink's encryption key, but we can continue
332 	 * regardless of whether the key is available or not.
333 	 */
334 	err = fscrypt_get_encryption_info(inode, false);
335 	if (err)
336 		return ERR_PTR(err);
337 	has_key = fscrypt_has_encryption_key(inode);
338 
339 	/*
340 	 * For historical reasons, encrypted symlink targets are prefixed with
341 	 * the ciphertext length, even though this is redundant with i_size.
342 	 */
343 
344 	if (max_size < sizeof(*sd))
345 		return ERR_PTR(-EUCLEAN);
346 	sd = caddr;
347 	cstr.name = (unsigned char *)sd->encrypted_path;
348 	cstr.len = le16_to_cpu(sd->len);
349 
350 	if (cstr.len == 0)
351 		return ERR_PTR(-EUCLEAN);
352 
353 	if (cstr.len + sizeof(*sd) - 1 > max_size)
354 		return ERR_PTR(-EUCLEAN);
355 
356 	err = fscrypt_fname_alloc_buffer(cstr.len, &pstr);
357 	if (err)
358 		return ERR_PTR(err);
359 
360 	err = fscrypt_fname_disk_to_usr(inode, 0, 0, &cstr, &pstr);
361 	if (err)
362 		goto err_kfree;
363 
364 	err = -EUCLEAN;
365 	if (pstr.name[0] == '\0')
366 		goto err_kfree;
367 
368 	pstr.name[pstr.len] = '\0';
369 
370 	/*
371 	 * Cache decrypted symlink targets in i_link for later use.  Don't cache
372 	 * symlink targets encoded without the key, since those become outdated
373 	 * once the key is added.  This pairs with the READ_ONCE() above and in
374 	 * the VFS path lookup code.
375 	 */
376 	if (!has_key ||
377 	    cmpxchg_release(&inode->i_link, NULL, pstr.name) != NULL)
378 		set_delayed_call(done, kfree_link, pstr.name);
379 
380 	return pstr.name;
381 
382 err_kfree:
383 	kfree(pstr.name);
384 	return ERR_PTR(err);
385 }
386 EXPORT_SYMBOL_GPL(fscrypt_get_symlink);
387 
388 /**
389  * fscrypt_symlink_getattr() - set the correct st_size for encrypted symlinks
390  * @path: the path for the encrypted symlink being queried
391  * @stat: the struct being filled with the symlink's attributes
392  *
393  * Override st_size of encrypted symlinks to be the length of the decrypted
394  * symlink target (or the no-key encoded symlink target, if the key is
395  * unavailable) rather than the length of the encrypted symlink target.  This is
396  * necessary for st_size to match the symlink target that userspace actually
397  * sees.  POSIX requires this, and some userspace programs depend on it.
398  *
399  * This requires reading the symlink target from disk if needed, setting up the
400  * inode's encryption key if possible, and then decrypting or encoding the
401  * symlink target.  This makes lstat() more heavyweight than is normally the
402  * case.  However, decrypted symlink targets will be cached in ->i_link, so
403  * usually the symlink won't have to be read and decrypted again later if/when
404  * it is actually followed, readlink() is called, or lstat() is called again.
405  *
406  * Return: 0 on success, -errno on failure
407  */
408 int fscrypt_symlink_getattr(const struct path *path, struct kstat *stat)
409 {
410 	struct dentry *dentry = path->dentry;
411 	struct inode *inode = d_inode(dentry);
412 	const char *link;
413 	DEFINE_DELAYED_CALL(done);
414 
415 	/*
416 	 * To get the symlink target that userspace will see (whether it's the
417 	 * decrypted target or the no-key encoded target), we can just get it in
418 	 * the same way the VFS does during path resolution and readlink().
419 	 */
420 	link = READ_ONCE(inode->i_link);
421 	if (!link) {
422 		link = inode->i_op->get_link(dentry, inode, &done);
423 		if (IS_ERR(link))
424 			return PTR_ERR(link);
425 	}
426 	stat->size = strlen(link);
427 	do_delayed_call(&done);
428 	return 0;
429 }
430 EXPORT_SYMBOL_GPL(fscrypt_symlink_getattr);
431