1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Encryption policy functions for per-file encryption support. 4 * 5 * Copyright (C) 2015, Google, Inc. 6 * Copyright (C) 2015, Motorola Mobility. 7 * 8 * Originally written by Michael Halcrow, 2015. 9 * Modified by Jaegeuk Kim, 2015. 10 * Modified by Eric Biggers, 2019 for v2 policy support. 11 */ 12 13 #include <linux/export.h> 14 #include <linux/fs_context.h> 15 #include <linux/mount.h> 16 #include <linux/random.h> 17 #include <linux/seq_file.h> 18 #include <linux/string.h> 19 20 #include "fscrypt_private.h" 21 22 /** 23 * fscrypt_policies_equal() - check whether two encryption policies are the same 24 * @policy1: the first policy 25 * @policy2: the second policy 26 * 27 * Return: %true if equal, else %false 28 */ 29 bool fscrypt_policies_equal(const union fscrypt_policy *policy1, 30 const union fscrypt_policy *policy2) 31 { 32 if (policy1->version != policy2->version) 33 return false; 34 35 return !memcmp(policy1, policy2, fscrypt_policy_size(policy1)); 36 } 37 38 int fscrypt_policy_to_key_spec(const union fscrypt_policy *policy, 39 struct fscrypt_key_specifier *key_spec) 40 { 41 switch (policy->version) { 42 case FSCRYPT_POLICY_V1: 43 key_spec->type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR; 44 memcpy(key_spec->u.descriptor, policy->v1.master_key_descriptor, 45 FSCRYPT_KEY_DESCRIPTOR_SIZE); 46 return 0; 47 case FSCRYPT_POLICY_V2: 48 key_spec->type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER; 49 memcpy(key_spec->u.identifier, policy->v2.master_key_identifier, 50 FSCRYPT_KEY_IDENTIFIER_SIZE); 51 return 0; 52 default: 53 WARN_ON_ONCE(1); 54 return -EINVAL; 55 } 56 } 57 58 const union fscrypt_policy *fscrypt_get_dummy_policy(struct super_block *sb) 59 { 60 if (!sb->s_cop->get_dummy_policy) 61 return NULL; 62 return sb->s_cop->get_dummy_policy(sb); 63 } 64 65 /* 66 * Return %true if the given combination of encryption modes is supported for v1 67 * (and later) encryption policies. 68 * 69 * Do *not* add anything new here, since v1 encryption policies are deprecated. 70 * New combinations of modes should go in fscrypt_valid_enc_modes_v2() only. 71 */ 72 static bool fscrypt_valid_enc_modes_v1(u32 contents_mode, u32 filenames_mode) 73 { 74 if (contents_mode == FSCRYPT_MODE_AES_256_XTS && 75 filenames_mode == FSCRYPT_MODE_AES_256_CTS) 76 return true; 77 78 if (contents_mode == FSCRYPT_MODE_AES_128_CBC && 79 filenames_mode == FSCRYPT_MODE_AES_128_CTS) 80 return true; 81 82 if (contents_mode == FSCRYPT_MODE_ADIANTUM && 83 filenames_mode == FSCRYPT_MODE_ADIANTUM) 84 return true; 85 86 return false; 87 } 88 89 static bool fscrypt_valid_enc_modes_v2(u32 contents_mode, u32 filenames_mode) 90 { 91 if (contents_mode == FSCRYPT_MODE_AES_256_XTS && 92 filenames_mode == FSCRYPT_MODE_AES_256_HCTR2) 93 return true; 94 95 if (contents_mode == FSCRYPT_MODE_SM4_XTS && 96 filenames_mode == FSCRYPT_MODE_SM4_CTS) 97 return true; 98 99 return fscrypt_valid_enc_modes_v1(contents_mode, filenames_mode); 100 } 101 102 static bool supported_direct_key_modes(const struct inode *inode, 103 u32 contents_mode, u32 filenames_mode) 104 { 105 const struct fscrypt_mode *mode; 106 107 if (contents_mode != filenames_mode) { 108 fscrypt_warn(inode, 109 "Direct key flag not allowed with different contents and filenames modes"); 110 return false; 111 } 112 mode = &fscrypt_modes[contents_mode]; 113 114 if (mode->ivsize < offsetofend(union fscrypt_iv, nonce)) { 115 fscrypt_warn(inode, "Direct key flag not allowed with %s", 116 mode->friendly_name); 117 return false; 118 } 119 return true; 120 } 121 122 static bool supported_iv_ino_lblk_policy(const struct fscrypt_policy_v2 *policy, 123 const struct inode *inode) 124 { 125 const char *type = (policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) 126 ? "IV_INO_LBLK_64" : "IV_INO_LBLK_32"; 127 struct super_block *sb = inode->i_sb; 128 129 /* 130 * IV_INO_LBLK_* exist only because of hardware limitations, and 131 * currently the only known use case for them involves AES-256-XTS. 132 * That's also all we test currently. For these reasons, for now only 133 * allow AES-256-XTS here. This can be relaxed later if a use case for 134 * IV_INO_LBLK_* with other encryption modes arises. 135 */ 136 if (policy->contents_encryption_mode != FSCRYPT_MODE_AES_256_XTS) { 137 fscrypt_warn(inode, 138 "Can't use %s policy with contents mode other than AES-256-XTS", 139 type); 140 return false; 141 } 142 143 /* 144 * It's unsafe to include inode numbers in the IVs if the filesystem can 145 * potentially renumber inodes, e.g. via filesystem shrinking. 146 */ 147 if (!sb->s_cop->has_stable_inodes || 148 !sb->s_cop->has_stable_inodes(sb)) { 149 fscrypt_warn(inode, 150 "Can't use %s policy on filesystem '%s' because it doesn't have stable inode numbers", 151 type, sb->s_id); 152 return false; 153 } 154 155 /* 156 * IV_INO_LBLK_64 and IV_INO_LBLK_32 both require that inode numbers fit 157 * in 32 bits. In principle, IV_INO_LBLK_32 could support longer inode 158 * numbers because it hashes the inode number; however, currently the 159 * inode number is gotten from inode::i_ino which is 'unsigned long'. 160 * So for now the implementation limit is 32 bits. 161 */ 162 if (!sb->s_cop->has_32bit_inodes) { 163 fscrypt_warn(inode, 164 "Can't use %s policy on filesystem '%s' because its inode numbers are too long", 165 type, sb->s_id); 166 return false; 167 } 168 169 /* 170 * IV_INO_LBLK_64 and IV_INO_LBLK_32 both require that file data unit 171 * indices fit in 32 bits. 172 */ 173 if (fscrypt_max_file_dun_bits(sb, 174 fscrypt_policy_v2_du_bits(policy, inode)) > 32) { 175 fscrypt_warn(inode, 176 "Can't use %s policy on filesystem '%s' because its maximum file size is too large", 177 type, sb->s_id); 178 return false; 179 } 180 return true; 181 } 182 183 static bool fscrypt_supported_v1_policy(const struct fscrypt_policy_v1 *policy, 184 const struct inode *inode) 185 { 186 if (!fscrypt_valid_enc_modes_v1(policy->contents_encryption_mode, 187 policy->filenames_encryption_mode)) { 188 fscrypt_warn(inode, 189 "Unsupported encryption modes (contents %d, filenames %d)", 190 policy->contents_encryption_mode, 191 policy->filenames_encryption_mode); 192 return false; 193 } 194 195 if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK | 196 FSCRYPT_POLICY_FLAG_DIRECT_KEY)) { 197 fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", 198 policy->flags); 199 return false; 200 } 201 202 if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) && 203 !supported_direct_key_modes(inode, policy->contents_encryption_mode, 204 policy->filenames_encryption_mode)) 205 return false; 206 207 if (IS_CASEFOLDED(inode)) { 208 /* With v1, there's no way to derive dirhash keys. */ 209 fscrypt_warn(inode, 210 "v1 policies can't be used on casefolded directories"); 211 return false; 212 } 213 214 return true; 215 } 216 217 static bool fscrypt_supported_v2_policy(const struct fscrypt_policy_v2 *policy, 218 const struct inode *inode) 219 { 220 int count = 0; 221 222 if (!fscrypt_valid_enc_modes_v2(policy->contents_encryption_mode, 223 policy->filenames_encryption_mode)) { 224 fscrypt_warn(inode, 225 "Unsupported encryption modes (contents %d, filenames %d)", 226 policy->contents_encryption_mode, 227 policy->filenames_encryption_mode); 228 return false; 229 } 230 231 if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK | 232 FSCRYPT_POLICY_FLAG_DIRECT_KEY | 233 FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 | 234 FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) { 235 fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", 236 policy->flags); 237 return false; 238 } 239 240 count += !!(policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY); 241 count += !!(policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64); 242 count += !!(policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32); 243 if (count > 1) { 244 fscrypt_warn(inode, "Mutually exclusive encryption flags (0x%02x)", 245 policy->flags); 246 return false; 247 } 248 249 if (policy->log2_data_unit_size) { 250 if (!inode->i_sb->s_cop->supports_subblock_data_units) { 251 fscrypt_warn(inode, 252 "Filesystem does not support configuring crypto data unit size"); 253 return false; 254 } 255 if (policy->log2_data_unit_size > inode->i_blkbits || 256 policy->log2_data_unit_size < SECTOR_SHIFT /* 9 */) { 257 fscrypt_warn(inode, 258 "Unsupported log2_data_unit_size in encryption policy: %d", 259 policy->log2_data_unit_size); 260 return false; 261 } 262 if (policy->log2_data_unit_size != inode->i_blkbits && 263 (policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) { 264 /* 265 * Not safe to enable yet, as we need to ensure that DUN 266 * wraparound can only occur on a FS block boundary. 267 */ 268 fscrypt_warn(inode, 269 "Sub-block data units not yet supported with IV_INO_LBLK_32"); 270 return false; 271 } 272 } 273 274 if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) && 275 !supported_direct_key_modes(inode, policy->contents_encryption_mode, 276 policy->filenames_encryption_mode)) 277 return false; 278 279 if ((policy->flags & (FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 | 280 FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) && 281 !supported_iv_ino_lblk_policy(policy, inode)) 282 return false; 283 284 if (memchr_inv(policy->__reserved, 0, sizeof(policy->__reserved))) { 285 fscrypt_warn(inode, "Reserved bits set in encryption policy"); 286 return false; 287 } 288 289 return true; 290 } 291 292 /** 293 * fscrypt_supported_policy() - check whether an encryption policy is supported 294 * @policy_u: the encryption policy 295 * @inode: the inode on which the policy will be used 296 * 297 * Given an encryption policy, check whether all its encryption modes and other 298 * settings are supported by this kernel on the given inode. (But we don't 299 * currently don't check for crypto API support here, so attempting to use an 300 * algorithm not configured into the crypto API will still fail later.) 301 * 302 * Return: %true if supported, else %false 303 */ 304 bool fscrypt_supported_policy(const union fscrypt_policy *policy_u, 305 const struct inode *inode) 306 { 307 switch (policy_u->version) { 308 case FSCRYPT_POLICY_V1: 309 return fscrypt_supported_v1_policy(&policy_u->v1, inode); 310 case FSCRYPT_POLICY_V2: 311 return fscrypt_supported_v2_policy(&policy_u->v2, inode); 312 } 313 return false; 314 } 315 316 /** 317 * fscrypt_new_context() - create a new fscrypt_context 318 * @ctx_u: output context 319 * @policy_u: input policy 320 * @nonce: nonce to use 321 * 322 * Create an fscrypt_context for an inode that is being assigned the given 323 * encryption policy. @nonce must be a new random nonce. 324 * 325 * Return: the size of the new context in bytes. 326 */ 327 static int fscrypt_new_context(union fscrypt_context *ctx_u, 328 const union fscrypt_policy *policy_u, 329 const u8 nonce[FSCRYPT_FILE_NONCE_SIZE]) 330 { 331 memset(ctx_u, 0, sizeof(*ctx_u)); 332 333 switch (policy_u->version) { 334 case FSCRYPT_POLICY_V1: { 335 const struct fscrypt_policy_v1 *policy = &policy_u->v1; 336 struct fscrypt_context_v1 *ctx = &ctx_u->v1; 337 338 ctx->version = FSCRYPT_CONTEXT_V1; 339 ctx->contents_encryption_mode = 340 policy->contents_encryption_mode; 341 ctx->filenames_encryption_mode = 342 policy->filenames_encryption_mode; 343 ctx->flags = policy->flags; 344 memcpy(ctx->master_key_descriptor, 345 policy->master_key_descriptor, 346 sizeof(ctx->master_key_descriptor)); 347 memcpy(ctx->nonce, nonce, FSCRYPT_FILE_NONCE_SIZE); 348 return sizeof(*ctx); 349 } 350 case FSCRYPT_POLICY_V2: { 351 const struct fscrypt_policy_v2 *policy = &policy_u->v2; 352 struct fscrypt_context_v2 *ctx = &ctx_u->v2; 353 354 ctx->version = FSCRYPT_CONTEXT_V2; 355 ctx->contents_encryption_mode = 356 policy->contents_encryption_mode; 357 ctx->filenames_encryption_mode = 358 policy->filenames_encryption_mode; 359 ctx->flags = policy->flags; 360 ctx->log2_data_unit_size = policy->log2_data_unit_size; 361 memcpy(ctx->master_key_identifier, 362 policy->master_key_identifier, 363 sizeof(ctx->master_key_identifier)); 364 memcpy(ctx->nonce, nonce, FSCRYPT_FILE_NONCE_SIZE); 365 return sizeof(*ctx); 366 } 367 } 368 BUG(); 369 } 370 371 /** 372 * fscrypt_policy_from_context() - convert an fscrypt_context to 373 * an fscrypt_policy 374 * @policy_u: output policy 375 * @ctx_u: input context 376 * @ctx_size: size of input context in bytes 377 * 378 * Given an fscrypt_context, build the corresponding fscrypt_policy. 379 * 380 * Return: 0 on success, or -EINVAL if the fscrypt_context has an unrecognized 381 * version number or size. 382 * 383 * This does *not* validate the settings within the policy itself, e.g. the 384 * modes, flags, and reserved bits. Use fscrypt_supported_policy() for that. 385 */ 386 int fscrypt_policy_from_context(union fscrypt_policy *policy_u, 387 const union fscrypt_context *ctx_u, 388 int ctx_size) 389 { 390 memset(policy_u, 0, sizeof(*policy_u)); 391 392 if (!fscrypt_context_is_valid(ctx_u, ctx_size)) 393 return -EINVAL; 394 395 switch (ctx_u->version) { 396 case FSCRYPT_CONTEXT_V1: { 397 const struct fscrypt_context_v1 *ctx = &ctx_u->v1; 398 struct fscrypt_policy_v1 *policy = &policy_u->v1; 399 400 policy->version = FSCRYPT_POLICY_V1; 401 policy->contents_encryption_mode = 402 ctx->contents_encryption_mode; 403 policy->filenames_encryption_mode = 404 ctx->filenames_encryption_mode; 405 policy->flags = ctx->flags; 406 memcpy(policy->master_key_descriptor, 407 ctx->master_key_descriptor, 408 sizeof(policy->master_key_descriptor)); 409 return 0; 410 } 411 case FSCRYPT_CONTEXT_V2: { 412 const struct fscrypt_context_v2 *ctx = &ctx_u->v2; 413 struct fscrypt_policy_v2 *policy = &policy_u->v2; 414 415 policy->version = FSCRYPT_POLICY_V2; 416 policy->contents_encryption_mode = 417 ctx->contents_encryption_mode; 418 policy->filenames_encryption_mode = 419 ctx->filenames_encryption_mode; 420 policy->flags = ctx->flags; 421 policy->log2_data_unit_size = ctx->log2_data_unit_size; 422 memcpy(policy->__reserved, ctx->__reserved, 423 sizeof(policy->__reserved)); 424 memcpy(policy->master_key_identifier, 425 ctx->master_key_identifier, 426 sizeof(policy->master_key_identifier)); 427 return 0; 428 } 429 } 430 /* unreachable */ 431 return -EINVAL; 432 } 433 434 /* Retrieve an inode's encryption policy */ 435 static int fscrypt_get_policy(struct inode *inode, union fscrypt_policy *policy) 436 { 437 const struct fscrypt_inode_info *ci; 438 union fscrypt_context ctx; 439 int ret; 440 441 ci = fscrypt_get_inode_info(inode); 442 if (ci) { 443 /* key available, use the cached policy */ 444 *policy = ci->ci_policy; 445 return 0; 446 } 447 448 if (!IS_ENCRYPTED(inode)) 449 return -ENODATA; 450 451 ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); 452 if (ret < 0) 453 return (ret == -ERANGE) ? -EINVAL : ret; 454 455 return fscrypt_policy_from_context(policy, &ctx, ret); 456 } 457 458 static int set_encryption_policy(struct inode *inode, 459 const union fscrypt_policy *policy) 460 { 461 u8 nonce[FSCRYPT_FILE_NONCE_SIZE]; 462 union fscrypt_context ctx; 463 int ctxsize; 464 int err; 465 466 if (!fscrypt_supported_policy(policy, inode)) 467 return -EINVAL; 468 469 switch (policy->version) { 470 case FSCRYPT_POLICY_V1: 471 /* 472 * The original encryption policy version provided no way of 473 * verifying that the correct master key was supplied, which was 474 * insecure in scenarios where multiple users have access to the 475 * same encrypted files (even just read-only access). The new 476 * encryption policy version fixes this and also implies use of 477 * an improved key derivation function and allows non-root users 478 * to securely remove keys. So as long as compatibility with 479 * old kernels isn't required, it is recommended to use the new 480 * policy version for all new encrypted directories. 481 */ 482 pr_warn_once("%s (pid %d) is setting deprecated v1 encryption policy; recommend upgrading to v2.\n", 483 current->comm, current->pid); 484 break; 485 case FSCRYPT_POLICY_V2: 486 err = fscrypt_verify_key_added(inode->i_sb, 487 policy->v2.master_key_identifier); 488 if (err) 489 return err; 490 if (policy->v2.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) 491 pr_warn_once("%s (pid %d) is setting an IV_INO_LBLK_32 encryption policy. This should only be used if there are certain hardware limitations.\n", 492 current->comm, current->pid); 493 break; 494 default: 495 WARN_ON_ONCE(1); 496 return -EINVAL; 497 } 498 499 get_random_bytes(nonce, FSCRYPT_FILE_NONCE_SIZE); 500 ctxsize = fscrypt_new_context(&ctx, policy, nonce); 501 502 return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, NULL); 503 } 504 505 int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg) 506 { 507 union fscrypt_policy policy; 508 union fscrypt_policy existing_policy; 509 struct inode *inode = file_inode(filp); 510 u8 version; 511 int size; 512 int ret; 513 514 if (get_user(policy.version, (const u8 __user *)arg)) 515 return -EFAULT; 516 517 size = fscrypt_policy_size(&policy); 518 if (size <= 0) 519 return -EINVAL; 520 521 /* 522 * We should just copy the remaining 'size - 1' bytes here, but a 523 * bizarre bug in gcc 7 and earlier (fixed by gcc r255731) causes gcc to 524 * think that size can be 0 here (despite the check above!) *and* that 525 * it's a compile-time constant. Thus it would think copy_from_user() 526 * is passed compile-time constant ULONG_MAX, causing the compile-time 527 * buffer overflow check to fail, breaking the build. This only occurred 528 * when building an i386 kernel with -Os and branch profiling enabled. 529 * 530 * Work around it by just copying the first byte again... 531 */ 532 version = policy.version; 533 if (copy_from_user(&policy, arg, size)) 534 return -EFAULT; 535 policy.version = version; 536 537 if (!inode_owner_or_capable(&nop_mnt_idmap, inode)) 538 return -EACCES; 539 540 ret = mnt_want_write_file(filp); 541 if (ret) 542 return ret; 543 544 inode_lock(inode); 545 546 ret = fscrypt_get_policy(inode, &existing_policy); 547 if (ret == -ENODATA) { 548 if (!S_ISDIR(inode->i_mode)) 549 ret = -ENOTDIR; 550 else if (IS_DEADDIR(inode)) 551 ret = -ENOENT; 552 else if (!inode->i_sb->s_cop->empty_dir(inode)) 553 ret = -ENOTEMPTY; 554 else 555 ret = set_encryption_policy(inode, &policy); 556 } else if (ret == -EINVAL || 557 (ret == 0 && !fscrypt_policies_equal(&policy, 558 &existing_policy))) { 559 /* The file already uses a different encryption policy. */ 560 ret = -EEXIST; 561 } 562 563 inode_unlock(inode); 564 565 mnt_drop_write_file(filp); 566 return ret; 567 } 568 EXPORT_SYMBOL(fscrypt_ioctl_set_policy); 569 570 /* Original ioctl version; can only get the original policy version */ 571 int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg) 572 { 573 union fscrypt_policy policy; 574 int err; 575 576 err = fscrypt_get_policy(file_inode(filp), &policy); 577 if (err) 578 return err; 579 580 if (policy.version != FSCRYPT_POLICY_V1) 581 return -EINVAL; 582 583 if (copy_to_user(arg, &policy, sizeof(policy.v1))) 584 return -EFAULT; 585 return 0; 586 } 587 EXPORT_SYMBOL(fscrypt_ioctl_get_policy); 588 589 /* Extended ioctl version; can get policies of any version */ 590 int fscrypt_ioctl_get_policy_ex(struct file *filp, void __user *uarg) 591 { 592 struct fscrypt_get_policy_ex_arg arg; 593 union fscrypt_policy *policy = (union fscrypt_policy *)&arg.policy; 594 size_t policy_size; 595 int err; 596 597 /* arg is policy_size, then policy */ 598 BUILD_BUG_ON(offsetof(typeof(arg), policy_size) != 0); 599 BUILD_BUG_ON(offsetofend(typeof(arg), policy_size) != 600 offsetof(typeof(arg), policy)); 601 BUILD_BUG_ON(sizeof(arg.policy) != sizeof(*policy)); 602 603 err = fscrypt_get_policy(file_inode(filp), policy); 604 if (err) 605 return err; 606 policy_size = fscrypt_policy_size(policy); 607 608 if (copy_from_user(&arg, uarg, sizeof(arg.policy_size))) 609 return -EFAULT; 610 611 if (policy_size > arg.policy_size) 612 return -EOVERFLOW; 613 arg.policy_size = policy_size; 614 615 if (copy_to_user(uarg, &arg, sizeof(arg.policy_size) + policy_size)) 616 return -EFAULT; 617 return 0; 618 } 619 EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_policy_ex); 620 621 /* FS_IOC_GET_ENCRYPTION_NONCE: retrieve file's encryption nonce for testing */ 622 int fscrypt_ioctl_get_nonce(struct file *filp, void __user *arg) 623 { 624 struct inode *inode = file_inode(filp); 625 union fscrypt_context ctx; 626 int ret; 627 628 ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); 629 if (ret < 0) 630 return ret; 631 if (!fscrypt_context_is_valid(&ctx, ret)) 632 return -EINVAL; 633 if (copy_to_user(arg, fscrypt_context_nonce(&ctx), 634 FSCRYPT_FILE_NONCE_SIZE)) 635 return -EFAULT; 636 return 0; 637 } 638 EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_nonce); 639 640 /** 641 * fscrypt_has_permitted_context() - is a file's encryption policy permitted 642 * within its directory? 643 * 644 * @parent: inode for parent directory 645 * @child: inode for file being looked up, opened, or linked into @parent 646 * 647 * Filesystems must call this before permitting access to an inode in a 648 * situation where the parent directory is encrypted (either before allowing 649 * ->lookup() to succeed, or for a regular file before allowing it to be opened) 650 * and before any operation that involves linking an inode into an encrypted 651 * directory, including link, rename, and cross rename. It enforces the 652 * constraint that within a given encrypted directory tree, all files use the 653 * same encryption policy. The pre-access check is needed to detect potentially 654 * malicious offline violations of this constraint, while the link and rename 655 * checks are needed to prevent online violations of this constraint. 656 * 657 * Return: 1 if permitted, 0 if forbidden. 658 */ 659 int fscrypt_has_permitted_context(struct inode *parent, struct inode *child) 660 { 661 union fscrypt_policy parent_policy, child_policy; 662 int err, err1, err2; 663 664 /* No restrictions on file types which are never encrypted */ 665 if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) && 666 !S_ISLNK(child->i_mode)) 667 return 1; 668 669 /* No restrictions if the parent directory is unencrypted */ 670 if (!IS_ENCRYPTED(parent)) 671 return 1; 672 673 /* Encrypted directories must not contain unencrypted files */ 674 if (!IS_ENCRYPTED(child)) 675 return 0; 676 677 /* 678 * Both parent and child are encrypted, so verify they use the same 679 * encryption policy. Compare the cached policies if the keys are 680 * available, otherwise retrieve and compare the fscrypt_contexts. 681 * 682 * Note that the fscrypt_context retrieval will be required frequently 683 * when accessing an encrypted directory tree without the key. 684 * Performance-wise this is not a big deal because we already don't 685 * really optimize for file access without the key (to the extent that 686 * such access is even possible), given that any attempted access 687 * already causes a fscrypt_context retrieval and keyring search. 688 * 689 * In any case, if an unexpected error occurs, fall back to "forbidden". 690 */ 691 692 err = fscrypt_get_encryption_info(parent, true); 693 if (err) 694 return 0; 695 err = fscrypt_get_encryption_info(child, true); 696 if (err) 697 return 0; 698 699 err1 = fscrypt_get_policy(parent, &parent_policy); 700 err2 = fscrypt_get_policy(child, &child_policy); 701 702 /* 703 * Allow the case where the parent and child both have an unrecognized 704 * encryption policy, so that files with an unrecognized encryption 705 * policy can be deleted. 706 */ 707 if (err1 == -EINVAL && err2 == -EINVAL) 708 return 1; 709 710 if (err1 || err2) 711 return 0; 712 713 return fscrypt_policies_equal(&parent_policy, &child_policy); 714 } 715 EXPORT_SYMBOL(fscrypt_has_permitted_context); 716 717 /* 718 * Return the encryption policy that new files in the directory will inherit, or 719 * NULL if none, or an ERR_PTR() on error. If the directory is encrypted, also 720 * ensure that its key is set up, so that the new filename can be encrypted. 721 */ 722 const union fscrypt_policy *fscrypt_policy_to_inherit(struct inode *dir) 723 { 724 int err; 725 726 if (IS_ENCRYPTED(dir)) { 727 err = fscrypt_require_key(dir); 728 if (err) 729 return ERR_PTR(err); 730 return &dir->i_crypt_info->ci_policy; 731 } 732 733 return fscrypt_get_dummy_policy(dir->i_sb); 734 } 735 736 /** 737 * fscrypt_context_for_new_inode() - create an encryption context for a new inode 738 * @ctx: where context should be written 739 * @inode: inode from which to fetch policy and nonce 740 * 741 * Given an in-core "prepared" (via fscrypt_prepare_new_inode) inode, 742 * generate a new context and write it to ctx. ctx _must_ be at least 743 * FSCRYPT_SET_CONTEXT_MAX_SIZE bytes. 744 * 745 * Return: size of the resulting context or a negative error code. 746 */ 747 int fscrypt_context_for_new_inode(void *ctx, struct inode *inode) 748 { 749 struct fscrypt_inode_info *ci = inode->i_crypt_info; 750 751 BUILD_BUG_ON(sizeof(union fscrypt_context) != 752 FSCRYPT_SET_CONTEXT_MAX_SIZE); 753 754 /* fscrypt_prepare_new_inode() should have set up the key already. */ 755 if (WARN_ON_ONCE(!ci)) 756 return -ENOKEY; 757 758 return fscrypt_new_context(ctx, &ci->ci_policy, ci->ci_nonce); 759 } 760 EXPORT_SYMBOL_GPL(fscrypt_context_for_new_inode); 761 762 /** 763 * fscrypt_set_context() - Set the fscrypt context of a new inode 764 * @inode: a new inode 765 * @fs_data: private data given by FS and passed to ->set_context() 766 * 767 * This should be called after fscrypt_prepare_new_inode(), generally during a 768 * filesystem transaction. Everything here must be %GFP_NOFS-safe. 769 * 770 * Return: 0 on success, -errno on failure 771 */ 772 int fscrypt_set_context(struct inode *inode, void *fs_data) 773 { 774 struct fscrypt_inode_info *ci = inode->i_crypt_info; 775 union fscrypt_context ctx; 776 int ctxsize; 777 778 ctxsize = fscrypt_context_for_new_inode(&ctx, inode); 779 if (ctxsize < 0) 780 return ctxsize; 781 782 /* 783 * This may be the first time the inode number is available, so do any 784 * delayed key setup that requires the inode number. 785 */ 786 if (ci->ci_policy.version == FSCRYPT_POLICY_V2 && 787 (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) 788 fscrypt_hash_inode_number(ci, ci->ci_master_key); 789 790 return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, fs_data); 791 } 792 EXPORT_SYMBOL_GPL(fscrypt_set_context); 793 794 /** 795 * fscrypt_parse_test_dummy_encryption() - parse the test_dummy_encryption mount option 796 * @param: the mount option 797 * @dummy_policy: (input/output) the place to write the dummy policy that will 798 * result from parsing the option. Zero-initialize this. If a policy is 799 * already set here (due to test_dummy_encryption being given multiple 800 * times), then this function will verify that the policies are the same. 801 * 802 * Return: 0 on success; -EINVAL if the argument is invalid; -EEXIST if the 803 * argument conflicts with one already specified; or -ENOMEM. 804 */ 805 int fscrypt_parse_test_dummy_encryption(const struct fs_parameter *param, 806 struct fscrypt_dummy_policy *dummy_policy) 807 { 808 const char *arg = "v2"; 809 union fscrypt_policy *policy; 810 int err; 811 812 if (param->type == fs_value_is_string && *param->string) 813 arg = param->string; 814 815 policy = kzalloc(sizeof(*policy), GFP_KERNEL); 816 if (!policy) 817 return -ENOMEM; 818 819 if (!strcmp(arg, "v1")) { 820 policy->version = FSCRYPT_POLICY_V1; 821 policy->v1.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; 822 policy->v1.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; 823 memset(policy->v1.master_key_descriptor, 0x42, 824 FSCRYPT_KEY_DESCRIPTOR_SIZE); 825 } else if (!strcmp(arg, "v2")) { 826 policy->version = FSCRYPT_POLICY_V2; 827 policy->v2.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; 828 policy->v2.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; 829 err = fscrypt_get_test_dummy_key_identifier( 830 policy->v2.master_key_identifier); 831 if (err) 832 goto out; 833 } else { 834 err = -EINVAL; 835 goto out; 836 } 837 838 if (dummy_policy->policy) { 839 if (fscrypt_policies_equal(policy, dummy_policy->policy)) 840 err = 0; 841 else 842 err = -EEXIST; 843 goto out; 844 } 845 dummy_policy->policy = policy; 846 policy = NULL; 847 err = 0; 848 out: 849 kfree(policy); 850 return err; 851 } 852 EXPORT_SYMBOL_GPL(fscrypt_parse_test_dummy_encryption); 853 854 /** 855 * fscrypt_dummy_policies_equal() - check whether two dummy policies are equal 856 * @p1: the first test dummy policy (may be unset) 857 * @p2: the second test dummy policy (may be unset) 858 * 859 * Return: %true if the dummy policies are both set and equal, or both unset. 860 */ 861 bool fscrypt_dummy_policies_equal(const struct fscrypt_dummy_policy *p1, 862 const struct fscrypt_dummy_policy *p2) 863 { 864 if (!p1->policy && !p2->policy) 865 return true; 866 if (!p1->policy || !p2->policy) 867 return false; 868 return fscrypt_policies_equal(p1->policy, p2->policy); 869 } 870 EXPORT_SYMBOL_GPL(fscrypt_dummy_policies_equal); 871 872 /** 873 * fscrypt_show_test_dummy_encryption() - show '-o test_dummy_encryption' 874 * @seq: the seq_file to print the option to 875 * @sep: the separator character to use 876 * @sb: the filesystem whose options are being shown 877 * 878 * Show the test_dummy_encryption mount option, if it was specified. 879 * This is mainly used for /proc/mounts. 880 */ 881 void fscrypt_show_test_dummy_encryption(struct seq_file *seq, char sep, 882 struct super_block *sb) 883 { 884 const union fscrypt_policy *policy = fscrypt_get_dummy_policy(sb); 885 int vers; 886 887 if (!policy) 888 return; 889 890 vers = policy->version; 891 if (vers == FSCRYPT_POLICY_V1) /* Handle numbering quirk */ 892 vers = 1; 893 894 seq_printf(seq, "%ctest_dummy_encryption=v%d", sep, vers); 895 } 896 EXPORT_SYMBOL_GPL(fscrypt_show_test_dummy_encryption); 897