1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * fs/crypto/hooks.c |
4 | * |
5 | * Encryption hooks for higher-level filesystem operations. |
6 | */ |
7 | |
8 | #include "fscrypt_private.h" |
9 | |
10 | /** |
11 | * fscrypt_file_open() - prepare to open a possibly-encrypted regular file |
12 | * @inode: the inode being opened |
13 | * @filp: the struct file being set up |
14 | * |
15 | * Currently, an encrypted regular file can only be opened if its encryption key |
16 | * is available; access to the raw encrypted contents is not supported. |
17 | * Therefore, we first set up the inode's encryption key (if not already done) |
18 | * and return an error if it's unavailable. |
19 | * |
20 | * We also verify that if the parent directory (from the path via which the file |
21 | * is being opened) is encrypted, then the inode being opened uses the same |
22 | * encryption policy. This is needed as part of the enforcement that all files |
23 | * in an encrypted directory tree use the same encryption policy, as a |
24 | * protection against certain types of offline attacks. Note that this check is |
25 | * needed even when opening an *unencrypted* file, since it's forbidden to have |
26 | * an unencrypted file in an encrypted directory. |
27 | * |
28 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code |
29 | */ |
30 | int fscrypt_file_open(struct inode *inode, struct file *filp) |
31 | { |
32 | int err; |
33 | struct dentry *dir; |
34 | |
35 | err = fscrypt_require_key(inode); |
36 | if (err) |
37 | return err; |
38 | |
39 | dir = dget_parent(dentry: file_dentry(file: filp)); |
40 | if (IS_ENCRYPTED(d_inode(dir)) && |
41 | !fscrypt_has_permitted_context(parent: d_inode(dentry: dir), child: inode)) { |
42 | fscrypt_warn(inode, |
43 | "Inconsistent encryption context (parent directory: %lu)" , |
44 | d_inode(dir)->i_ino); |
45 | err = -EPERM; |
46 | } |
47 | dput(dir); |
48 | return err; |
49 | } |
50 | EXPORT_SYMBOL_GPL(fscrypt_file_open); |
51 | |
52 | int __fscrypt_prepare_link(struct inode *inode, struct inode *dir, |
53 | struct dentry *dentry) |
54 | { |
55 | if (fscrypt_is_nokey_name(dentry)) |
56 | return -ENOKEY; |
57 | /* |
58 | * We don't need to separately check that the directory inode's key is |
59 | * available, as it's implied by the dentry not being a no-key name. |
60 | */ |
61 | |
62 | if (!fscrypt_has_permitted_context(parent: dir, child: inode)) |
63 | return -EXDEV; |
64 | |
65 | return 0; |
66 | } |
67 | EXPORT_SYMBOL_GPL(__fscrypt_prepare_link); |
68 | |
69 | int __fscrypt_prepare_rename(struct inode *old_dir, struct dentry *old_dentry, |
70 | struct inode *new_dir, struct dentry *new_dentry, |
71 | unsigned int flags) |
72 | { |
73 | if (fscrypt_is_nokey_name(dentry: old_dentry) || |
74 | fscrypt_is_nokey_name(dentry: new_dentry)) |
75 | return -ENOKEY; |
76 | /* |
77 | * We don't need to separately check that the directory inodes' keys are |
78 | * available, as it's implied by the dentries not being no-key names. |
79 | */ |
80 | |
81 | if (old_dir != new_dir) { |
82 | if (IS_ENCRYPTED(new_dir) && |
83 | !fscrypt_has_permitted_context(parent: new_dir, |
84 | child: d_inode(dentry: old_dentry))) |
85 | return -EXDEV; |
86 | |
87 | if ((flags & RENAME_EXCHANGE) && |
88 | IS_ENCRYPTED(old_dir) && |
89 | !fscrypt_has_permitted_context(parent: old_dir, |
90 | child: d_inode(dentry: new_dentry))) |
91 | return -EXDEV; |
92 | } |
93 | return 0; |
94 | } |
95 | EXPORT_SYMBOL_GPL(__fscrypt_prepare_rename); |
96 | |
97 | int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry, |
98 | struct fscrypt_name *fname) |
99 | { |
100 | int err = fscrypt_setup_filename(inode: dir, iname: &dentry->d_name, lookup: 1, fname); |
101 | |
102 | if (err && err != -ENOENT) |
103 | return err; |
104 | |
105 | fscrypt_prepare_dentry(dentry, is_nokey_name: fname->is_nokey_name); |
106 | |
107 | return err; |
108 | } |
109 | EXPORT_SYMBOL_GPL(__fscrypt_prepare_lookup); |
110 | |
111 | /** |
112 | * fscrypt_prepare_lookup_partial() - prepare lookup without filename setup |
113 | * @dir: the encrypted directory being searched |
114 | * @dentry: the dentry being looked up in @dir |
115 | * |
116 | * This function should be used by the ->lookup and ->atomic_open methods of |
117 | * filesystems that handle filename encryption and no-key name encoding |
118 | * themselves and thus can't use fscrypt_prepare_lookup(). Like |
119 | * fscrypt_prepare_lookup(), this will try to set up the directory's encryption |
120 | * key and will set DCACHE_NOKEY_NAME on the dentry if the key is unavailable. |
121 | * However, this function doesn't set up a struct fscrypt_name for the filename. |
122 | * |
123 | * Return: 0 on success; -errno on error. Note that the encryption key being |
124 | * unavailable is not considered an error. It is also not an error if |
125 | * the encryption policy is unsupported by this kernel; that is treated |
126 | * like the key being unavailable, so that files can still be deleted. |
127 | */ |
128 | int fscrypt_prepare_lookup_partial(struct inode *dir, struct dentry *dentry) |
129 | { |
130 | int err = fscrypt_get_encryption_info(inode: dir, allow_unsupported: true); |
131 | bool is_nokey_name = (!err && !fscrypt_has_encryption_key(inode: dir)); |
132 | |
133 | fscrypt_prepare_dentry(dentry, is_nokey_name); |
134 | |
135 | return err; |
136 | } |
137 | EXPORT_SYMBOL_GPL(fscrypt_prepare_lookup_partial); |
138 | |
139 | int __fscrypt_prepare_readdir(struct inode *dir) |
140 | { |
141 | return fscrypt_get_encryption_info(inode: dir, allow_unsupported: true); |
142 | } |
143 | EXPORT_SYMBOL_GPL(__fscrypt_prepare_readdir); |
144 | |
145 | int __fscrypt_prepare_setattr(struct dentry *dentry, struct iattr *attr) |
146 | { |
147 | if (attr->ia_valid & ATTR_SIZE) |
148 | return fscrypt_require_key(inode: d_inode(dentry)); |
149 | return 0; |
150 | } |
151 | EXPORT_SYMBOL_GPL(__fscrypt_prepare_setattr); |
152 | |
153 | /** |
154 | * fscrypt_prepare_setflags() - prepare to change flags with FS_IOC_SETFLAGS |
155 | * @inode: the inode on which flags are being changed |
156 | * @oldflags: the old flags |
157 | * @flags: the new flags |
158 | * |
159 | * The caller should be holding i_rwsem for write. |
160 | * |
161 | * Return: 0 on success; -errno if the flags change isn't allowed or if |
162 | * another error occurs. |
163 | */ |
164 | int fscrypt_prepare_setflags(struct inode *inode, |
165 | unsigned int oldflags, unsigned int flags) |
166 | { |
167 | struct fscrypt_inode_info *ci; |
168 | struct fscrypt_master_key *mk; |
169 | int err; |
170 | |
171 | /* |
172 | * When the CASEFOLD flag is set on an encrypted directory, we must |
173 | * derive the secret key needed for the dirhash. This is only possible |
174 | * if the directory uses a v2 encryption policy. |
175 | */ |
176 | if (IS_ENCRYPTED(inode) && (flags & ~oldflags & FS_CASEFOLD_FL)) { |
177 | err = fscrypt_require_key(inode); |
178 | if (err) |
179 | return err; |
180 | ci = inode->i_crypt_info; |
181 | if (ci->ci_policy.version != FSCRYPT_POLICY_V2) |
182 | return -EINVAL; |
183 | mk = ci->ci_master_key; |
184 | down_read(sem: &mk->mk_sem); |
185 | if (mk->mk_present) |
186 | err = fscrypt_derive_dirhash_key(ci, mk); |
187 | else |
188 | err = -ENOKEY; |
189 | up_read(sem: &mk->mk_sem); |
190 | return err; |
191 | } |
192 | return 0; |
193 | } |
194 | |
195 | /** |
196 | * fscrypt_prepare_symlink() - prepare to create a possibly-encrypted symlink |
197 | * @dir: directory in which the symlink is being created |
198 | * @target: plaintext symlink target |
199 | * @len: length of @target excluding null terminator |
200 | * @max_len: space the filesystem has available to store the symlink target |
201 | * @disk_link: (out) the on-disk symlink target being prepared |
202 | * |
203 | * This function computes the size the symlink target will require on-disk, |
204 | * stores it in @disk_link->len, and validates it against @max_len. An |
205 | * encrypted symlink may be longer than the original. |
206 | * |
207 | * Additionally, @disk_link->name is set to @target if the symlink will be |
208 | * unencrypted, but left NULL if the symlink will be encrypted. For encrypted |
209 | * symlinks, the filesystem must call fscrypt_encrypt_symlink() to create the |
210 | * on-disk target later. (The reason for the two-step process is that some |
211 | * filesystems need to know the size of the symlink target before creating the |
212 | * inode, e.g. to determine whether it will be a "fast" or "slow" symlink.) |
213 | * |
214 | * Return: 0 on success, -ENAMETOOLONG if the symlink target is too long, |
215 | * -ENOKEY if the encryption key is missing, or another -errno code if a problem |
216 | * occurred while setting up the encryption key. |
217 | */ |
218 | int fscrypt_prepare_symlink(struct inode *dir, const char *target, |
219 | unsigned int len, unsigned int max_len, |
220 | struct fscrypt_str *disk_link) |
221 | { |
222 | const union fscrypt_policy *policy; |
223 | |
224 | /* |
225 | * To calculate the size of the encrypted symlink target we need to know |
226 | * the amount of NUL padding, which is determined by the flags set in |
227 | * the encryption policy which will be inherited from the directory. |
228 | */ |
229 | policy = fscrypt_policy_to_inherit(dir); |
230 | if (policy == NULL) { |
231 | /* Not encrypted */ |
232 | disk_link->name = (unsigned char *)target; |
233 | disk_link->len = len + 1; |
234 | if (disk_link->len > max_len) |
235 | return -ENAMETOOLONG; |
236 | return 0; |
237 | } |
238 | if (IS_ERR(ptr: policy)) |
239 | return PTR_ERR(ptr: policy); |
240 | |
241 | /* |
242 | * Calculate the size of the encrypted symlink and verify it won't |
243 | * exceed max_len. Note that for historical reasons, encrypted symlink |
244 | * targets are prefixed with the ciphertext length, despite this |
245 | * actually being redundant with i_size. This decreases by 2 bytes the |
246 | * longest symlink target we can accept. |
247 | * |
248 | * We could recover 1 byte by not counting a null terminator, but |
249 | * counting it (even though it is meaningless for ciphertext) is simpler |
250 | * for now since filesystems will assume it is there and subtract it. |
251 | */ |
252 | if (!__fscrypt_fname_encrypted_size(policy, orig_len: len, |
253 | max_len: max_len - sizeof(struct fscrypt_symlink_data) - 1, |
254 | encrypted_len_ret: &disk_link->len)) |
255 | return -ENAMETOOLONG; |
256 | disk_link->len += sizeof(struct fscrypt_symlink_data) + 1; |
257 | |
258 | disk_link->name = NULL; |
259 | return 0; |
260 | } |
261 | EXPORT_SYMBOL_GPL(fscrypt_prepare_symlink); |
262 | |
263 | int __fscrypt_encrypt_symlink(struct inode *inode, const char *target, |
264 | unsigned int len, struct fscrypt_str *disk_link) |
265 | { |
266 | int err; |
267 | struct qstr iname = QSTR_INIT(target, len); |
268 | struct fscrypt_symlink_data *sd; |
269 | unsigned int ciphertext_len; |
270 | |
271 | /* |
272 | * fscrypt_prepare_new_inode() should have already set up the new |
273 | * symlink inode's encryption key. We don't wait until now to do it, |
274 | * since we may be in a filesystem transaction now. |
275 | */ |
276 | if (WARN_ON_ONCE(!fscrypt_has_encryption_key(inode))) |
277 | return -ENOKEY; |
278 | |
279 | if (disk_link->name) { |
280 | /* filesystem-provided buffer */ |
281 | sd = (struct fscrypt_symlink_data *)disk_link->name; |
282 | } else { |
283 | sd = kmalloc(size: disk_link->len, GFP_NOFS); |
284 | if (!sd) |
285 | return -ENOMEM; |
286 | } |
287 | ciphertext_len = disk_link->len - sizeof(*sd) - 1; |
288 | sd->len = cpu_to_le16(ciphertext_len); |
289 | |
290 | err = fscrypt_fname_encrypt(inode, iname: &iname, out: sd->encrypted_path, |
291 | olen: ciphertext_len); |
292 | if (err) |
293 | goto err_free_sd; |
294 | |
295 | /* |
296 | * Null-terminating the ciphertext doesn't make sense, but we still |
297 | * count the null terminator in the length, so we might as well |
298 | * initialize it just in case the filesystem writes it out. |
299 | */ |
300 | sd->encrypted_path[ciphertext_len] = '\0'; |
301 | |
302 | /* Cache the plaintext symlink target for later use by get_link() */ |
303 | err = -ENOMEM; |
304 | inode->i_link = kmemdup(p: target, size: len + 1, GFP_NOFS); |
305 | if (!inode->i_link) |
306 | goto err_free_sd; |
307 | |
308 | if (!disk_link->name) |
309 | disk_link->name = (unsigned char *)sd; |
310 | return 0; |
311 | |
312 | err_free_sd: |
313 | if (!disk_link->name) |
314 | kfree(objp: sd); |
315 | return err; |
316 | } |
317 | EXPORT_SYMBOL_GPL(__fscrypt_encrypt_symlink); |
318 | |
319 | /** |
320 | * fscrypt_get_symlink() - get the target of an encrypted symlink |
321 | * @inode: the symlink inode |
322 | * @caddr: the on-disk contents of the symlink |
323 | * @max_size: size of @caddr buffer |
324 | * @done: if successful, will be set up to free the returned target if needed |
325 | * |
326 | * If the symlink's encryption key is available, we decrypt its target. |
327 | * Otherwise, we encode its target for presentation. |
328 | * |
329 | * This may sleep, so the filesystem must have dropped out of RCU mode already. |
330 | * |
331 | * Return: the presentable symlink target or an ERR_PTR() |
332 | */ |
333 | const char *fscrypt_get_symlink(struct inode *inode, const void *caddr, |
334 | unsigned int max_size, |
335 | struct delayed_call *done) |
336 | { |
337 | const struct fscrypt_symlink_data *sd; |
338 | struct fscrypt_str cstr, pstr; |
339 | bool has_key; |
340 | int err; |
341 | |
342 | /* This is for encrypted symlinks only */ |
343 | if (WARN_ON_ONCE(!IS_ENCRYPTED(inode))) |
344 | return ERR_PTR(error: -EINVAL); |
345 | |
346 | /* If the decrypted target is already cached, just return it. */ |
347 | pstr.name = READ_ONCE(inode->i_link); |
348 | if (pstr.name) |
349 | return pstr.name; |
350 | |
351 | /* |
352 | * Try to set up the symlink's encryption key, but we can continue |
353 | * regardless of whether the key is available or not. |
354 | */ |
355 | err = fscrypt_get_encryption_info(inode, allow_unsupported: false); |
356 | if (err) |
357 | return ERR_PTR(error: err); |
358 | has_key = fscrypt_has_encryption_key(inode); |
359 | |
360 | /* |
361 | * For historical reasons, encrypted symlink targets are prefixed with |
362 | * the ciphertext length, even though this is redundant with i_size. |
363 | */ |
364 | |
365 | if (max_size < sizeof(*sd) + 1) |
366 | return ERR_PTR(error: -EUCLEAN); |
367 | sd = caddr; |
368 | cstr.name = (unsigned char *)sd->encrypted_path; |
369 | cstr.len = le16_to_cpu(sd->len); |
370 | |
371 | if (cstr.len == 0) |
372 | return ERR_PTR(error: -EUCLEAN); |
373 | |
374 | if (cstr.len + sizeof(*sd) > max_size) |
375 | return ERR_PTR(error: -EUCLEAN); |
376 | |
377 | err = fscrypt_fname_alloc_buffer(max_encrypted_len: cstr.len, crypto_str: &pstr); |
378 | if (err) |
379 | return ERR_PTR(error: err); |
380 | |
381 | err = fscrypt_fname_disk_to_usr(inode, hash: 0, minor_hash: 0, iname: &cstr, oname: &pstr); |
382 | if (err) |
383 | goto err_kfree; |
384 | |
385 | err = -EUCLEAN; |
386 | if (pstr.name[0] == '\0') |
387 | goto err_kfree; |
388 | |
389 | pstr.name[pstr.len] = '\0'; |
390 | |
391 | /* |
392 | * Cache decrypted symlink targets in i_link for later use. Don't cache |
393 | * symlink targets encoded without the key, since those become outdated |
394 | * once the key is added. This pairs with the READ_ONCE() above and in |
395 | * the VFS path lookup code. |
396 | */ |
397 | if (!has_key || |
398 | cmpxchg_release(&inode->i_link, NULL, pstr.name) != NULL) |
399 | set_delayed_call(call: done, fn: kfree_link, arg: pstr.name); |
400 | |
401 | return pstr.name; |
402 | |
403 | err_kfree: |
404 | kfree(objp: pstr.name); |
405 | return ERR_PTR(error: err); |
406 | } |
407 | EXPORT_SYMBOL_GPL(fscrypt_get_symlink); |
408 | |
409 | /** |
410 | * fscrypt_symlink_getattr() - set the correct st_size for encrypted symlinks |
411 | * @path: the path for the encrypted symlink being queried |
412 | * @stat: the struct being filled with the symlink's attributes |
413 | * |
414 | * Override st_size of encrypted symlinks to be the length of the decrypted |
415 | * symlink target (or the no-key encoded symlink target, if the key is |
416 | * unavailable) rather than the length of the encrypted symlink target. This is |
417 | * necessary for st_size to match the symlink target that userspace actually |
418 | * sees. POSIX requires this, and some userspace programs depend on it. |
419 | * |
420 | * This requires reading the symlink target from disk if needed, setting up the |
421 | * inode's encryption key if possible, and then decrypting or encoding the |
422 | * symlink target. This makes lstat() more heavyweight than is normally the |
423 | * case. However, decrypted symlink targets will be cached in ->i_link, so |
424 | * usually the symlink won't have to be read and decrypted again later if/when |
425 | * it is actually followed, readlink() is called, or lstat() is called again. |
426 | * |
427 | * Return: 0 on success, -errno on failure |
428 | */ |
429 | int fscrypt_symlink_getattr(const struct path *path, struct kstat *stat) |
430 | { |
431 | struct dentry *dentry = path->dentry; |
432 | struct inode *inode = d_inode(dentry); |
433 | const char *link; |
434 | DEFINE_DELAYED_CALL(done); |
435 | |
436 | /* |
437 | * To get the symlink target that userspace will see (whether it's the |
438 | * decrypted target or the no-key encoded target), we can just get it in |
439 | * the same way the VFS does during path resolution and readlink(). |
440 | */ |
441 | link = READ_ONCE(inode->i_link); |
442 | if (!link) { |
443 | link = inode->i_op->get_link(dentry, inode, &done); |
444 | if (IS_ERR(ptr: link)) |
445 | return PTR_ERR(ptr: link); |
446 | } |
447 | stat->size = strlen(link); |
448 | do_delayed_call(call: &done); |
449 | return 0; |
450 | } |
451 | EXPORT_SYMBOL_GPL(fscrypt_symlink_getattr); |
452 | |