1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* |
3 | * Encryption policy functions for per-file encryption support. |
4 | * |
5 | * Copyright (C) 2015, Google, Inc. |
6 | * Copyright (C) 2015, Motorola Mobility. |
7 | * |
8 | * Originally written by Michael Halcrow, 2015. |
9 | * Modified by Jaegeuk Kim, 2015. |
10 | * Modified by Eric Biggers, 2019 for v2 policy support. |
11 | */ |
12 | |
13 | #include <linux/fs_context.h> |
14 | #include <linux/random.h> |
15 | #include <linux/seq_file.h> |
16 | #include <linux/string.h> |
17 | #include <linux/mount.h> |
18 | #include "fscrypt_private.h" |
19 | |
20 | /** |
21 | * fscrypt_policies_equal() - check whether two encryption policies are the same |
22 | * @policy1: the first policy |
23 | * @policy2: the second policy |
24 | * |
25 | * Return: %true if equal, else %false |
26 | */ |
27 | bool fscrypt_policies_equal(const union fscrypt_policy *policy1, |
28 | const union fscrypt_policy *policy2) |
29 | { |
30 | if (policy1->version != policy2->version) |
31 | return false; |
32 | |
33 | return !memcmp(p: policy1, q: policy2, size: fscrypt_policy_size(policy: policy1)); |
34 | } |
35 | |
36 | int fscrypt_policy_to_key_spec(const union fscrypt_policy *policy, |
37 | struct fscrypt_key_specifier *key_spec) |
38 | { |
39 | switch (policy->version) { |
40 | case FSCRYPT_POLICY_V1: |
41 | key_spec->type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR; |
42 | memcpy(key_spec->u.descriptor, policy->v1.master_key_descriptor, |
43 | FSCRYPT_KEY_DESCRIPTOR_SIZE); |
44 | return 0; |
45 | case FSCRYPT_POLICY_V2: |
46 | key_spec->type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER; |
47 | memcpy(key_spec->u.identifier, policy->v2.master_key_identifier, |
48 | FSCRYPT_KEY_IDENTIFIER_SIZE); |
49 | return 0; |
50 | default: |
51 | WARN_ON_ONCE(1); |
52 | return -EINVAL; |
53 | } |
54 | } |
55 | |
56 | const union fscrypt_policy *fscrypt_get_dummy_policy(struct super_block *sb) |
57 | { |
58 | if (!sb->s_cop->get_dummy_policy) |
59 | return NULL; |
60 | return sb->s_cop->get_dummy_policy(sb); |
61 | } |
62 | |
63 | /* |
64 | * Return %true if the given combination of encryption modes is supported for v1 |
65 | * (and later) encryption policies. |
66 | * |
67 | * Do *not* add anything new here, since v1 encryption policies are deprecated. |
68 | * New combinations of modes should go in fscrypt_valid_enc_modes_v2() only. |
69 | */ |
70 | static bool fscrypt_valid_enc_modes_v1(u32 contents_mode, u32 filenames_mode) |
71 | { |
72 | if (contents_mode == FSCRYPT_MODE_AES_256_XTS && |
73 | filenames_mode == FSCRYPT_MODE_AES_256_CTS) |
74 | return true; |
75 | |
76 | if (contents_mode == FSCRYPT_MODE_AES_128_CBC && |
77 | filenames_mode == FSCRYPT_MODE_AES_128_CTS) |
78 | return true; |
79 | |
80 | if (contents_mode == FSCRYPT_MODE_ADIANTUM && |
81 | filenames_mode == FSCRYPT_MODE_ADIANTUM) |
82 | return true; |
83 | |
84 | return false; |
85 | } |
86 | |
87 | static bool fscrypt_valid_enc_modes_v2(u32 contents_mode, u32 filenames_mode) |
88 | { |
89 | if (contents_mode == FSCRYPT_MODE_AES_256_XTS && |
90 | filenames_mode == FSCRYPT_MODE_AES_256_HCTR2) |
91 | return true; |
92 | |
93 | if (contents_mode == FSCRYPT_MODE_SM4_XTS && |
94 | filenames_mode == FSCRYPT_MODE_SM4_CTS) |
95 | return true; |
96 | |
97 | return fscrypt_valid_enc_modes_v1(contents_mode, filenames_mode); |
98 | } |
99 | |
100 | static bool supported_direct_key_modes(const struct inode *inode, |
101 | u32 contents_mode, u32 filenames_mode) |
102 | { |
103 | const struct fscrypt_mode *mode; |
104 | |
105 | if (contents_mode != filenames_mode) { |
106 | fscrypt_warn(inode, |
107 | "Direct key flag not allowed with different contents and filenames modes" ); |
108 | return false; |
109 | } |
110 | mode = &fscrypt_modes[contents_mode]; |
111 | |
112 | if (mode->ivsize < offsetofend(union fscrypt_iv, nonce)) { |
113 | fscrypt_warn(inode, "Direct key flag not allowed with %s" , |
114 | mode->friendly_name); |
115 | return false; |
116 | } |
117 | return true; |
118 | } |
119 | |
120 | static bool supported_iv_ino_lblk_policy(const struct fscrypt_policy_v2 *policy, |
121 | const struct inode *inode) |
122 | { |
123 | const char *type = (policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) |
124 | ? "IV_INO_LBLK_64" : "IV_INO_LBLK_32" ; |
125 | struct super_block *sb = inode->i_sb; |
126 | |
127 | /* |
128 | * IV_INO_LBLK_* exist only because of hardware limitations, and |
129 | * currently the only known use case for them involves AES-256-XTS. |
130 | * That's also all we test currently. For these reasons, for now only |
131 | * allow AES-256-XTS here. This can be relaxed later if a use case for |
132 | * IV_INO_LBLK_* with other encryption modes arises. |
133 | */ |
134 | if (policy->contents_encryption_mode != FSCRYPT_MODE_AES_256_XTS) { |
135 | fscrypt_warn(inode, |
136 | "Can't use %s policy with contents mode other than AES-256-XTS" , |
137 | type); |
138 | return false; |
139 | } |
140 | |
141 | /* |
142 | * It's unsafe to include inode numbers in the IVs if the filesystem can |
143 | * potentially renumber inodes, e.g. via filesystem shrinking. |
144 | */ |
145 | if (!sb->s_cop->has_stable_inodes || |
146 | !sb->s_cop->has_stable_inodes(sb)) { |
147 | fscrypt_warn(inode, |
148 | "Can't use %s policy on filesystem '%s' because it doesn't have stable inode numbers" , |
149 | type, sb->s_id); |
150 | return false; |
151 | } |
152 | |
153 | /* |
154 | * IV_INO_LBLK_64 and IV_INO_LBLK_32 both require that inode numbers fit |
155 | * in 32 bits. In principle, IV_INO_LBLK_32 could support longer inode |
156 | * numbers because it hashes the inode number; however, currently the |
157 | * inode number is gotten from inode::i_ino which is 'unsigned long'. |
158 | * So for now the implementation limit is 32 bits. |
159 | */ |
160 | if (!sb->s_cop->has_32bit_inodes) { |
161 | fscrypt_warn(inode, |
162 | "Can't use %s policy on filesystem '%s' because its inode numbers are too long" , |
163 | type, sb->s_id); |
164 | return false; |
165 | } |
166 | |
167 | /* |
168 | * IV_INO_LBLK_64 and IV_INO_LBLK_32 both require that file data unit |
169 | * indices fit in 32 bits. |
170 | */ |
171 | if (fscrypt_max_file_dun_bits(sb, |
172 | du_bits: fscrypt_policy_v2_du_bits(policy, inode)) > 32) { |
173 | fscrypt_warn(inode, |
174 | "Can't use %s policy on filesystem '%s' because its maximum file size is too large" , |
175 | type, sb->s_id); |
176 | return false; |
177 | } |
178 | return true; |
179 | } |
180 | |
181 | static bool fscrypt_supported_v1_policy(const struct fscrypt_policy_v1 *policy, |
182 | const struct inode *inode) |
183 | { |
184 | if (!fscrypt_valid_enc_modes_v1(contents_mode: policy->contents_encryption_mode, |
185 | filenames_mode: policy->filenames_encryption_mode)) { |
186 | fscrypt_warn(inode, |
187 | "Unsupported encryption modes (contents %d, filenames %d)" , |
188 | policy->contents_encryption_mode, |
189 | policy->filenames_encryption_mode); |
190 | return false; |
191 | } |
192 | |
193 | if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK | |
194 | FSCRYPT_POLICY_FLAG_DIRECT_KEY)) { |
195 | fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)" , |
196 | policy->flags); |
197 | return false; |
198 | } |
199 | |
200 | if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) && |
201 | !supported_direct_key_modes(inode, contents_mode: policy->contents_encryption_mode, |
202 | filenames_mode: policy->filenames_encryption_mode)) |
203 | return false; |
204 | |
205 | if (IS_CASEFOLDED(inode)) { |
206 | /* With v1, there's no way to derive dirhash keys. */ |
207 | fscrypt_warn(inode, |
208 | "v1 policies can't be used on casefolded directories" ); |
209 | return false; |
210 | } |
211 | |
212 | return true; |
213 | } |
214 | |
215 | static bool fscrypt_supported_v2_policy(const struct fscrypt_policy_v2 *policy, |
216 | const struct inode *inode) |
217 | { |
218 | int count = 0; |
219 | |
220 | if (!fscrypt_valid_enc_modes_v2(contents_mode: policy->contents_encryption_mode, |
221 | filenames_mode: policy->filenames_encryption_mode)) { |
222 | fscrypt_warn(inode, |
223 | "Unsupported encryption modes (contents %d, filenames %d)" , |
224 | policy->contents_encryption_mode, |
225 | policy->filenames_encryption_mode); |
226 | return false; |
227 | } |
228 | |
229 | if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK | |
230 | FSCRYPT_POLICY_FLAG_DIRECT_KEY | |
231 | FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 | |
232 | FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) { |
233 | fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)" , |
234 | policy->flags); |
235 | return false; |
236 | } |
237 | |
238 | count += !!(policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY); |
239 | count += !!(policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64); |
240 | count += !!(policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32); |
241 | if (count > 1) { |
242 | fscrypt_warn(inode, "Mutually exclusive encryption flags (0x%02x)" , |
243 | policy->flags); |
244 | return false; |
245 | } |
246 | |
247 | if (policy->log2_data_unit_size) { |
248 | if (!inode->i_sb->s_cop->supports_subblock_data_units) { |
249 | fscrypt_warn(inode, |
250 | "Filesystem does not support configuring crypto data unit size" ); |
251 | return false; |
252 | } |
253 | if (policy->log2_data_unit_size > inode->i_blkbits || |
254 | policy->log2_data_unit_size < SECTOR_SHIFT /* 9 */) { |
255 | fscrypt_warn(inode, |
256 | "Unsupported log2_data_unit_size in encryption policy: %d" , |
257 | policy->log2_data_unit_size); |
258 | return false; |
259 | } |
260 | if (policy->log2_data_unit_size != inode->i_blkbits && |
261 | (policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) { |
262 | /* |
263 | * Not safe to enable yet, as we need to ensure that DUN |
264 | * wraparound can only occur on a FS block boundary. |
265 | */ |
266 | fscrypt_warn(inode, |
267 | "Sub-block data units not yet supported with IV_INO_LBLK_32" ); |
268 | return false; |
269 | } |
270 | } |
271 | |
272 | if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) && |
273 | !supported_direct_key_modes(inode, contents_mode: policy->contents_encryption_mode, |
274 | filenames_mode: policy->filenames_encryption_mode)) |
275 | return false; |
276 | |
277 | if ((policy->flags & (FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 | |
278 | FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) && |
279 | !supported_iv_ino_lblk_policy(policy, inode)) |
280 | return false; |
281 | |
282 | if (memchr_inv(p: policy->__reserved, c: 0, size: sizeof(policy->__reserved))) { |
283 | fscrypt_warn(inode, "Reserved bits set in encryption policy" ); |
284 | return false; |
285 | } |
286 | |
287 | return true; |
288 | } |
289 | |
290 | /** |
291 | * fscrypt_supported_policy() - check whether an encryption policy is supported |
292 | * @policy_u: the encryption policy |
293 | * @inode: the inode on which the policy will be used |
294 | * |
295 | * Given an encryption policy, check whether all its encryption modes and other |
296 | * settings are supported by this kernel on the given inode. (But we don't |
297 | * currently don't check for crypto API support here, so attempting to use an |
298 | * algorithm not configured into the crypto API will still fail later.) |
299 | * |
300 | * Return: %true if supported, else %false |
301 | */ |
302 | bool fscrypt_supported_policy(const union fscrypt_policy *policy_u, |
303 | const struct inode *inode) |
304 | { |
305 | switch (policy_u->version) { |
306 | case FSCRYPT_POLICY_V1: |
307 | return fscrypt_supported_v1_policy(policy: &policy_u->v1, inode); |
308 | case FSCRYPT_POLICY_V2: |
309 | return fscrypt_supported_v2_policy(policy: &policy_u->v2, inode); |
310 | } |
311 | return false; |
312 | } |
313 | |
314 | /** |
315 | * fscrypt_new_context() - create a new fscrypt_context |
316 | * @ctx_u: output context |
317 | * @policy_u: input policy |
318 | * @nonce: nonce to use |
319 | * |
320 | * Create an fscrypt_context for an inode that is being assigned the given |
321 | * encryption policy. @nonce must be a new random nonce. |
322 | * |
323 | * Return: the size of the new context in bytes. |
324 | */ |
325 | static int fscrypt_new_context(union fscrypt_context *ctx_u, |
326 | const union fscrypt_policy *policy_u, |
327 | const u8 nonce[FSCRYPT_FILE_NONCE_SIZE]) |
328 | { |
329 | memset(ctx_u, 0, sizeof(*ctx_u)); |
330 | |
331 | switch (policy_u->version) { |
332 | case FSCRYPT_POLICY_V1: { |
333 | const struct fscrypt_policy_v1 *policy = &policy_u->v1; |
334 | struct fscrypt_context_v1 *ctx = &ctx_u->v1; |
335 | |
336 | ctx->version = FSCRYPT_CONTEXT_V1; |
337 | ctx->contents_encryption_mode = |
338 | policy->contents_encryption_mode; |
339 | ctx->filenames_encryption_mode = |
340 | policy->filenames_encryption_mode; |
341 | ctx->flags = policy->flags; |
342 | memcpy(ctx->master_key_descriptor, |
343 | policy->master_key_descriptor, |
344 | sizeof(ctx->master_key_descriptor)); |
345 | memcpy(ctx->nonce, nonce, FSCRYPT_FILE_NONCE_SIZE); |
346 | return sizeof(*ctx); |
347 | } |
348 | case FSCRYPT_POLICY_V2: { |
349 | const struct fscrypt_policy_v2 *policy = &policy_u->v2; |
350 | struct fscrypt_context_v2 *ctx = &ctx_u->v2; |
351 | |
352 | ctx->version = FSCRYPT_CONTEXT_V2; |
353 | ctx->contents_encryption_mode = |
354 | policy->contents_encryption_mode; |
355 | ctx->filenames_encryption_mode = |
356 | policy->filenames_encryption_mode; |
357 | ctx->flags = policy->flags; |
358 | ctx->log2_data_unit_size = policy->log2_data_unit_size; |
359 | memcpy(ctx->master_key_identifier, |
360 | policy->master_key_identifier, |
361 | sizeof(ctx->master_key_identifier)); |
362 | memcpy(ctx->nonce, nonce, FSCRYPT_FILE_NONCE_SIZE); |
363 | return sizeof(*ctx); |
364 | } |
365 | } |
366 | BUG(); |
367 | } |
368 | |
369 | /** |
370 | * fscrypt_policy_from_context() - convert an fscrypt_context to |
371 | * an fscrypt_policy |
372 | * @policy_u: output policy |
373 | * @ctx_u: input context |
374 | * @ctx_size: size of input context in bytes |
375 | * |
376 | * Given an fscrypt_context, build the corresponding fscrypt_policy. |
377 | * |
378 | * Return: 0 on success, or -EINVAL if the fscrypt_context has an unrecognized |
379 | * version number or size. |
380 | * |
381 | * This does *not* validate the settings within the policy itself, e.g. the |
382 | * modes, flags, and reserved bits. Use fscrypt_supported_policy() for that. |
383 | */ |
384 | int fscrypt_policy_from_context(union fscrypt_policy *policy_u, |
385 | const union fscrypt_context *ctx_u, |
386 | int ctx_size) |
387 | { |
388 | memset(policy_u, 0, sizeof(*policy_u)); |
389 | |
390 | if (!fscrypt_context_is_valid(ctx: ctx_u, ctx_size)) |
391 | return -EINVAL; |
392 | |
393 | switch (ctx_u->version) { |
394 | case FSCRYPT_CONTEXT_V1: { |
395 | const struct fscrypt_context_v1 *ctx = &ctx_u->v1; |
396 | struct fscrypt_policy_v1 *policy = &policy_u->v1; |
397 | |
398 | policy->version = FSCRYPT_POLICY_V1; |
399 | policy->contents_encryption_mode = |
400 | ctx->contents_encryption_mode; |
401 | policy->filenames_encryption_mode = |
402 | ctx->filenames_encryption_mode; |
403 | policy->flags = ctx->flags; |
404 | memcpy(policy->master_key_descriptor, |
405 | ctx->master_key_descriptor, |
406 | sizeof(policy->master_key_descriptor)); |
407 | return 0; |
408 | } |
409 | case FSCRYPT_CONTEXT_V2: { |
410 | const struct fscrypt_context_v2 *ctx = &ctx_u->v2; |
411 | struct fscrypt_policy_v2 *policy = &policy_u->v2; |
412 | |
413 | policy->version = FSCRYPT_POLICY_V2; |
414 | policy->contents_encryption_mode = |
415 | ctx->contents_encryption_mode; |
416 | policy->filenames_encryption_mode = |
417 | ctx->filenames_encryption_mode; |
418 | policy->flags = ctx->flags; |
419 | policy->log2_data_unit_size = ctx->log2_data_unit_size; |
420 | memcpy(policy->__reserved, ctx->__reserved, |
421 | sizeof(policy->__reserved)); |
422 | memcpy(policy->master_key_identifier, |
423 | ctx->master_key_identifier, |
424 | sizeof(policy->master_key_identifier)); |
425 | return 0; |
426 | } |
427 | } |
428 | /* unreachable */ |
429 | return -EINVAL; |
430 | } |
431 | |
432 | /* Retrieve an inode's encryption policy */ |
433 | static int fscrypt_get_policy(struct inode *inode, union fscrypt_policy *policy) |
434 | { |
435 | const struct fscrypt_inode_info *ci; |
436 | union fscrypt_context ctx; |
437 | int ret; |
438 | |
439 | ci = fscrypt_get_inode_info(inode); |
440 | if (ci) { |
441 | /* key available, use the cached policy */ |
442 | *policy = ci->ci_policy; |
443 | return 0; |
444 | } |
445 | |
446 | if (!IS_ENCRYPTED(inode)) |
447 | return -ENODATA; |
448 | |
449 | ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); |
450 | if (ret < 0) |
451 | return (ret == -ERANGE) ? -EINVAL : ret; |
452 | |
453 | return fscrypt_policy_from_context(policy_u: policy, ctx_u: &ctx, ctx_size: ret); |
454 | } |
455 | |
456 | static int set_encryption_policy(struct inode *inode, |
457 | const union fscrypt_policy *policy) |
458 | { |
459 | u8 nonce[FSCRYPT_FILE_NONCE_SIZE]; |
460 | union fscrypt_context ctx; |
461 | int ctxsize; |
462 | int err; |
463 | |
464 | if (!fscrypt_supported_policy(policy_u: policy, inode)) |
465 | return -EINVAL; |
466 | |
467 | switch (policy->version) { |
468 | case FSCRYPT_POLICY_V1: |
469 | /* |
470 | * The original encryption policy version provided no way of |
471 | * verifying that the correct master key was supplied, which was |
472 | * insecure in scenarios where multiple users have access to the |
473 | * same encrypted files (even just read-only access). The new |
474 | * encryption policy version fixes this and also implies use of |
475 | * an improved key derivation function and allows non-root users |
476 | * to securely remove keys. So as long as compatibility with |
477 | * old kernels isn't required, it is recommended to use the new |
478 | * policy version for all new encrypted directories. |
479 | */ |
480 | pr_warn_once("%s (pid %d) is setting deprecated v1 encryption policy; recommend upgrading to v2.\n" , |
481 | current->comm, current->pid); |
482 | break; |
483 | case FSCRYPT_POLICY_V2: |
484 | err = fscrypt_verify_key_added(sb: inode->i_sb, |
485 | identifier: policy->v2.master_key_identifier); |
486 | if (err) |
487 | return err; |
488 | if (policy->v2.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) |
489 | pr_warn_once("%s (pid %d) is setting an IV_INO_LBLK_32 encryption policy. This should only be used if there are certain hardware limitations.\n" , |
490 | current->comm, current->pid); |
491 | break; |
492 | default: |
493 | WARN_ON_ONCE(1); |
494 | return -EINVAL; |
495 | } |
496 | |
497 | get_random_bytes(buf: nonce, FSCRYPT_FILE_NONCE_SIZE); |
498 | ctxsize = fscrypt_new_context(ctx_u: &ctx, policy_u: policy, nonce); |
499 | |
500 | return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, NULL); |
501 | } |
502 | |
503 | int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg) |
504 | { |
505 | union fscrypt_policy policy; |
506 | union fscrypt_policy existing_policy; |
507 | struct inode *inode = file_inode(f: filp); |
508 | u8 version; |
509 | int size; |
510 | int ret; |
511 | |
512 | if (get_user(policy.version, (const u8 __user *)arg)) |
513 | return -EFAULT; |
514 | |
515 | size = fscrypt_policy_size(policy: &policy); |
516 | if (size <= 0) |
517 | return -EINVAL; |
518 | |
519 | /* |
520 | * We should just copy the remaining 'size - 1' bytes here, but a |
521 | * bizarre bug in gcc 7 and earlier (fixed by gcc r255731) causes gcc to |
522 | * think that size can be 0 here (despite the check above!) *and* that |
523 | * it's a compile-time constant. Thus it would think copy_from_user() |
524 | * is passed compile-time constant ULONG_MAX, causing the compile-time |
525 | * buffer overflow check to fail, breaking the build. This only occurred |
526 | * when building an i386 kernel with -Os and branch profiling enabled. |
527 | * |
528 | * Work around it by just copying the first byte again... |
529 | */ |
530 | version = policy.version; |
531 | if (copy_from_user(to: &policy, from: arg, n: size)) |
532 | return -EFAULT; |
533 | policy.version = version; |
534 | |
535 | if (!inode_owner_or_capable(idmap: &nop_mnt_idmap, inode)) |
536 | return -EACCES; |
537 | |
538 | ret = mnt_want_write_file(file: filp); |
539 | if (ret) |
540 | return ret; |
541 | |
542 | inode_lock(inode); |
543 | |
544 | ret = fscrypt_get_policy(inode, policy: &existing_policy); |
545 | if (ret == -ENODATA) { |
546 | if (!S_ISDIR(inode->i_mode)) |
547 | ret = -ENOTDIR; |
548 | else if (IS_DEADDIR(inode)) |
549 | ret = -ENOENT; |
550 | else if (!inode->i_sb->s_cop->empty_dir(inode)) |
551 | ret = -ENOTEMPTY; |
552 | else |
553 | ret = set_encryption_policy(inode, policy: &policy); |
554 | } else if (ret == -EINVAL || |
555 | (ret == 0 && !fscrypt_policies_equal(policy1: &policy, |
556 | policy2: &existing_policy))) { |
557 | /* The file already uses a different encryption policy. */ |
558 | ret = -EEXIST; |
559 | } |
560 | |
561 | inode_unlock(inode); |
562 | |
563 | mnt_drop_write_file(file: filp); |
564 | return ret; |
565 | } |
566 | EXPORT_SYMBOL(fscrypt_ioctl_set_policy); |
567 | |
568 | /* Original ioctl version; can only get the original policy version */ |
569 | int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg) |
570 | { |
571 | union fscrypt_policy policy; |
572 | int err; |
573 | |
574 | err = fscrypt_get_policy(inode: file_inode(f: filp), policy: &policy); |
575 | if (err) |
576 | return err; |
577 | |
578 | if (policy.version != FSCRYPT_POLICY_V1) |
579 | return -EINVAL; |
580 | |
581 | if (copy_to_user(to: arg, from: &policy, n: sizeof(policy.v1))) |
582 | return -EFAULT; |
583 | return 0; |
584 | } |
585 | EXPORT_SYMBOL(fscrypt_ioctl_get_policy); |
586 | |
587 | /* Extended ioctl version; can get policies of any version */ |
588 | int fscrypt_ioctl_get_policy_ex(struct file *filp, void __user *uarg) |
589 | { |
590 | struct fscrypt_get_policy_ex_arg arg; |
591 | union fscrypt_policy *policy = (union fscrypt_policy *)&arg.policy; |
592 | size_t policy_size; |
593 | int err; |
594 | |
595 | /* arg is policy_size, then policy */ |
596 | BUILD_BUG_ON(offsetof(typeof(arg), policy_size) != 0); |
597 | BUILD_BUG_ON(offsetofend(typeof(arg), policy_size) != |
598 | offsetof(typeof(arg), policy)); |
599 | BUILD_BUG_ON(sizeof(arg.policy) != sizeof(*policy)); |
600 | |
601 | err = fscrypt_get_policy(inode: file_inode(f: filp), policy); |
602 | if (err) |
603 | return err; |
604 | policy_size = fscrypt_policy_size(policy); |
605 | |
606 | if (copy_from_user(to: &arg, from: uarg, n: sizeof(arg.policy_size))) |
607 | return -EFAULT; |
608 | |
609 | if (policy_size > arg.policy_size) |
610 | return -EOVERFLOW; |
611 | arg.policy_size = policy_size; |
612 | |
613 | if (copy_to_user(to: uarg, from: &arg, n: sizeof(arg.policy_size) + policy_size)) |
614 | return -EFAULT; |
615 | return 0; |
616 | } |
617 | EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_policy_ex); |
618 | |
619 | /* FS_IOC_GET_ENCRYPTION_NONCE: retrieve file's encryption nonce for testing */ |
620 | int fscrypt_ioctl_get_nonce(struct file *filp, void __user *arg) |
621 | { |
622 | struct inode *inode = file_inode(f: filp); |
623 | union fscrypt_context ctx; |
624 | int ret; |
625 | |
626 | ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); |
627 | if (ret < 0) |
628 | return ret; |
629 | if (!fscrypt_context_is_valid(ctx: &ctx, ctx_size: ret)) |
630 | return -EINVAL; |
631 | if (copy_to_user(to: arg, from: fscrypt_context_nonce(ctx: &ctx), |
632 | FSCRYPT_FILE_NONCE_SIZE)) |
633 | return -EFAULT; |
634 | return 0; |
635 | } |
636 | EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_nonce); |
637 | |
638 | /** |
639 | * fscrypt_has_permitted_context() - is a file's encryption policy permitted |
640 | * within its directory? |
641 | * |
642 | * @parent: inode for parent directory |
643 | * @child: inode for file being looked up, opened, or linked into @parent |
644 | * |
645 | * Filesystems must call this before permitting access to an inode in a |
646 | * situation where the parent directory is encrypted (either before allowing |
647 | * ->lookup() to succeed, or for a regular file before allowing it to be opened) |
648 | * and before any operation that involves linking an inode into an encrypted |
649 | * directory, including link, rename, and cross rename. It enforces the |
650 | * constraint that within a given encrypted directory tree, all files use the |
651 | * same encryption policy. The pre-access check is needed to detect potentially |
652 | * malicious offline violations of this constraint, while the link and rename |
653 | * checks are needed to prevent online violations of this constraint. |
654 | * |
655 | * Return: 1 if permitted, 0 if forbidden. |
656 | */ |
657 | int fscrypt_has_permitted_context(struct inode *parent, struct inode *child) |
658 | { |
659 | union fscrypt_policy parent_policy, child_policy; |
660 | int err, err1, err2; |
661 | |
662 | /* No restrictions on file types which are never encrypted */ |
663 | if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) && |
664 | !S_ISLNK(child->i_mode)) |
665 | return 1; |
666 | |
667 | /* No restrictions if the parent directory is unencrypted */ |
668 | if (!IS_ENCRYPTED(parent)) |
669 | return 1; |
670 | |
671 | /* Encrypted directories must not contain unencrypted files */ |
672 | if (!IS_ENCRYPTED(child)) |
673 | return 0; |
674 | |
675 | /* |
676 | * Both parent and child are encrypted, so verify they use the same |
677 | * encryption policy. Compare the cached policies if the keys are |
678 | * available, otherwise retrieve and compare the fscrypt_contexts. |
679 | * |
680 | * Note that the fscrypt_context retrieval will be required frequently |
681 | * when accessing an encrypted directory tree without the key. |
682 | * Performance-wise this is not a big deal because we already don't |
683 | * really optimize for file access without the key (to the extent that |
684 | * such access is even possible), given that any attempted access |
685 | * already causes a fscrypt_context retrieval and keyring search. |
686 | * |
687 | * In any case, if an unexpected error occurs, fall back to "forbidden". |
688 | */ |
689 | |
690 | err = fscrypt_get_encryption_info(inode: parent, allow_unsupported: true); |
691 | if (err) |
692 | return 0; |
693 | err = fscrypt_get_encryption_info(inode: child, allow_unsupported: true); |
694 | if (err) |
695 | return 0; |
696 | |
697 | err1 = fscrypt_get_policy(inode: parent, policy: &parent_policy); |
698 | err2 = fscrypt_get_policy(inode: child, policy: &child_policy); |
699 | |
700 | /* |
701 | * Allow the case where the parent and child both have an unrecognized |
702 | * encryption policy, so that files with an unrecognized encryption |
703 | * policy can be deleted. |
704 | */ |
705 | if (err1 == -EINVAL && err2 == -EINVAL) |
706 | return 1; |
707 | |
708 | if (err1 || err2) |
709 | return 0; |
710 | |
711 | return fscrypt_policies_equal(policy1: &parent_policy, policy2: &child_policy); |
712 | } |
713 | EXPORT_SYMBOL(fscrypt_has_permitted_context); |
714 | |
715 | /* |
716 | * Return the encryption policy that new files in the directory will inherit, or |
717 | * NULL if none, or an ERR_PTR() on error. If the directory is encrypted, also |
718 | * ensure that its key is set up, so that the new filename can be encrypted. |
719 | */ |
720 | const union fscrypt_policy *fscrypt_policy_to_inherit(struct inode *dir) |
721 | { |
722 | int err; |
723 | |
724 | if (IS_ENCRYPTED(dir)) { |
725 | err = fscrypt_require_key(inode: dir); |
726 | if (err) |
727 | return ERR_PTR(error: err); |
728 | return &dir->i_crypt_info->ci_policy; |
729 | } |
730 | |
731 | return fscrypt_get_dummy_policy(sb: dir->i_sb); |
732 | } |
733 | |
734 | /** |
735 | * fscrypt_context_for_new_inode() - create an encryption context for a new inode |
736 | * @ctx: where context should be written |
737 | * @inode: inode from which to fetch policy and nonce |
738 | * |
739 | * Given an in-core "prepared" (via fscrypt_prepare_new_inode) inode, |
740 | * generate a new context and write it to ctx. ctx _must_ be at least |
741 | * FSCRYPT_SET_CONTEXT_MAX_SIZE bytes. |
742 | * |
743 | * Return: size of the resulting context or a negative error code. |
744 | */ |
745 | int fscrypt_context_for_new_inode(void *ctx, struct inode *inode) |
746 | { |
747 | struct fscrypt_inode_info *ci = inode->i_crypt_info; |
748 | |
749 | BUILD_BUG_ON(sizeof(union fscrypt_context) != |
750 | FSCRYPT_SET_CONTEXT_MAX_SIZE); |
751 | |
752 | /* fscrypt_prepare_new_inode() should have set up the key already. */ |
753 | if (WARN_ON_ONCE(!ci)) |
754 | return -ENOKEY; |
755 | |
756 | return fscrypt_new_context(ctx_u: ctx, policy_u: &ci->ci_policy, nonce: ci->ci_nonce); |
757 | } |
758 | EXPORT_SYMBOL_GPL(fscrypt_context_for_new_inode); |
759 | |
760 | /** |
761 | * fscrypt_set_context() - Set the fscrypt context of a new inode |
762 | * @inode: a new inode |
763 | * @fs_data: private data given by FS and passed to ->set_context() |
764 | * |
765 | * This should be called after fscrypt_prepare_new_inode(), generally during a |
766 | * filesystem transaction. Everything here must be %GFP_NOFS-safe. |
767 | * |
768 | * Return: 0 on success, -errno on failure |
769 | */ |
770 | int fscrypt_set_context(struct inode *inode, void *fs_data) |
771 | { |
772 | struct fscrypt_inode_info *ci = inode->i_crypt_info; |
773 | union fscrypt_context ctx; |
774 | int ctxsize; |
775 | |
776 | ctxsize = fscrypt_context_for_new_inode(&ctx, inode); |
777 | if (ctxsize < 0) |
778 | return ctxsize; |
779 | |
780 | /* |
781 | * This may be the first time the inode number is available, so do any |
782 | * delayed key setup that requires the inode number. |
783 | */ |
784 | if (ci->ci_policy.version == FSCRYPT_POLICY_V2 && |
785 | (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) |
786 | fscrypt_hash_inode_number(ci, mk: ci->ci_master_key); |
787 | |
788 | return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, fs_data); |
789 | } |
790 | EXPORT_SYMBOL_GPL(fscrypt_set_context); |
791 | |
792 | /** |
793 | * fscrypt_parse_test_dummy_encryption() - parse the test_dummy_encryption mount option |
794 | * @param: the mount option |
795 | * @dummy_policy: (input/output) the place to write the dummy policy that will |
796 | * result from parsing the option. Zero-initialize this. If a policy is |
797 | * already set here (due to test_dummy_encryption being given multiple |
798 | * times), then this function will verify that the policies are the same. |
799 | * |
800 | * Return: 0 on success; -EINVAL if the argument is invalid; -EEXIST if the |
801 | * argument conflicts with one already specified; or -ENOMEM. |
802 | */ |
803 | int fscrypt_parse_test_dummy_encryption(const struct fs_parameter *param, |
804 | struct fscrypt_dummy_policy *dummy_policy) |
805 | { |
806 | const char *arg = "v2" ; |
807 | union fscrypt_policy *policy; |
808 | int err; |
809 | |
810 | if (param->type == fs_value_is_string && *param->string) |
811 | arg = param->string; |
812 | |
813 | policy = kzalloc(size: sizeof(*policy), GFP_KERNEL); |
814 | if (!policy) |
815 | return -ENOMEM; |
816 | |
817 | if (!strcmp(arg, "v1" )) { |
818 | policy->version = FSCRYPT_POLICY_V1; |
819 | policy->v1.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; |
820 | policy->v1.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; |
821 | memset(policy->v1.master_key_descriptor, 0x42, |
822 | FSCRYPT_KEY_DESCRIPTOR_SIZE); |
823 | } else if (!strcmp(arg, "v2" )) { |
824 | policy->version = FSCRYPT_POLICY_V2; |
825 | policy->v2.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS; |
826 | policy->v2.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS; |
827 | err = fscrypt_get_test_dummy_key_identifier( |
828 | key_identifier: policy->v2.master_key_identifier); |
829 | if (err) |
830 | goto out; |
831 | } else { |
832 | err = -EINVAL; |
833 | goto out; |
834 | } |
835 | |
836 | if (dummy_policy->policy) { |
837 | if (fscrypt_policies_equal(policy1: policy, policy2: dummy_policy->policy)) |
838 | err = 0; |
839 | else |
840 | err = -EEXIST; |
841 | goto out; |
842 | } |
843 | dummy_policy->policy = policy; |
844 | policy = NULL; |
845 | err = 0; |
846 | out: |
847 | kfree(objp: policy); |
848 | return err; |
849 | } |
850 | EXPORT_SYMBOL_GPL(fscrypt_parse_test_dummy_encryption); |
851 | |
852 | /** |
853 | * fscrypt_dummy_policies_equal() - check whether two dummy policies are equal |
854 | * @p1: the first test dummy policy (may be unset) |
855 | * @p2: the second test dummy policy (may be unset) |
856 | * |
857 | * Return: %true if the dummy policies are both set and equal, or both unset. |
858 | */ |
859 | bool fscrypt_dummy_policies_equal(const struct fscrypt_dummy_policy *p1, |
860 | const struct fscrypt_dummy_policy *p2) |
861 | { |
862 | if (!p1->policy && !p2->policy) |
863 | return true; |
864 | if (!p1->policy || !p2->policy) |
865 | return false; |
866 | return fscrypt_policies_equal(policy1: p1->policy, policy2: p2->policy); |
867 | } |
868 | EXPORT_SYMBOL_GPL(fscrypt_dummy_policies_equal); |
869 | |
870 | /** |
871 | * fscrypt_show_test_dummy_encryption() - show '-o test_dummy_encryption' |
872 | * @seq: the seq_file to print the option to |
873 | * @sep: the separator character to use |
874 | * @sb: the filesystem whose options are being shown |
875 | * |
876 | * Show the test_dummy_encryption mount option, if it was specified. |
877 | * This is mainly used for /proc/mounts. |
878 | */ |
879 | void fscrypt_show_test_dummy_encryption(struct seq_file *seq, char sep, |
880 | struct super_block *sb) |
881 | { |
882 | const union fscrypt_policy *policy = fscrypt_get_dummy_policy(sb); |
883 | int vers; |
884 | |
885 | if (!policy) |
886 | return; |
887 | |
888 | vers = policy->version; |
889 | if (vers == FSCRYPT_POLICY_V1) /* Handle numbering quirk */ |
890 | vers = 1; |
891 | |
892 | seq_printf(m: seq, fmt: "%ctest_dummy_encryption=v%d" , sep, vers); |
893 | } |
894 | EXPORT_SYMBOL_GPL(fscrypt_show_test_dummy_encryption); |
895 | |