1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3  * fscrypt.h: declarations for per-file encryption
4  *
5  * Filesystems that implement per-file encryption include this header
6  * file with the __FS_HAS_ENCRYPTION set according to whether that filesystem
7  * is being built with encryption support or not.
8  *
9  * Copyright (C) 2015, Google, Inc.
10  *
11  * Written by Michael Halcrow, 2015.
12  * Modified by Jaegeuk Kim, 2015.
13  */
14 #ifndef _LINUX_FSCRYPT_H
15 #define _LINUX_FSCRYPT_H
16 
17 #include <linux/fs.h>
18 
/*
 * NOTE(review): presumably the block size, in bytes, of the cipher used for
 * per-file encryption -- the value's meaning is not stated in this header;
 * confirm against the users of this constant.
 */
#define FS_CRYPTO_BLOCK_SIZE		16

/* Opaque to includers of this header; only pointers to these are used here. */
struct fscrypt_ctx;
struct fscrypt_info;
23 
/*
 * Pointer/length pair describing a byte buffer.
 *
 * @len is the authoritative size.  fscrypt_prepare_symlink() stores a length
 * that counts the null terminator, and its documentation says @name is left
 * NULL for encrypted symlinks until fscrypt_encrypt_symlink() runs, so
 * consumers must not assume @name is non-NULL.
 * NOTE(review): whether other users null-terminate @name is not visible
 * here -- treat the buffer as length-delimited unless a call site says
 * otherwise.
 */
struct fscrypt_str {
	unsigned char *name;	/* start of the buffer; may be NULL */
	u32 len;		/* buffer length in bytes */
};
28 
/*
 * The forms of a filename handled by the fscrypt helpers.
 *
 * @disk_name is the member read by the fname_name() and fname_len()
 * accessors.
 * NOTE(review): the roles noted on the other members are inferred from their
 * names only; confirm against the code that fills this structure in,
 * including who owns and frees @crypto_buf.
 */
struct fscrypt_name {
	const struct qstr *usr_fname;	/* presumably the name as supplied by the user */
	struct fscrypt_str disk_name;	/* accessed via fname_name()/fname_len() */
	u32 hash;			/* presumably a directory-hash value */
	u32 minor_hash;			/* presumably a secondary hash value */
	struct fscrypt_str crypto_buf;	/* presumably a buffer backing disk_name */
};
36 
/* Initializer for a struct fscrypt_str from a pointer @n and a length @l. */
#define FSTR_INIT(n, l)		{ .name = n, .len = l }

/* Build a qstr initializer from the pointer and length of fscrypt_str @f. */
#define FSTR_TO_QSTR(f)		QSTR_INIT((f)->name, (f)->len)

/* Accessors for the disk_name member of the struct fscrypt_name at @p. */
#define fname_name(p)		((p)->disk_name.name)
#define fname_len(p)		((p)->disk_name.len)

/* Maximum value for the third parameter of fscrypt_operations.set_context(). */
#define FSCRYPT_SET_CONTEXT_MAX_SIZE	28
44 
45 #if __FS_HAS_ENCRYPTION
46 #include <linux/fscrypt_supp.h>
47 #else
48 #include <linux/fscrypt_notsupp.h>
49 #endif
50 
/**
 * fscrypt_require_key - require an inode's encryption key
 * @inode: the inode whose key is needed
 *
 * Unencrypted inodes pass straight through.  For an encrypted inode the
 * encryption key is set up if that has not been done yet, and the key is
 * then required to be present; -ENOKEY is returned if it is not.
 *
 * A successful return from fscrypt_get_encryption_info() is not taken as
 * proof that the key is available: fscrypt_has_encryption_key() is checked
 * separately afterwards.
 *
 * No locks are needed, and the key lives as long as the struct inode, so it
 * cannot go away underneath the caller.
 *
 * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
 * if a problem occurred while setting up the encryption key.
 */
static inline int fscrypt_require_key(struct inode *inode)
{
	int err;

	/* Nothing to require for an unencrypted inode. */
	if (!IS_ENCRYPTED(inode))
		return 0;

	err = fscrypt_get_encryption_info(inode);
	if (err)
		return err;

	/* Setup succeeded, but the key itself may still be absent. */
	return fscrypt_has_encryption_key(inode) ? 0 : -ENOKEY;
}
76 
/**
 * fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory
 * @old_dentry: an existing dentry for the inode being linked
 * @dir: the target directory
 * @dentry: negative dentry for the target filename
 *
 * Adding a link to an encrypted directory requires the directory's
 * encryption key, because without it the new filename could not be
 * encrypted.  The directory's key is therefore set up first (if not already
 * done) and an error is returned if it is unavailable.
 *
 * The link is also checked against the constraint that all files in an
 * encrypted directory tree use the same encryption policy.
 *
 * This wrapper does not consult @dentry; only the inode behind @old_dentry
 * and @dir are passed on to __fscrypt_prepare_link().
 *
 * Return: 0 on success, -ENOKEY if the directory's encryption key is missing,
 * -EPERM if the link would result in an inconsistent encryption policy, or
 * another -errno code.
 */
static inline int fscrypt_prepare_link(struct dentry *old_dentry,
				       struct inode *dir,
				       struct dentry *dentry)
{
	/* An unencrypted target directory imposes no key or policy checks. */
	if (!IS_ENCRYPTED(dir))
		return 0;

	return __fscrypt_prepare_link(d_inode(old_dentry), dir);
}
103 
/**
 * fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories
 * @old_dir: source directory
 * @old_dentry: dentry for source file
 * @new_dir: target directory
 * @new_dentry: dentry for target location (may be negative unless exchanging)
 * @flags: rename flags (we care at least about %RENAME_EXCHANGE)
 *
 * Prepare for ->rename() where the source and/or target directory may be
 * encrypted.  Adding a new link to an encrypted directory requires that
 * directory's encryption key, since otherwise the filename could not be
 * encrypted.  Renaming onto an existing name *is* cryptographically possible
 * without the key, but the more conservative approach is taken and all
 * no-key renames are forbidden.
 *
 * The rename is also checked against the constraint that all files in an
 * encrypted directory tree use the same encryption policy.
 *
 * Return: 0 on success, -ENOKEY if an encryption key is missing, -EPERM if the
 * rename would cause inconsistent encryption policies, or another -errno code.
 */
static inline int fscrypt_prepare_rename(struct inode *old_dir,
					 struct dentry *old_dentry,
					 struct inode *new_dir,
					 struct dentry *new_dentry,
					 unsigned int flags)
{
	/* The checks apply as soon as either side of the rename is encrypted. */
	if (!IS_ENCRYPTED(old_dir) && !IS_ENCRYPTED(new_dir))
		return 0;

	return __fscrypt_prepare_rename(old_dir, old_dentry,
					new_dir, new_dentry, flags);
}
136 
/**
 * fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory
 * @dir: directory being searched
 * @dentry: filename being looked up
 * @flags: lookup flags
 *
 * Prepare for ->lookup() in a directory which may be encrypted.  A lookup
 * works with or without the directory's encryption key; without the key,
 * filenames are presented in encrypted form.  So an attempt is made to set up
 * the directory's key, but the lookup can continue even if the key is absent.
 *
 * So that stale dentries can be invalidated if the directory's key is added
 * later, a custom ->d_revalidate() method is also installed, and the
 * DCACHE_ENCRYPTED_WITH_KEY flag records whether a given dentry is a plaintext
 * name (flag set) or a ciphertext name (flag cleared).
 *
 * This wrapper does not pass @flags on to __fscrypt_prepare_lookup().
 *
 * Return: 0 on success, -errno if a problem occurred while setting up the
 * encryption key
 */
static inline int fscrypt_prepare_lookup(struct inode *dir,
					 struct dentry *dentry,
					 unsigned int flags)
{
	/* Lookups in an unencrypted directory need no preparation. */
	if (!IS_ENCRYPTED(dir))
		return 0;

	return __fscrypt_prepare_lookup(dir, dentry);
}
164 
/**
 * fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes
 * @dentry: dentry through which the inode is being changed
 * @attr: attributes to change
 *
 * Prepare for ->setattr() on a possibly-encrypted inode.  Most attribute
 * changes on an encrypted file are allowed even without the encryption key.
 * Truncates are the exception and are forbidden without the key: the new size
 * may not be a multiple of the filesystem block size, in which case the final
 * block would have to be decrypted, zeroed past i_size, and re-encrypted.
 * (Truncating to a filesystem block boundary *could* be allowed, but it is
 * simpler to forbid all truncates --- and all other contents modifications
 * are already forbidden without the key.)
 *
 * Only %ATTR_SIZE in @attr->ia_valid triggers the key requirement here.
 *
 * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
 * if a problem occurred while setting up the encryption key.
 */
static inline int fscrypt_prepare_setattr(struct dentry *dentry,
					  struct iattr *attr)
{
	/* Attribute changes other than a size change need no key. */
	if (!(attr->ia_valid & ATTR_SIZE))
		return 0;

	return fscrypt_require_key(d_inode(dentry));
}
189 
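/**
 * fscrypt_prepare_symlink - prepare to create a possibly-encrypted symlink
 * @dir: directory in which the symlink is being created
 * @target: plaintext symlink target
 * @len: length of @target excluding null terminator
 * @max_len: space the filesystem has available to store the symlink target
 * @disk_link: (out) the on-disk symlink target being prepared
 *
 * This function computes the size the symlink target will require on-disk,
 * stores it in @disk_link->len, and validates it against @max_len.  An
 * encrypted symlink may be longer than the original.
 *
 * Additionally, @disk_link->name is set to @target if the symlink will be
 * unencrypted, but left NULL if the symlink will be encrypted.  For encrypted
 * symlinks, the filesystem must call fscrypt_encrypt_symlink() to create the
 * on-disk target later.  (The reason for the two-step process is that some
 * filesystems need to know the size of the symlink target before creating the
 * inode, e.g. to determine whether it will be a "fast" or "slow" symlink.)
 *
 * In the unencrypted case @disk_link->name aliases the caller's @target
 * buffer (with const cast away); nothing is copied, so @target must outlive
 * any use of @disk_link.  @disk_link is written even when -ENAMETOOLONG is
 * returned.
 *
 * Return: 0 on success, -ENAMETOOLONG if the symlink target is too long,
 * -ENOKEY if the encryption key is missing, or another -errno code if a problem
 * occurred while setting up the encryption key.
 */
static inline int fscrypt_prepare_symlink(struct inode *dir,
					  const char *target,
					  unsigned int len,
					  unsigned int max_len,
					  struct fscrypt_str *disk_link)
{
	if (IS_ENCRYPTED(dir) || fscrypt_dummy_context_enabled(dir))
		return __fscrypt_prepare_symlink(dir, len, max_len, disk_link);

	disk_link->name = (unsigned char *)target;
	/* The on-disk length counts the null terminator. */
	disk_link->len = len + 1;
	/*
	 * Same result as "len + 1 > max_len" whenever len + 1 does not wrap,
	 * but also rejects len == UINT_MAX, where the sum wraps to 0 and would
	 * otherwise slip past the size check.
	 */
	if (len >= max_len)
		return -ENAMETOOLONG;
	return 0;
}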
228 
/**
 * fscrypt_encrypt_symlink - encrypt the symlink target if needed
 * @inode: symlink inode
 * @target: plaintext symlink target
 * @len: length of @target excluding null terminator
 * @disk_link: (in/out) the on-disk symlink target being prepared
 *
 * If the symlink target needs to be encrypted, this function encrypts it
 * into @disk_link->name.  fscrypt_prepare_symlink() must have been called
 * beforehand to compute @disk_link->len.  If the filesystem did not allocate
 * a buffer for @disk_link->name after calling fscrypt_prepare_symlink(), one
 * will be kmalloc()'ed, and the filesystem is then responsible for freeing it.
 *
 * For an unencrypted inode nothing is done and @disk_link is left untouched.
 *
 * Return: 0 on success, -errno on failure
 */
static inline int fscrypt_encrypt_symlink(struct inode *inode,
					  const char *target,
					  unsigned int len,
					  struct fscrypt_str *disk_link)
{
	/* Unencrypted symlinks keep the target set up by the prepare step. */
	if (!IS_ENCRYPTED(inode))
		return 0;

	return __fscrypt_encrypt_symlink(inode, target, len, disk_link);
}
253 
254 #endif	/* _LINUX_FSCRYPT_H */