[mirror_ubuntu-zesty-kernel.git] / fs / crypto / policy.c

/*
 * Encryption policy functions for per-file encryption support.
 *
 * Copyright (C) 2015, Google, Inc.
 * Copyright (C) 2015, Motorola Mobility.
 *
 * Written by Michael Halcrow, 2015.
 * Modified by Jaegeuk Kim, 2015.
 */

#include <linux/random.h>
#include <linux/string.h>
#include <linux/mount.h>
#include "fscrypt_private.h"

static int inode_has_encryption_context(struct inode *inode)
{
	if (!inode->i_sb->s_cop->get_context)
		return 0;
	return (inode->i_sb->s_cop->get_context(inode, NULL, 0L) > 0);
}

/*
 * check whether the policy is consistent with the encryption context
 * for the inode
 */
static int is_encryption_context_consistent_with_policy(struct inode *inode,
				const struct fscrypt_policy *policy)
{
	struct fscrypt_context ctx;
	int res;

	if (!inode->i_sb->s_cop->get_context)
		return 0;

	res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
	if (res != sizeof(ctx))
		return 0;

	return (memcmp(ctx.master_key_descriptor, policy->master_key_descriptor,
			FS_KEY_DESCRIPTOR_SIZE) == 0 &&
			(ctx.flags == policy->flags) &&
			(ctx.contents_encryption_mode ==
			 policy->contents_encryption_mode) &&
			(ctx.filenames_encryption_mode ==
			 policy->filenames_encryption_mode));
}

static int create_encryption_context_from_policy(struct inode *inode,
				const struct fscrypt_policy *policy)
{
	struct fscrypt_context ctx;
	int res;

	if (!inode->i_sb->s_cop->set_context)
		return -EOPNOTSUPP;

	if (inode->i_sb->s_cop->prepare_context) {
		res = inode->i_sb->s_cop->prepare_context(inode);
		if (res)
			return res;
	}

	ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1;
	memcpy(ctx.master_key_descriptor, policy->master_key_descriptor,
					FS_KEY_DESCRIPTOR_SIZE);

	if (!fscrypt_valid_contents_enc_mode(
				policy->contents_encryption_mode)) {
		printk(KERN_WARNING
		       "%s: Invalid contents encryption mode %d\n", __func__,
			policy->contents_encryption_mode);
		return -EINVAL;
	}

	if (!fscrypt_valid_filenames_enc_mode(
				policy->filenames_encryption_mode)) {
		printk(KERN_WARNING
			"%s: Invalid filenames encryption mode %d\n", __func__,
			policy->filenames_encryption_mode);
		return -EINVAL;
	}

	if (policy->flags & ~FS_POLICY_FLAGS_VALID)
		return -EINVAL;

	ctx.contents_encryption_mode = policy->contents_encryption_mode;
	ctx.filenames_encryption_mode = policy->filenames_encryption_mode;
	ctx.flags = policy->flags;
	BUILD_BUG_ON(sizeof(ctx.nonce) != FS_KEY_DERIVATION_NONCE_SIZE);
	get_random_bytes(ctx.nonce, FS_KEY_DERIVATION_NONCE_SIZE);

	return inode->i_sb->s_cop->set_context(inode, &ctx, sizeof(ctx), NULL);
}

int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg)
{
	struct fscrypt_policy policy;
	struct inode *inode = file_inode(filp);
	int ret;

	if (copy_from_user(&policy, arg, sizeof(policy)))
		return -EFAULT;

	if (!inode_owner_or_capable(inode))
		return -EACCES;

	if (policy.version != 0)
		return -EINVAL;

	ret = mnt_want_write_file(filp);
	if (ret)
		return ret;

	inode_lock(inode);

	if (!inode_has_encryption_context(inode)) {
		if (!S_ISDIR(inode->i_mode))
			ret = -EINVAL;
		else if (!inode->i_sb->s_cop->empty_dir)
			ret = -EOPNOTSUPP;
		else if (!inode->i_sb->s_cop->empty_dir(inode))
			ret = -ENOTEMPTY;
		else
			ret = create_encryption_context_from_policy(inode,
								    &policy);
	} else if (!is_encryption_context_consistent_with_policy(inode,
								 &policy)) {
		printk(KERN_WARNING
		       "%s: Policy inconsistent with encryption context\n",
		       __func__);
		ret = -EINVAL;
	}

	inode_unlock(inode);

	mnt_drop_write_file(filp);
	return ret;
}
EXPORT_SYMBOL(fscrypt_ioctl_set_policy);

int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg)
{
	struct inode *inode = file_inode(filp);
	struct fscrypt_context ctx;
	struct fscrypt_policy policy;
	int res;

	if (!inode->i_sb->s_cop->get_context ||
			!inode->i_sb->s_cop->is_encrypted(inode))
		return -ENODATA;

	res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
	if (res != sizeof(ctx))
		return -ENODATA;
	if (ctx.format != FS_ENCRYPTION_CONTEXT_FORMAT_V1)
		return -EINVAL;

	policy.version = 0;
	policy.contents_encryption_mode = ctx.contents_encryption_mode;
	policy.filenames_encryption_mode = ctx.filenames_encryption_mode;
	policy.flags = ctx.flags;
	memcpy(policy.master_key_descriptor, ctx.master_key_descriptor,
				FS_KEY_DESCRIPTOR_SIZE);

	if (copy_to_user(arg, &policy, sizeof(policy)))
		return -EFAULT;
	return 0;
}
EXPORT_SYMBOL(fscrypt_ioctl_get_policy);

/**
 * fscrypt_has_permitted_context() - is a file's encryption policy permitted
 *				     within its directory?
 *
 * @parent: inode for parent directory
 * @child: inode for file being looked up, opened, or linked into @parent
 *
 * Filesystems must call this before permitting access to an inode in a
 * situation where the parent directory is encrypted (either before allowing
 * ->lookup() to succeed, or for a regular file before allowing it to be opened)
 * and before any operation that involves linking an inode into an encrypted
 * directory, including link, rename, and cross rename.  It enforces the
 * constraint that within a given encrypted directory tree, all files use the
 * same encryption policy.  The pre-access check is needed to detect potentially
 * malicious offline violations of this constraint, while the link and rename
 * checks are needed to prevent online violations of this constraint.
 *
 * Return: 1 if permitted, 0 if forbidden.  If forbidden, the caller must fail
 * the filesystem operation with EPERM.
 */
int fscrypt_has_permitted_context(struct inode *parent, struct inode *child)
{
	const struct fscrypt_operations *cops = parent->i_sb->s_cop;
	const struct fscrypt_info *parent_ci, *child_ci;
	struct fscrypt_context parent_ctx, child_ctx;
	int res;

	/* No restrictions on file types which are never encrypted */
	if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) &&
	    !S_ISLNK(child->i_mode))
		return 1;

	/* No restrictions if the parent directory is unencrypted */
	if (!cops->is_encrypted(parent))
		return 1;

	/* Encrypted directories must not contain unencrypted files */
	if (!cops->is_encrypted(child))
		return 0;

	/*
	 * Both parent and child are encrypted, so verify they use the same
	 * encryption policy.  Compare the fscrypt_info structs if the keys are
	 * available, otherwise retrieve and compare the fscrypt_contexts.
	 *
	 * Note that the fscrypt_context retrieval will be required frequently
	 * when accessing an encrypted directory tree without the key.
	 * Performance-wise this is not a big deal because we already don't
	 * really optimize for file access without the key (to the extent that
	 * such access is even possible), given that any attempted access
	 * already causes a fscrypt_context retrieval and keyring search.
	 *
	 * In any case, if an unexpected error occurs, fall back to "forbidden".
	 */

	res = fscrypt_get_encryption_info(parent);
	if (res)
		return 0;
	res = fscrypt_get_encryption_info(child);
	if (res)
		return 0;
	parent_ci = parent->i_crypt_info;
	child_ci = child->i_crypt_info;

	if (parent_ci && child_ci) {
		return memcmp(parent_ci->ci_master_key, child_ci->ci_master_key,
			      FS_KEY_DESCRIPTOR_SIZE) == 0 &&
			(parent_ci->ci_data_mode == child_ci->ci_data_mode) &&
			(parent_ci->ci_filename_mode ==
			 child_ci->ci_filename_mode) &&
			(parent_ci->ci_flags == child_ci->ci_flags);
	}

	res = cops->get_context(parent, &parent_ctx, sizeof(parent_ctx));
	if (res != sizeof(parent_ctx))
		return 0;

	res = cops->get_context(child, &child_ctx, sizeof(child_ctx));
	if (res != sizeof(child_ctx))
		return 0;

	return memcmp(parent_ctx.master_key_descriptor,
		      child_ctx.master_key_descriptor,
		      FS_KEY_DESCRIPTOR_SIZE) == 0 &&
		(parent_ctx.contents_encryption_mode ==
		 child_ctx.contents_encryption_mode) &&
		(parent_ctx.filenames_encryption_mode ==
		 child_ctx.filenames_encryption_mode) &&
		(parent_ctx.flags == child_ctx.flags);
}
EXPORT_SYMBOL(fscrypt_has_permitted_context);

/**
 * fscrypt_inherit_context() - Sets a child context from its parent
 * @parent: Parent inode from which the context is inherited.
 * @child:  Child inode that inherits the context from @parent.
 * @fs_data:  private data given by FS.
 * @preload:  preload child i_crypt_info
 *
 * Return: Zero on success, non-zero otherwise
 */
int fscrypt_inherit_context(struct inode *parent, struct inode *child,
						void *fs_data, bool preload)
{
	struct fscrypt_context ctx;
	struct fscrypt_info *ci;
	int res;

	if (!parent->i_sb->s_cop->set_context)
		return -EOPNOTSUPP;

	res = fscrypt_get_encryption_info(parent);
	if (res < 0)
		return res;

	ci = parent->i_crypt_info;
	if (ci == NULL)
		return -ENOKEY;

	ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1;
	if (fscrypt_dummy_context_enabled(parent)) {
		ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS;
		ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS;
		ctx.flags = 0;
		memset(ctx.master_key_descriptor, 0x42, FS_KEY_DESCRIPTOR_SIZE);
		res = 0;
	} else {
		ctx.contents_encryption_mode = ci->ci_data_mode;
		ctx.filenames_encryption_mode = ci->ci_filename_mode;
		ctx.flags = ci->ci_flags;
		memcpy(ctx.master_key_descriptor, ci->ci_master_key,
				FS_KEY_DESCRIPTOR_SIZE);
	}
	get_random_bytes(ctx.nonce, FS_KEY_DERIVATION_NONCE_SIZE);
	res = parent->i_sb->s_cop->set_context(child, &ctx,
						sizeof(ctx), fs_data);
	if (res)
		return res;
	return preload ? fscrypt_get_encryption_info(child): 0;
}
EXPORT_SYMBOL(fscrypt_inherit_context);
Commit	Line	Data
0b81d077 JK	1	/*
	2	* Encryption policy functions for per-file encryption support.
	3	*
	4	* Copyright (C) 2015, Google, Inc.
	5	* Copyright (C) 2015, Motorola Mobility.
	6	*
	7	* Written by Michael Halcrow, 2015.
	8	* Modified by Jaegeuk Kim, 2015.
	9	*/
	10
	11	#include <linux/random.h>
	12	#include <linux/string.h>
ba63f23d	13	#include <linux/mount.h>
cc4e0df0	14	#include "fscrypt_private.h"
0b81d077 JK	15
	16	static int inode_has_encryption_context(struct inode *inode)
	17	{
	18	if (!inode->i_sb->s_cop->get_context)
	19	return 0;
	20	return (inode->i_sb->s_cop->get_context(inode, NULL, 0L) > 0);
	21	}
	22
	23	/*
	24	* check whether the policy is consistent with the encryption context
	25	* for the inode
	26	*/
	27	static int is_encryption_context_consistent_with_policy(struct inode *inode,
	28	const struct fscrypt_policy *policy)
	29	{
	30	struct fscrypt_context ctx;
	31	int res;
	32
	33	if (!inode->i_sb->s_cop->get_context)
	34	return 0;
	35
	36	res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
	37	if (res != sizeof(ctx))
	38	return 0;
	39
	40	return (memcmp(ctx.master_key_descriptor, policy->master_key_descriptor,
	41	FS_KEY_DESCRIPTOR_SIZE) == 0 &&
	42	(ctx.flags == policy->flags) &&
	43	(ctx.contents_encryption_mode ==
	44	policy->contents_encryption_mode) &&
	45	(ctx.filenames_encryption_mode ==
	46	policy->filenames_encryption_mode));
	47	}
	48
	49	static int create_encryption_context_from_policy(struct inode *inode,
	50	const struct fscrypt_policy *policy)
	51	{
	52	struct fscrypt_context ctx;
	53	int res;
	54
	55	if (!inode->i_sb->s_cop->set_context)
	56	return -EOPNOTSUPP;
	57
	58	if (inode->i_sb->s_cop->prepare_context) {
	59	res = inode->i_sb->s_cop->prepare_context(inode);
	60	if (res)
	61	return res;
	62	}
	63
	64	ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1;
	65	memcpy(ctx.master_key_descriptor, policy->master_key_descriptor,
	66	FS_KEY_DESCRIPTOR_SIZE);
	67
	68	if (!fscrypt_valid_contents_enc_mode(
	69	policy->contents_encryption_mode)) {
	70	printk(KERN_WARNING
	71	"%s: Invalid contents encryption mode %d\n", __func__,
	72	policy->contents_encryption_mode);
	73	return -EINVAL;
	74	}
	75
	76	if (!fscrypt_valid_filenames_enc_mode(
	77	policy->filenames_encryption_mode)) {
	78	printk(KERN_WARNING
79	"%s: Invalid filenames encryption mode %d\n", __func__,
80	policy->filenames_encryption_mode);
81	return -EINVAL;
82	}
83
84	if (policy->flags & ~FS_POLICY_FLAGS_VALID)
85	return -EINVAL;
86
87	ctx.contents_encryption_mode = policy->contents_encryption_mode;
88	ctx.filenames_encryption_mode = policy->filenames_encryption_mode;
89	ctx.flags = policy->flags;
90	BUILD_BUG_ON(sizeof(ctx.nonce) != FS_KEY_DERIVATION_NONCE_SIZE);
91	get_random_bytes(ctx.nonce, FS_KEY_DERIVATION_NONCE_SIZE);
92
93	return inode->i_sb->s_cop->set_context(inode, &ctx, sizeof(ctx), NULL);
94	}
95
db717d8e	96	int fscrypt_ioctl_set_policy(struct file filp, const void __user arg)
0b81d077	97	{
db717d8e	98	struct fscrypt_policy policy;
ba63f23d EB	99	struct inode *inode = file_inode(filp);
	100	int ret;
	101
db717d8e EB	102	if (copy_from_user(&policy, arg, sizeof(policy)))
	103	return -EFAULT;
	104
163ae1c6 EB	105	if (!inode_owner_or_capable(inode))
	106	return -EACCES;
	107
db717d8e	108	if (policy.version != 0)
0b81d077 JK	109	return -EINVAL;
0b81d077 JK	110
ba63f23d EB	111	ret = mnt_want_write_file(filp);
	112	if (ret)
	113	return ret;
	114
8906a822 EB	115	inode_lock(inode);
8906a822 EB	116
0b81d077	117	if (!inode_has_encryption_context(inode)) {
002ced4b	118	if (!S_ISDIR(inode->i_mode))
ba63f23d EB	119	ret = -EINVAL;
	120	else if (!inode->i_sb->s_cop->empty_dir)
	121	ret = -EOPNOTSUPP;
	122	else if (!inode->i_sb->s_cop->empty_dir(inode))
	123	ret = -ENOTEMPTY;
	124	else
	125	ret = create_encryption_context_from_policy(inode,
db717d8e	126	&policy);
ba63f23d	127	} else if (!is_encryption_context_consistent_with_policy(inode,
db717d8e	128	&policy)) {
ba63f23d EB	129	printk(KERN_WARNING
	130	"%s: Policy inconsistent with encryption context\n",
	131	__func__);
	132	ret = -EINVAL;
0b81d077 JK	133	}
0b81d077 JK	134
8906a822 EB	135	inode_unlock(inode);
8906a822 EB	136
ba63f23d EB	137	mnt_drop_write_file(filp);
ba63f23d EB	138	return ret;
0b81d077	139	}
db717d8e	140	EXPORT_SYMBOL(fscrypt_ioctl_set_policy);
0b81d077	141
db717d8e	142	int fscrypt_ioctl_get_policy(struct file filp, void __user arg)
0b81d077	143	{
db717d8e	144	struct inode *inode = file_inode(filp);
0b81d077	145	struct fscrypt_context ctx;
db717d8e	146	struct fscrypt_policy policy;
0b81d077 JK	147	int res;
	148
	149	if (!inode->i_sb->s_cop->get_context \|\|
	150	!inode->i_sb->s_cop->is_encrypted(inode))
	151	return -ENODATA;
	152
	153	res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
	154	if (res != sizeof(ctx))
	155	return -ENODATA;
	156	if (ctx.format != FS_ENCRYPTION_CONTEXT_FORMAT_V1)
	157	return -EINVAL;
	158
db717d8e EB	159	policy.version = 0;
	160	policy.contents_encryption_mode = ctx.contents_encryption_mode;
	161	policy.filenames_encryption_mode = ctx.filenames_encryption_mode;
	162	policy.flags = ctx.flags;
	163	memcpy(policy.master_key_descriptor, ctx.master_key_descriptor,
0b81d077	164	FS_KEY_DESCRIPTOR_SIZE);
db717d8e EB	165
	166	if (copy_to_user(arg, &policy, sizeof(policy)))
	167	return -EFAULT;
0b81d077 JK	168	return 0;
0b81d077 JK	169	}
db717d8e	170	EXPORT_SYMBOL(fscrypt_ioctl_get_policy);
0b81d077	171
efdb504e EB	172	/**
	173	* fscrypt_has_permitted_context() - is a file's encryption policy permitted
	174	* within its directory?
	175	*
	176	* @parent: inode for parent directory
	177	* @child: inode for file being looked up, opened, or linked into @parent
	178	*
	179	* Filesystems must call this before permitting access to an inode in a
	180	* situation where the parent directory is encrypted (either before allowing
	181	* ->lookup() to succeed, or for a regular file before allowing it to be opened)
	182	* and before any operation that involves linking an inode into an encrypted
	183	* directory, including link, rename, and cross rename. It enforces the
	184	* constraint that within a given encrypted directory tree, all files use the
	185	* same encryption policy. The pre-access check is needed to detect potentially
	186	* malicious offline violations of this constraint, while the link and rename
	187	* checks are needed to prevent online violations of this constraint.
	188	*
	189	* Return: 1 if permitted, 0 if forbidden. If forbidden, the caller must fail
	190	* the filesystem operation with EPERM.
	191	*/
0b81d077 JK	192	int fscrypt_has_permitted_context(struct inode parent, struct inode child)
0b81d077 JK	193	{
efdb504e EB	194	const struct fscrypt_operations *cops = parent->i_sb->s_cop;
	195	const struct fscrypt_info parent_ci, child_ci;
	196	struct fscrypt_context parent_ctx, child_ctx;
0b81d077 JK	197	int res;
0b81d077 JK	198
42d97eb0 EB	199	/* No restrictions on file types which are never encrypted */
	200	if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) &&
	201	!S_ISLNK(child->i_mode))
	202	return 1;
	203
efdb504e EB	204	/* No restrictions if the parent directory is unencrypted */
efdb504e EB	205	if (!cops->is_encrypted(parent))
0b81d077	206	return 1;
efdb504e EB	207
	208	/* Encrypted directories must not contain unencrypted files */
	209	if (!cops->is_encrypted(child))
0b81d077	210	return 0;
efdb504e EB	211
	212	/*
	213	* Both parent and child are encrypted, so verify they use the same
	214	* encryption policy. Compare the fscrypt_info structs if the keys are
	215	* available, otherwise retrieve and compare the fscrypt_contexts.
	216	*
	217	* Note that the fscrypt_context retrieval will be required frequently
	218	* when accessing an encrypted directory tree without the key.
	219	* Performance-wise this is not a big deal because we already don't
	220	* really optimize for file access without the key (to the extent that
	221	* such access is even possible), given that any attempted access
	222	* already causes a fscrypt_context retrieval and keyring search.
	223	*
	224	* In any case, if an unexpected error occurs, fall back to "forbidden".
	225	*/
	226
0b81d077 JK	227	res = fscrypt_get_encryption_info(parent);
	228	if (res)
	229	return 0;
	230	res = fscrypt_get_encryption_info(child);
	231	if (res)
	232	return 0;
	233	parent_ci = parent->i_crypt_info;
	234	child_ci = child->i_crypt_info;
efdb504e EB	235
	236	if (parent_ci && child_ci) {
	237	return memcmp(parent_ci->ci_master_key, child_ci->ci_master_key,
	238	FS_KEY_DESCRIPTOR_SIZE) == 0 &&
	239	(parent_ci->ci_data_mode == child_ci->ci_data_mode) &&
	240	(parent_ci->ci_filename_mode ==
	241	child_ci->ci_filename_mode) &&
	242	(parent_ci->ci_flags == child_ci->ci_flags);
	243	}
	244
	245	res = cops->get_context(parent, &parent_ctx, sizeof(parent_ctx));
	246	if (res != sizeof(parent_ctx))
0b81d077 JK	247	return 0;
0b81d077 JK	248
efdb504e EB	249	res = cops->get_context(child, &child_ctx, sizeof(child_ctx));
	250	if (res != sizeof(child_ctx))
	251	return 0;
	252
	253	return memcmp(parent_ctx.master_key_descriptor,
	254	child_ctx.master_key_descriptor,
	255	FS_KEY_DESCRIPTOR_SIZE) == 0 &&
	256	(parent_ctx.contents_encryption_mode ==
	257	child_ctx.contents_encryption_mode) &&
	258	(parent_ctx.filenames_encryption_mode ==
	259	child_ctx.filenames_encryption_mode) &&
	260	(parent_ctx.flags == child_ctx.flags);
0b81d077 JK	261	}
	262	EXPORT_SYMBOL(fscrypt_has_permitted_context);
	263
	264	/**
	265	* fscrypt_inherit_context() - Sets a child context from its parent
	266	* @parent: Parent inode from which the context is inherited.
	267	* @child: Child inode that inherits the context from @parent.
	268	* @fs_data: private data given by FS.
	269	* @preload: preload child i_crypt_info
	270	*
	271	* Return: Zero on success, non-zero otherwise
	272	*/
	273	int fscrypt_inherit_context(struct inode parent, struct inode child,
	274	void *fs_data, bool preload)
	275	{
	276	struct fscrypt_context ctx;
	277	struct fscrypt_info *ci;
	278	int res;
	279
	280	if (!parent->i_sb->s_cop->set_context)
	281	return -EOPNOTSUPP;
	282
	283	res = fscrypt_get_encryption_info(parent);
	284	if (res < 0)
	285	return res;
	286
	287	ci = parent->i_crypt_info;
	288	if (ci == NULL)
	289	return -ENOKEY;
	290
	291	ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1;
	292	if (fscrypt_dummy_context_enabled(parent)) {
	293	ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS;
	294	ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS;
	295	ctx.flags = 0;
	296	memset(ctx.master_key_descriptor, 0x42, FS_KEY_DESCRIPTOR_SIZE);
	297	res = 0;
	298	} else {
	299	ctx.contents_encryption_mode = ci->ci_data_mode;
	300	ctx.filenames_encryption_mode = ci->ci_filename_mode;
	301	ctx.flags = ci->ci_flags;
	302	memcpy(ctx.master_key_descriptor, ci->ci_master_key,
	303	FS_KEY_DESCRIPTOR_SIZE);
	304	}
	305	get_random_bytes(ctx.nonce, FS_KEY_DERIVATION_NONCE_SIZE);
	306	res = parent->i_sb->s_cop->set_context(child, &ctx,
	307	sizeof(ctx), fs_data);
	308	if (res)
	309	return res;
	310	return preload ? fscrypt_get_encryption_info(child): 0;
	311	}
	312	EXPORT_SYMBOL(fscrypt_inherit_context);