[mirror_ubuntu-bionic-kernel.git] / include / linux / fscrypt.h

/* SPDX-License-Identifier: GPL-2.0 */
/*
 * fscrypt.h: declarations for per-file encryption
 *
 * Filesystems that implement per-file encryption include this header
 * file with the __FS_HAS_ENCRYPTION set according to whether that filesystem
 * is being built with encryption support or not.
 *
 * Copyright (C) 2015, Google, Inc.
 *
 * Written by Michael Halcrow, 2015.
 * Modified by Jaegeuk Kim, 2015.
 */
#ifndef _LINUX_FSCRYPT_H
#define _LINUX_FSCRYPT_H

#include <linux/key.h>
#include <linux/fs.h>
#include <linux/mm.h>
#include <linux/bio.h>
#include <linux/dcache.h>
#include <crypto/skcipher.h>
#include <uapi/linux/fs.h>

#define FS_CRYPTO_BLOCK_SIZE		16

struct fscrypt_info;

struct fscrypt_ctx {
	union {
		struct {
			struct page *bounce_page;	/* Ciphertext page */
			struct page *control_page;	/* Original page  */
		} w;
		struct {
			struct bio *bio;
			struct work_struct work;
		} r;
		struct list_head free_list;	/* Free list */
	};
	u8 flags;				/* Flags */
};

/**
 * For encrypted symlinks, the ciphertext length is stored at the beginning
 * of the string in little-endian format.
 */
struct fscrypt_symlink_data {
	__le16 len;
	char encrypted_path[1];
} __packed;

struct fscrypt_str {
	unsigned char *name;
	u32 len;
};

struct fscrypt_name {
	const struct qstr *usr_fname;
	struct fscrypt_str disk_name;
	u32 hash;
	u32 minor_hash;
	struct fscrypt_str crypto_buf;
};

#define FSTR_INIT(n, l)		{ .name = n, .len = l }
#define FSTR_TO_QSTR(f)		QSTR_INIT((f)->name, (f)->len)
#define fname_name(p)		((p)->disk_name.name)
#define fname_len(p)		((p)->disk_name.len)

/*
 * fscrypt superblock flags
 */
#define FS_CFLG_OWN_PAGES (1U << 1)

/*
 * crypto opertions for filesystems
 */
struct fscrypt_operations {
	unsigned int flags;
	const char *key_prefix;
	int (*get_context)(struct inode *, void *, size_t);
	int (*set_context)(struct inode *, const void *, size_t, void *);
	bool (*dummy_context)(struct inode *);
	bool (*empty_dir)(struct inode *);
	unsigned (*max_namelen)(struct inode *);
};

/* Maximum value for the third parameter of fscrypt_operations.set_context(). */
#define FSCRYPT_SET_CONTEXT_MAX_SIZE	28

static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
{
	if (inode->i_sb->s_cop->dummy_context &&
				inode->i_sb->s_cop->dummy_context(inode))
		return true;
	return false;
}

static inline bool fscrypt_valid_enc_modes(u32 contents_mode,
					u32 filenames_mode)
{
	if (contents_mode == FS_ENCRYPTION_MODE_AES_128_CBC &&
	    filenames_mode == FS_ENCRYPTION_MODE_AES_128_CTS)
		return true;

	if (contents_mode == FS_ENCRYPTION_MODE_AES_256_XTS &&
	    filenames_mode == FS_ENCRYPTION_MODE_AES_256_CTS)
		return true;

	return false;
}

static inline bool fscrypt_is_dot_dotdot(const struct qstr *str)
{
	if (str->len == 1 && str->name[0] == '.')
		return true;

	if (str->len == 2 && str->name[0] == '.' && str->name[1] == '.')
		return true;

	return false;
}

#if __FS_HAS_ENCRYPTION

static inline struct page *fscrypt_control_page(struct page *page)
{
	return ((struct fscrypt_ctx *)page_private(page))->w.control_page;
}

static inline bool fscrypt_has_encryption_key(const struct inode *inode)
{
	return (inode->i_crypt_info != NULL);
}

#include <linux/fscrypt_supp.h>

#else /* !__FS_HAS_ENCRYPTION */

static inline struct page *fscrypt_control_page(struct page *page)
{
	WARN_ON_ONCE(1);
	return ERR_PTR(-EINVAL);
}

static inline bool fscrypt_has_encryption_key(const struct inode *inode)
{
	return 0;
}

#include <linux/fscrypt_notsupp.h>
#endif /* __FS_HAS_ENCRYPTION */

/**
 * fscrypt_require_key - require an inode's encryption key
 * @inode: the inode we need the key for
 *
 * If the inode is encrypted, set up its encryption key if not already done.
 * Then require that the key be present and return -ENOKEY otherwise.
 *
 * No locks are needed, and the key will live as long as the struct inode --- so
 * it won't go away from under you.
 *
 * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
 * if a problem occurred while setting up the encryption key.
 */
static inline int fscrypt_require_key(struct inode *inode)
{
	if (IS_ENCRYPTED(inode)) {
		int err = fscrypt_get_encryption_info(inode);

		if (err)
			return err;
		if (!fscrypt_has_encryption_key(inode))
			return -ENOKEY;
	}
	return 0;
}

/**
 * fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory
 * @old_dentry: an existing dentry for the inode being linked
 * @dir: the target directory
 * @dentry: negative dentry for the target filename
 *
 * A new link can only be added to an encrypted directory if the directory's
 * encryption key is available --- since otherwise we'd have no way to encrypt
 * the filename.  Therefore, we first set up the directory's encryption key (if
 * not already done) and return an error if it's unavailable.
 *
 * We also verify that the link will not violate the constraint that all files
 * in an encrypted directory tree use the same encryption policy.
 *
 * Return: 0 on success, -ENOKEY if the directory's encryption key is missing,
 * -EPERM if the link would result in an inconsistent encryption policy, or
 * another -errno code.
 */
static inline int fscrypt_prepare_link(struct dentry *old_dentry,
				       struct inode *dir,
				       struct dentry *dentry)
{
	if (IS_ENCRYPTED(dir))
		return __fscrypt_prepare_link(d_inode(old_dentry), dir);
	return 0;
}

/**
 * fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories
 * @old_dir: source directory
 * @old_dentry: dentry for source file
 * @new_dir: target directory
 * @new_dentry: dentry for target location (may be negative unless exchanging)
 * @flags: rename flags (we care at least about %RENAME_EXCHANGE)
 *
 * Prepare for ->rename() where the source and/or target directories may be
 * encrypted.  A new link can only be added to an encrypted directory if the
 * directory's encryption key is available --- since otherwise we'd have no way
 * to encrypt the filename.  A rename to an existing name, on the other hand,
 * *is* cryptographically possible without the key.  However, we take the more
 * conservative approach and just forbid all no-key renames.
 *
 * We also verify that the rename will not violate the constraint that all files
 * in an encrypted directory tree use the same encryption policy.
 *
 * Return: 0 on success, -ENOKEY if an encryption key is missing, -EPERM if the
 * rename would cause inconsistent encryption policies, or another -errno code.
 */
static inline int fscrypt_prepare_rename(struct inode *old_dir,
					 struct dentry *old_dentry,
					 struct inode *new_dir,
					 struct dentry *new_dentry,
					 unsigned int flags)
{
	if (IS_ENCRYPTED(old_dir) || IS_ENCRYPTED(new_dir))
		return __fscrypt_prepare_rename(old_dir, old_dentry,
						new_dir, new_dentry, flags);
	return 0;
}

/**
 * fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory
 * @dir: directory being searched
 * @dentry: filename being looked up
 * @flags: lookup flags
 *
 * Prepare for ->lookup() in a directory which may be encrypted.  Lookups can be
 * done with or without the directory's encryption key; without the key,
 * filenames are presented in encrypted form.  Therefore, we'll try to set up
 * the directory's encryption key, but even without it the lookup can continue.
 *
 * To allow invalidating stale dentries if the directory's encryption key is
 * added later, we also install a custom ->d_revalidate() method and use the
 * DCACHE_ENCRYPTED_WITH_KEY flag to indicate whether a given dentry is a
 * plaintext name (flag set) or a ciphertext name (flag cleared).
 *
 * Return: 0 on success, -errno if a problem occurred while setting up the
 * encryption key
 */
static inline int fscrypt_prepare_lookup(struct inode *dir,
					 struct dentry *dentry,
					 unsigned int flags)
{
	if (IS_ENCRYPTED(dir))
		return __fscrypt_prepare_lookup(dir, dentry);
	return 0;
}

/**
 * fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes
 * @dentry: dentry through which the inode is being changed
 * @attr: attributes to change
 *
 * Prepare for ->setattr() on a possibly-encrypted inode.  On an encrypted file,
 * most attribute changes are allowed even without the encryption key.  However,
 * without the encryption key we do have to forbid truncates.  This is needed
 * because the size being truncated to may not be a multiple of the filesystem
 * block size, and in that case we'd have to decrypt the final block, zero the
 * portion past i_size, and re-encrypt it.  (We *could* allow truncating to a
 * filesystem block boundary, but it's simpler to just forbid all truncates ---
 * and we already forbid all other contents modifications without the key.)
 *
 * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
 * if a problem occurred while setting up the encryption key.
 */
static inline int fscrypt_prepare_setattr(struct dentry *dentry,
					  struct iattr *attr)
{
	if (attr->ia_valid & ATTR_SIZE)
		return fscrypt_require_key(d_inode(dentry));
	return 0;
}

#endif	/* _LINUX_FSCRYPT_H */
Commit	Line	Data
32190f0a	1	/* SPDX-License-Identifier: GPL-2.0 */
46f47e48	2	/*
734f0d24 DC	3	* fscrypt.h: declarations for per-file encryption
	4	*
	5	* Filesystems that implement per-file encryption include this header
	6	* file with the __FS_HAS_ENCRYPTION set according to whether that filesystem
	7	* is being built with encryption support or not.
46f47e48 EB	8	*
	9	* Copyright (C) 2015, Google, Inc.
	10	*
	11	* Written by Michael Halcrow, 2015.
	12	* Modified by Jaegeuk Kim, 2015.
	13	*/
734f0d24 DC	14	#ifndef _LINUX_FSCRYPT_H
734f0d24 DC	15	#define _LINUX_FSCRYPT_H
46f47e48 EB	16
	17	#include <linux/key.h>
	18	#include <linux/fs.h>
	19	#include <linux/mm.h>
	20	#include <linux/bio.h>
	21	#include <linux/dcache.h>
	22	#include <crypto/skcipher.h>
	23	#include <uapi/linux/fs.h>
	24
	25	#define FS_CRYPTO_BLOCK_SIZE 16
	26
	27	struct fscrypt_info;
	28
	29	struct fscrypt_ctx {
	30	union {
	31	struct {
	32	struct page bounce_page; / Ciphertext page */
	33	struct page control_page; / Original page */
	34	} w;
	35	struct {
	36	struct bio *bio;
	37	struct work_struct work;
	38	} r;
	39	struct list_head free_list; /* Free list */
	40	};
	41	u8 flags; /* Flags */
	42	};
	43
	44	/**
	45	* For encrypted symlinks, the ciphertext length is stored at the beginning
	46	* of the string in little-endian format.
	47	*/
	48	struct fscrypt_symlink_data {
	49	__le16 len;
	50	char encrypted_path[1];
	51	} __packed;
	52
46f47e48 EB	53	struct fscrypt_str {
	54	unsigned char *name;
	55	u32 len;
	56	};
	57
	58	struct fscrypt_name {
	59	const struct qstr *usr_fname;
	60	struct fscrypt_str disk_name;
	61	u32 hash;
	62	u32 minor_hash;
	63	struct fscrypt_str crypto_buf;
	64	};
	65
	66	#define FSTR_INIT(n, l) { .name = n, .len = l }
	67	#define FSTR_TO_QSTR(f) QSTR_INIT((f)->name, (f)->len)
	68	#define fname_name(p) ((p)->disk_name.name)
	69	#define fname_len(p) ((p)->disk_name.len)
	70
	71	/*
	72	* fscrypt superblock flags
	73	*/
	74	#define FS_CFLG_OWN_PAGES (1U << 1)
	75
	76	/*
	77	* crypto opertions for filesystems
	78	*/
	79	struct fscrypt_operations {
	80	unsigned int flags;
	81	const char *key_prefix;
	82	int (get_context)(struct inode , void *, size_t);
46f47e48	83	int (set_context)(struct inode , const void , size_t, void );
c250b7dd	84	bool (dummy_context)(struct inode );
46f47e48 EB	85	bool (empty_dir)(struct inode );
	86	unsigned (max_namelen)(struct inode );
	87	};
	88
af65207c TE	89	/* Maximum value for the third parameter of fscrypt_operations.set_context(). */
	90	#define FSCRYPT_SET_CONTEXT_MAX_SIZE 28
	91
46f47e48 EB	92	static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
	93	{
	94	if (inode->i_sb->s_cop->dummy_context &&
	95	inode->i_sb->s_cop->dummy_context(inode))
	96	return true;
	97	return false;
	98	}
	99
b7e7cf7a DW	100	static inline bool fscrypt_valid_enc_modes(u32 contents_mode,
b7e7cf7a DW	101	u32 filenames_mode)
46f47e48	102	{
b7e7cf7a DW	103	if (contents_mode == FS_ENCRYPTION_MODE_AES_128_CBC &&
	104	filenames_mode == FS_ENCRYPTION_MODE_AES_128_CTS)
	105	return true;
46f47e48	106
b7e7cf7a DW	107	if (contents_mode == FS_ENCRYPTION_MODE_AES_256_XTS &&
	108	filenames_mode == FS_ENCRYPTION_MODE_AES_256_CTS)
	109	return true;
	110
	111	return false;
46f47e48 EB	112	}
	113
	114	static inline bool fscrypt_is_dot_dotdot(const struct qstr *str)
	115	{
	116	if (str->len == 1 && str->name[0] == '.')
	117	return true;
	118
	119	if (str->len == 2 && str->name[0] == '.' && str->name[1] == '.')
	120	return true;
	121
	122	return false;
	123	}
	124
734f0d24 DC	125	#if __FS_HAS_ENCRYPTION
734f0d24 DC	126
46f47e48 EB	127	static inline struct page fscrypt_control_page(struct page page)
46f47e48 EB	128	{
46f47e48	129	return ((struct fscrypt_ctx *)page_private(page))->w.control_page;
734f0d24 DC	130	}
	131
	132	static inline bool fscrypt_has_encryption_key(const struct inode *inode)
	133	{
	134	return (inode->i_crypt_info != NULL);
	135	}
	136
	137	#include <linux/fscrypt_supp.h>
	138
	139	#else /* !__FS_HAS_ENCRYPTION */
	140
	141	static inline struct page fscrypt_control_page(struct page page)
	142	{
46f47e48 EB	143	WARN_ON_ONCE(1);
46f47e48 EB	144	return ERR_PTR(-EINVAL);
46f47e48 EB	145	}
46f47e48 EB	146
734f0d24	147	static inline bool fscrypt_has_encryption_key(const struct inode *inode)
46f47e48	148	{
46f47e48	149	return 0;
46f47e48 EB	150	}
46f47e48 EB	151
734f0d24 DC	152	#include <linux/fscrypt_notsupp.h>
	153	#endif /* __FS_HAS_ENCRYPTION */
	154
d293c3e4 EB	155	/**
	156	* fscrypt_require_key - require an inode's encryption key
	157	* @inode: the inode we need the key for
	158	*
	159	* If the inode is encrypted, set up its encryption key if not already done.
	160	* Then require that the key be present and return -ENOKEY otherwise.
	161	*
	162	* No locks are needed, and the key will live as long as the struct inode --- so
	163	* it won't go away from under you.
	164	*
	165	* Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
	166	* if a problem occurred while setting up the encryption key.
	167	*/
	168	static inline int fscrypt_require_key(struct inode *inode)
	169	{
	170	if (IS_ENCRYPTED(inode)) {
	171	int err = fscrypt_get_encryption_info(inode);
	172
	173	if (err)
	174	return err;
	175	if (!fscrypt_has_encryption_key(inode))
	176	return -ENOKEY;
	177	}
	178	return 0;
	179	}
734f0d24	180
0ea87a96 EB	181	/**
	182	* fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory
	183	* @old_dentry: an existing dentry for the inode being linked
	184	* @dir: the target directory
	185	* @dentry: negative dentry for the target filename
	186	*
	187	* A new link can only be added to an encrypted directory if the directory's
	188	* encryption key is available --- since otherwise we'd have no way to encrypt
	189	* the filename. Therefore, we first set up the directory's encryption key (if
	190	* not already done) and return an error if it's unavailable.
	191	*
	192	* We also verify that the link will not violate the constraint that all files
	193	* in an encrypted directory tree use the same encryption policy.
	194	*
	195	* Return: 0 on success, -ENOKEY if the directory's encryption key is missing,
	196	* -EPERM if the link would result in an inconsistent encryption policy, or
	197	* another -errno code.
	198	*/
	199	static inline int fscrypt_prepare_link(struct dentry *old_dentry,
	200	struct inode *dir,
	201	struct dentry *dentry)
	202	{
	203	if (IS_ENCRYPTED(dir))
	204	return __fscrypt_prepare_link(d_inode(old_dentry), dir);
	205	return 0;
	206	}
	207
94b26f36 EB	208	/**
	209	* fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories
	210	* @old_dir: source directory
	211	* @old_dentry: dentry for source file
	212	* @new_dir: target directory
	213	* @new_dentry: dentry for target location (may be negative unless exchanging)
	214	* @flags: rename flags (we care at least about %RENAME_EXCHANGE)
	215	*
	216	* Prepare for ->rename() where the source and/or target directories may be
	217	* encrypted. A new link can only be added to an encrypted directory if the
	218	* directory's encryption key is available --- since otherwise we'd have no way
	219	* to encrypt the filename. A rename to an existing name, on the other hand,
	220	* is cryptographically possible without the key. However, we take the more
	221	* conservative approach and just forbid all no-key renames.
	222	*
	223	* We also verify that the rename will not violate the constraint that all files
	224	* in an encrypted directory tree use the same encryption policy.
	225	*
	226	* Return: 0 on success, -ENOKEY if an encryption key is missing, -EPERM if the
	227	* rename would cause inconsistent encryption policies, or another -errno code.
	228	*/
	229	static inline int fscrypt_prepare_rename(struct inode *old_dir,
	230	struct dentry *old_dentry,
	231	struct inode *new_dir,
	232	struct dentry *new_dentry,
	233	unsigned int flags)
	234	{
	235	if (IS_ENCRYPTED(old_dir) \|\| IS_ENCRYPTED(new_dir))
	236	return __fscrypt_prepare_rename(old_dir, old_dentry,
	237	new_dir, new_dentry, flags);
	238	return 0;
	239	}
	240
32c3cf02 EB	241	/**
	242	* fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory
	243	* @dir: directory being searched
	244	* @dentry: filename being looked up
	245	* @flags: lookup flags
	246	*
	247	* Prepare for ->lookup() in a directory which may be encrypted. Lookups can be
	248	* done with or without the directory's encryption key; without the key,
	249	* filenames are presented in encrypted form. Therefore, we'll try to set up
	250	* the directory's encryption key, but even without it the lookup can continue.
	251	*
	252	* To allow invalidating stale dentries if the directory's encryption key is
	253	* added later, we also install a custom ->d_revalidate() method and use the
	254	* DCACHE_ENCRYPTED_WITH_KEY flag to indicate whether a given dentry is a
	255	* plaintext name (flag set) or a ciphertext name (flag cleared).
	256	*
	257	* Return: 0 on success, -errno if a problem occurred while setting up the
	258	* encryption key
	259	*/
	260	static inline int fscrypt_prepare_lookup(struct inode *dir,
	261	struct dentry *dentry,
	262	unsigned int flags)
	263	{
	264	if (IS_ENCRYPTED(dir))
	265	return __fscrypt_prepare_lookup(dir, dentry);
	266	return 0;
	267	}
	268
815dac33 EB	269	/**
	270	* fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes
	271	* @dentry: dentry through which the inode is being changed
	272	* @attr: attributes to change
	273	*
	274	* Prepare for ->setattr() on a possibly-encrypted inode. On an encrypted file,
	275	* most attribute changes are allowed even without the encryption key. However,
	276	* without the encryption key we do have to forbid truncates. This is needed
	277	* because the size being truncated to may not be a multiple of the filesystem
	278	* block size, and in that case we'd have to decrypt the final block, zero the
	279	* portion past i_size, and re-encrypt it. (We could allow truncating to a
	280	* filesystem block boundary, but it's simpler to just forbid all truncates ---
	281	* and we already forbid all other contents modifications without the key.)
	282	*
	283	* Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
	284	* if a problem occurred while setting up the encryption key.
	285	*/
	286	static inline int fscrypt_prepare_setattr(struct dentry *dentry,
	287	struct iattr *attr)
	288	{
	289	if (attr->ia_valid & ATTR_SIZE)
	290	return fscrypt_require_key(d_inode(dentry));
	291	return 0;
	292	}
	293
734f0d24	294	#endif /* _LINUX_FSCRYPT_H */