]>
Commit | Line | Data |
---|---|---|
32190f0a | 1 | /* SPDX-License-Identifier: GPL-2.0 */ |
46f47e48 | 2 | /* |
734f0d24 DC |
3 | * fscrypt.h: declarations for per-file encryption |
4 | * | |
5 | * Filesystems that implement per-file encryption include this header | |
6 | * file with the __FS_HAS_ENCRYPTION set according to whether that filesystem | |
7 | * is being built with encryption support or not. | |
46f47e48 EB |
8 | * |
9 | * Copyright (C) 2015, Google, Inc. | |
10 | * | |
11 | * Written by Michael Halcrow, 2015. | |
12 | * Modified by Jaegeuk Kim, 2015. | |
13 | */ | |
734f0d24 DC |
14 | #ifndef _LINUX_FSCRYPT_H |
15 | #define _LINUX_FSCRYPT_H | |
46f47e48 EB |
16 | |
17 | #include <linux/key.h> | |
18 | #include <linux/fs.h> | |
19 | #include <linux/mm.h> | |
20 | #include <linux/bio.h> | |
21 | #include <linux/dcache.h> | |
22 | #include <crypto/skcipher.h> | |
23 | #include <uapi/linux/fs.h> | |
24 | ||
25 | #define FS_CRYPTO_BLOCK_SIZE 16 | |
26 | ||
27 | struct fscrypt_info; | |
28 | ||
29 | struct fscrypt_ctx { | |
30 | union { | |
31 | struct { | |
32 | struct page *bounce_page; /* Ciphertext page */ | |
33 | struct page *control_page; /* Original page */ | |
34 | } w; | |
35 | struct { | |
36 | struct bio *bio; | |
37 | struct work_struct work; | |
38 | } r; | |
39 | struct list_head free_list; /* Free list */ | |
40 | }; | |
41 | u8 flags; /* Flags */ | |
42 | }; | |
43 | ||
44 | /** | |
45 | * For encrypted symlinks, the ciphertext length is stored at the beginning | |
46 | * of the string in little-endian format. | |
47 | */ | |
48 | struct fscrypt_symlink_data { | |
49 | __le16 len; | |
50 | char encrypted_path[1]; | |
51 | } __packed; | |
52 | ||
46f47e48 EB |
53 | struct fscrypt_str { |
54 | unsigned char *name; | |
55 | u32 len; | |
56 | }; | |
57 | ||
58 | struct fscrypt_name { | |
59 | const struct qstr *usr_fname; | |
60 | struct fscrypt_str disk_name; | |
61 | u32 hash; | |
62 | u32 minor_hash; | |
63 | struct fscrypt_str crypto_buf; | |
64 | }; | |
65 | ||
66 | #define FSTR_INIT(n, l) { .name = n, .len = l } | |
67 | #define FSTR_TO_QSTR(f) QSTR_INIT((f)->name, (f)->len) | |
68 | #define fname_name(p) ((p)->disk_name.name) | |
69 | #define fname_len(p) ((p)->disk_name.len) | |
70 | ||
71 | /* | |
72 | * fscrypt superblock flags | |
73 | */ | |
74 | #define FS_CFLG_OWN_PAGES (1U << 1) | |
75 | ||
76 | /* | |
77 | * crypto opertions for filesystems | |
78 | */ | |
79 | struct fscrypt_operations { | |
80 | unsigned int flags; | |
81 | const char *key_prefix; | |
82 | int (*get_context)(struct inode *, void *, size_t); | |
46f47e48 | 83 | int (*set_context)(struct inode *, const void *, size_t, void *); |
c250b7dd | 84 | bool (*dummy_context)(struct inode *); |
46f47e48 EB |
85 | bool (*empty_dir)(struct inode *); |
86 | unsigned (*max_namelen)(struct inode *); | |
87 | }; | |
88 | ||
af65207c TE |
89 | /* Maximum value for the third parameter of fscrypt_operations.set_context(). */ |
90 | #define FSCRYPT_SET_CONTEXT_MAX_SIZE 28 | |
91 | ||
46f47e48 EB |
92 | static inline bool fscrypt_dummy_context_enabled(struct inode *inode) |
93 | { | |
94 | if (inode->i_sb->s_cop->dummy_context && | |
95 | inode->i_sb->s_cop->dummy_context(inode)) | |
96 | return true; | |
97 | return false; | |
98 | } | |
99 | ||
b7e7cf7a DW |
100 | static inline bool fscrypt_valid_enc_modes(u32 contents_mode, |
101 | u32 filenames_mode) | |
46f47e48 | 102 | { |
b7e7cf7a DW |
103 | if (contents_mode == FS_ENCRYPTION_MODE_AES_128_CBC && |
104 | filenames_mode == FS_ENCRYPTION_MODE_AES_128_CTS) | |
105 | return true; | |
46f47e48 | 106 | |
b7e7cf7a DW |
107 | if (contents_mode == FS_ENCRYPTION_MODE_AES_256_XTS && |
108 | filenames_mode == FS_ENCRYPTION_MODE_AES_256_CTS) | |
109 | return true; | |
110 | ||
111 | return false; | |
46f47e48 EB |
112 | } |
113 | ||
114 | static inline bool fscrypt_is_dot_dotdot(const struct qstr *str) | |
115 | { | |
116 | if (str->len == 1 && str->name[0] == '.') | |
117 | return true; | |
118 | ||
119 | if (str->len == 2 && str->name[0] == '.' && str->name[1] == '.') | |
120 | return true; | |
121 | ||
122 | return false; | |
123 | } | |
124 | ||
734f0d24 DC |
125 | #if __FS_HAS_ENCRYPTION |
126 | ||
46f47e48 EB |
127 | static inline struct page *fscrypt_control_page(struct page *page) |
128 | { | |
46f47e48 | 129 | return ((struct fscrypt_ctx *)page_private(page))->w.control_page; |
734f0d24 DC |
130 | } |
131 | ||
132 | static inline bool fscrypt_has_encryption_key(const struct inode *inode) | |
133 | { | |
134 | return (inode->i_crypt_info != NULL); | |
135 | } | |
136 | ||
137 | #include <linux/fscrypt_supp.h> | |
138 | ||
139 | #else /* !__FS_HAS_ENCRYPTION */ | |
140 | ||
141 | static inline struct page *fscrypt_control_page(struct page *page) | |
142 | { | |
46f47e48 EB |
143 | WARN_ON_ONCE(1); |
144 | return ERR_PTR(-EINVAL); | |
46f47e48 EB |
145 | } |
146 | ||
734f0d24 | 147 | static inline bool fscrypt_has_encryption_key(const struct inode *inode) |
46f47e48 | 148 | { |
46f47e48 | 149 | return 0; |
46f47e48 EB |
150 | } |
151 | ||
734f0d24 DC |
152 | #include <linux/fscrypt_notsupp.h> |
153 | #endif /* __FS_HAS_ENCRYPTION */ | |
154 | ||
d293c3e4 EB |
155 | /** |
156 | * fscrypt_require_key - require an inode's encryption key | |
157 | * @inode: the inode we need the key for | |
158 | * | |
159 | * If the inode is encrypted, set up its encryption key if not already done. | |
160 | * Then require that the key be present and return -ENOKEY otherwise. | |
161 | * | |
162 | * No locks are needed, and the key will live as long as the struct inode --- so | |
163 | * it won't go away from under you. | |
164 | * | |
165 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code | |
166 | * if a problem occurred while setting up the encryption key. | |
167 | */ | |
168 | static inline int fscrypt_require_key(struct inode *inode) | |
169 | { | |
170 | if (IS_ENCRYPTED(inode)) { | |
171 | int err = fscrypt_get_encryption_info(inode); | |
172 | ||
173 | if (err) | |
174 | return err; | |
175 | if (!fscrypt_has_encryption_key(inode)) | |
176 | return -ENOKEY; | |
177 | } | |
178 | return 0; | |
179 | } | |
734f0d24 | 180 | |
0ea87a96 EB |
181 | /** |
182 | * fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory | |
183 | * @old_dentry: an existing dentry for the inode being linked | |
184 | * @dir: the target directory | |
185 | * @dentry: negative dentry for the target filename | |
186 | * | |
187 | * A new link can only be added to an encrypted directory if the directory's | |
188 | * encryption key is available --- since otherwise we'd have no way to encrypt | |
189 | * the filename. Therefore, we first set up the directory's encryption key (if | |
190 | * not already done) and return an error if it's unavailable. | |
191 | * | |
192 | * We also verify that the link will not violate the constraint that all files | |
193 | * in an encrypted directory tree use the same encryption policy. | |
194 | * | |
195 | * Return: 0 on success, -ENOKEY if the directory's encryption key is missing, | |
196 | * -EPERM if the link would result in an inconsistent encryption policy, or | |
197 | * another -errno code. | |
198 | */ | |
199 | static inline int fscrypt_prepare_link(struct dentry *old_dentry, | |
200 | struct inode *dir, | |
201 | struct dentry *dentry) | |
202 | { | |
203 | if (IS_ENCRYPTED(dir)) | |
204 | return __fscrypt_prepare_link(d_inode(old_dentry), dir); | |
205 | return 0; | |
206 | } | |
207 | ||
94b26f36 EB |
208 | /** |
209 | * fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories | |
210 | * @old_dir: source directory | |
211 | * @old_dentry: dentry for source file | |
212 | * @new_dir: target directory | |
213 | * @new_dentry: dentry for target location (may be negative unless exchanging) | |
214 | * @flags: rename flags (we care at least about %RENAME_EXCHANGE) | |
215 | * | |
216 | * Prepare for ->rename() where the source and/or target directories may be | |
217 | * encrypted. A new link can only be added to an encrypted directory if the | |
218 | * directory's encryption key is available --- since otherwise we'd have no way | |
219 | * to encrypt the filename. A rename to an existing name, on the other hand, | |
220 | * *is* cryptographically possible without the key. However, we take the more | |
221 | * conservative approach and just forbid all no-key renames. | |
222 | * | |
223 | * We also verify that the rename will not violate the constraint that all files | |
224 | * in an encrypted directory tree use the same encryption policy. | |
225 | * | |
226 | * Return: 0 on success, -ENOKEY if an encryption key is missing, -EPERM if the | |
227 | * rename would cause inconsistent encryption policies, or another -errno code. | |
228 | */ | |
229 | static inline int fscrypt_prepare_rename(struct inode *old_dir, | |
230 | struct dentry *old_dentry, | |
231 | struct inode *new_dir, | |
232 | struct dentry *new_dentry, | |
233 | unsigned int flags) | |
234 | { | |
235 | if (IS_ENCRYPTED(old_dir) || IS_ENCRYPTED(new_dir)) | |
236 | return __fscrypt_prepare_rename(old_dir, old_dentry, | |
237 | new_dir, new_dentry, flags); | |
238 | return 0; | |
239 | } | |
240 | ||
32c3cf02 EB |
241 | /** |
242 | * fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory | |
243 | * @dir: directory being searched | |
244 | * @dentry: filename being looked up | |
245 | * @flags: lookup flags | |
246 | * | |
247 | * Prepare for ->lookup() in a directory which may be encrypted. Lookups can be | |
248 | * done with or without the directory's encryption key; without the key, | |
249 | * filenames are presented in encrypted form. Therefore, we'll try to set up | |
250 | * the directory's encryption key, but even without it the lookup can continue. | |
251 | * | |
252 | * To allow invalidating stale dentries if the directory's encryption key is | |
253 | * added later, we also install a custom ->d_revalidate() method and use the | |
254 | * DCACHE_ENCRYPTED_WITH_KEY flag to indicate whether a given dentry is a | |
255 | * plaintext name (flag set) or a ciphertext name (flag cleared). | |
256 | * | |
257 | * Return: 0 on success, -errno if a problem occurred while setting up the | |
258 | * encryption key | |
259 | */ | |
260 | static inline int fscrypt_prepare_lookup(struct inode *dir, | |
261 | struct dentry *dentry, | |
262 | unsigned int flags) | |
263 | { | |
264 | if (IS_ENCRYPTED(dir)) | |
265 | return __fscrypt_prepare_lookup(dir, dentry); | |
266 | return 0; | |
267 | } | |
268 | ||
815dac33 EB |
269 | /** |
270 | * fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes | |
271 | * @dentry: dentry through which the inode is being changed | |
272 | * @attr: attributes to change | |
273 | * | |
274 | * Prepare for ->setattr() on a possibly-encrypted inode. On an encrypted file, | |
275 | * most attribute changes are allowed even without the encryption key. However, | |
276 | * without the encryption key we do have to forbid truncates. This is needed | |
277 | * because the size being truncated to may not be a multiple of the filesystem | |
278 | * block size, and in that case we'd have to decrypt the final block, zero the | |
279 | * portion past i_size, and re-encrypt it. (We *could* allow truncating to a | |
280 | * filesystem block boundary, but it's simpler to just forbid all truncates --- | |
281 | * and we already forbid all other contents modifications without the key.) | |
282 | * | |
283 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code | |
284 | * if a problem occurred while setting up the encryption key. | |
285 | */ | |
286 | static inline int fscrypt_prepare_setattr(struct dentry *dentry, | |
287 | struct iattr *attr) | |
288 | { | |
289 | if (attr->ia_valid & ATTR_SIZE) | |
290 | return fscrypt_require_key(d_inode(dentry)); | |
291 | return 0; | |
292 | } | |
293 | ||
734f0d24 | 294 | #endif /* _LINUX_FSCRYPT_H */ |