include/linux/fscrypt.h

   1 /* SPDX-License-Identifier: GPL-2.0 */
   2 /*
   3  * fscrypt.h: declarations for per-file encryption
   4  *
   5  * Filesystems that implement per-file encryption include this header
   6  * file with the __FS_HAS_ENCRYPTION set according to whether that filesystem
   7  * is being built with encryption support or not.
   8  *
   9  * Copyright (C) 2015, Google, Inc.
  10  *
  11  * Written by Michael Halcrow, 2015.
  12  * Modified by Jaegeuk Kim, 2015.
  13  */
  14 #ifndef _LINUX_FSCRYPT_H
  15 #define _LINUX_FSCRYPT_H
  16
  17 #include <linux/key.h>
  18 #include <linux/fs.h>
  19 #include <linux/mm.h>
  20 #include <linux/bio.h>
  21 #include <linux/dcache.h>
  22 #include <crypto/skcipher.h>
  23 #include <uapi/linux/fs.h>
  24
  25 #define FS_CRYPTO_BLOCK_SIZE            16
  26
  27 struct fscrypt_info;
  28
  29 struct fscrypt_ctx {
  30         union {
  31                 struct {
  32                         struct page *bounce_page;       /* Ciphertext page */
  33                         struct page *control_page;      /* Original page  */
  34                 } w;
  35                 struct {
  36                         struct bio *bio;
  37                         struct work_struct work;
  38                 } r;
  39                 struct list_head free_list;     /* Free list */
  40         };
  41         u8 flags;                               /* Flags */
  42 };
  43
  44 /**
  45  * For encrypted symlinks, the ciphertext length is stored at the beginning
  46  * of the string in little-endian format.
  47  */
  48 struct fscrypt_symlink_data {
  49         __le16 len;
  50         char encrypted_path[1];
  51 } __packed;
  52
  53 struct fscrypt_str {
  54         unsigned char *name;
  55         u32 len;
  56 };
  57
  58 struct fscrypt_name {
  59         const struct qstr *usr_fname;
  60         struct fscrypt_str disk_name;
  61         u32 hash;
  62         u32 minor_hash;
  63         struct fscrypt_str crypto_buf;
  64 };
  65
  66 #define FSTR_INIT(n, l)         { .name = n, .len = l }
  67 #define FSTR_TO_QSTR(f)         QSTR_INIT((f)->name, (f)->len)
  68 #define fname_name(p)           ((p)->disk_name.name)
  69 #define fname_len(p)            ((p)->disk_name.len)
  70
  71 /*
  72  * fscrypt superblock flags
  73  */
  74 #define FS_CFLG_OWN_PAGES (1U << 1)
  75
  76 /*
  77  * crypto opertions for filesystems
  78  */
  79 struct fscrypt_operations {
  80         unsigned int flags;
  81         const char *key_prefix;
  82         int (*get_context)(struct inode *, void *, size_t);
  83         int (*set_context)(struct inode *, const void *, size_t, void *);
  84         bool (*dummy_context)(struct inode *);
  85         bool (*empty_dir)(struct inode *);
  86         unsigned (*max_namelen)(struct inode *);
  87 };
  88
  89 /* Maximum value for the third parameter of fscrypt_operations.set_context(). */
  90 #define FSCRYPT_SET_CONTEXT_MAX_SIZE    28
  91
  92 static inline bool fscrypt_dummy_context_enabled(struct inode *inode)
  93 {
  94         if (inode->i_sb->s_cop->dummy_context &&
  95                                 inode->i_sb->s_cop->dummy_context(inode))
  96                 return true;
  97         return false;
  98 }
  99
 100 static inline bool fscrypt_valid_enc_modes(u32 contents_mode,
 101                                         u32 filenames_mode)
 102 {
 103         if (contents_mode == FS_ENCRYPTION_MODE_AES_128_CBC &&
 104             filenames_mode == FS_ENCRYPTION_MODE_AES_128_CTS)
 105                 return true;
 106
 107         if (contents_mode == FS_ENCRYPTION_MODE_AES_256_XTS &&
 108             filenames_mode == FS_ENCRYPTION_MODE_AES_256_CTS)
 109                 return true;
 110
 111         return false;
 112 }
 113
 114 static inline bool fscrypt_is_dot_dotdot(const struct qstr *str)
 115 {
 116         if (str->len == 1 && str->name[0] == '.')
 117                 return true;
 118
 119         if (str->len == 2 && str->name[0] == '.' && str->name[1] == '.')
 120                 return true;
 121
 122         return false;
 123 }
 124
 125 #if __FS_HAS_ENCRYPTION
 126
 127 static inline struct page *fscrypt_control_page(struct page *page)
 128 {
 129         return ((struct fscrypt_ctx *)page_private(page))->w.control_page;
 130 }
 131
 132 static inline bool fscrypt_has_encryption_key(const struct inode *inode)
 133 {
 134         return (inode->i_crypt_info != NULL);
 135 }
 136
 137 #include <linux/fscrypt_supp.h>
 138
 139 #else /* !__FS_HAS_ENCRYPTION */
 140
 141 static inline struct page *fscrypt_control_page(struct page *page)
 142 {
 143         WARN_ON_ONCE(1);
 144         return ERR_PTR(-EINVAL);
 145 }
 146
 147 static inline bool fscrypt_has_encryption_key(const struct inode *inode)
 148 {
 149         return 0;
 150 }
 151
 152 #include <linux/fscrypt_notsupp.h>
 153 #endif /* __FS_HAS_ENCRYPTION */
 154
 155 /**
 156  * fscrypt_require_key - require an inode's encryption key
 157  * @inode: the inode we need the key for
 158  *
 159  * If the inode is encrypted, set up its encryption key if not already done.
 160  * Then require that the key be present and return -ENOKEY otherwise.
 161  *
 162  * No locks are needed, and the key will live as long as the struct inode --- so
 163  * it won't go away from under you.
 164  *
 165  * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
 166  * if a problem occurred while setting up the encryption key.
 167  */
 168 static inline int fscrypt_require_key(struct inode *inode)
 169 {
 170         if (IS_ENCRYPTED(inode)) {
 171                 int err = fscrypt_get_encryption_info(inode);
 172
 173                 if (err)
 174                         return err;
 175                 if (!fscrypt_has_encryption_key(inode))
 176                         return -ENOKEY;
 177         }
 178         return 0;
 179 }
 180
 181 /**
 182  * fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory
 183  * @old_dentry: an existing dentry for the inode being linked
 184  * @dir: the target directory
 185  * @dentry: negative dentry for the target filename
 186  *
 187  * A new link can only be added to an encrypted directory if the directory's
 188  * encryption key is available --- since otherwise we'd have no way to encrypt
 189  * the filename.  Therefore, we first set up the directory's encryption key (if
 190  * not already done) and return an error if it's unavailable.
 191  *
 192  * We also verify that the link will not violate the constraint that all files
 193  * in an encrypted directory tree use the same encryption policy.
 194  *
 195  * Return: 0 on success, -ENOKEY if the directory's encryption key is missing,
 196  * -EPERM if the link would result in an inconsistent encryption policy, or
 197  * another -errno code.
 198  */
 199 static inline int fscrypt_prepare_link(struct dentry *old_dentry,
 200                                        struct inode *dir,
 201                                        struct dentry *dentry)
 202 {
 203         if (IS_ENCRYPTED(dir))
 204                 return __fscrypt_prepare_link(d_inode(old_dentry), dir);
 205         return 0;
 206 }
 207
 208 /**
 209  * fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories
 210  * @old_dir: source directory
 211  * @old_dentry: dentry for source file
 212  * @new_dir: target directory
 213  * @new_dentry: dentry for target location (may be negative unless exchanging)
 214  * @flags: rename flags (we care at least about %RENAME_EXCHANGE)
 215  *
 216  * Prepare for ->rename() where the source and/or target directories may be
 217  * encrypted.  A new link can only be added to an encrypted directory if the
 218  * directory's encryption key is available --- since otherwise we'd have no way
 219  * to encrypt the filename.  A rename to an existing name, on the other hand,
 220  * *is* cryptographically possible without the key.  However, we take the more
 221  * conservative approach and just forbid all no-key renames.
 222  *
 223  * We also verify that the rename will not violate the constraint that all files
 224  * in an encrypted directory tree use the same encryption policy.
 225  *
 226  * Return: 0 on success, -ENOKEY if an encryption key is missing, -EPERM if the
 227  * rename would cause inconsistent encryption policies, or another -errno code.
 228  */
 229 static inline int fscrypt_prepare_rename(struct inode *old_dir,
 230                                          struct dentry *old_dentry,
 231                                          struct inode *new_dir,
 232                                          struct dentry *new_dentry,
 233                                          unsigned int flags)
 234 {
 235         if (IS_ENCRYPTED(old_dir) || IS_ENCRYPTED(new_dir))
 236                 return __fscrypt_prepare_rename(old_dir, old_dentry,
 237                                                 new_dir, new_dentry, flags);
 238         return 0;
 239 }
 240
 241 /**
 242  * fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory
 243  * @dir: directory being searched
 244  * @dentry: filename being looked up
 245  * @flags: lookup flags
 246  *
 247  * Prepare for ->lookup() in a directory which may be encrypted.  Lookups can be
 248  * done with or without the directory's encryption key; without the key,
 249  * filenames are presented in encrypted form.  Therefore, we'll try to set up
 250  * the directory's encryption key, but even without it the lookup can continue.
 251  *
 252  * To allow invalidating stale dentries if the directory's encryption key is
 253  * added later, we also install a custom ->d_revalidate() method and use the
 254  * DCACHE_ENCRYPTED_WITH_KEY flag to indicate whether a given dentry is a
 255  * plaintext name (flag set) or a ciphertext name (flag cleared).
 256  *
 257  * Return: 0 on success, -errno if a problem occurred while setting up the
 258  * encryption key
 259  */
 260 static inline int fscrypt_prepare_lookup(struct inode *dir,
 261                                          struct dentry *dentry,
 262                                          unsigned int flags)
 263 {
 264         if (IS_ENCRYPTED(dir))
 265                 return __fscrypt_prepare_lookup(dir, dentry);
 266         return 0;
 267 }
 268
 269 /**
 270  * fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes
 271  * @dentry: dentry through which the inode is being changed
 272  * @attr: attributes to change
 273  *
 274  * Prepare for ->setattr() on a possibly-encrypted inode.  On an encrypted file,
 275  * most attribute changes are allowed even without the encryption key.  However,
 276  * without the encryption key we do have to forbid truncates.  This is needed
 277  * because the size being truncated to may not be a multiple of the filesystem
 278  * block size, and in that case we'd have to decrypt the final block, zero the
 279  * portion past i_size, and re-encrypt it.  (We *could* allow truncating to a
 280  * filesystem block boundary, but it's simpler to just forbid all truncates ---
 281  * and we already forbid all other contents modifications without the key.)
 282  *
 283  * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
 284  * if a problem occurred while setting up the encryption key.
 285  */
 286 static inline int fscrypt_prepare_setattr(struct dentry *dentry,
 287                                           struct iattr *attr)
 288 {
 289         if (attr->ia_valid & ATTR_SIZE)
 290                 return fscrypt_require_key(d_inode(dentry));
 291         return 0;
 292 }
 293
 294 #endif  /* _LINUX_FSCRYPT_H */