1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3 * fscrypt.h: declarations for per-file encryption
4 *
5 * Filesystems that implement per-file encryption include this header
6 * file with the __FS_HAS_ENCRYPTION set according to whether that filesystem
7 * is being built with encryption support or not.
8 *
9 * Copyright (C) 2015, Google, Inc.
10 *
11 * Written by Michael Halcrow, 2015.
12 * Modified by Jaegeuk Kim, 2015.
13 */
14 #ifndef _LINUX_FSCRYPT_H
15 #define _LINUX_FSCRYPT_H
16
17 #include <linux/fs.h>
18
19 #define FS_CRYPTO_BLOCK_SIZE 16
20
21 struct fscrypt_ctx;
22 struct fscrypt_info;
23
24 struct fscrypt_str {
25 unsigned char *name;
26 u32 len;
27 };
28
29 struct fscrypt_name {
30 const struct qstr *usr_fname;
31 struct fscrypt_str disk_name;
32 u32 hash;
33 u32 minor_hash;
34 struct fscrypt_str crypto_buf;
35 bool is_ciphertext_name;
36 };
37
38 #define FSTR_INIT(n, l) { .name = n, .len = l }
39 #define FSTR_TO_QSTR(f) QSTR_INIT((f)->name, (f)->len)
40 #define fname_name(p) ((p)->disk_name.name)
41 #define fname_len(p) ((p)->disk_name.len)
42
43 /* Maximum value for the third parameter of fscrypt_operations.set_context(). */
44 #define FSCRYPT_SET_CONTEXT_MAX_SIZE 28
45
46 #if __FS_HAS_ENCRYPTION
47 #include <linux/fscrypt_supp.h>
48 #else
49 #include <linux/fscrypt_notsupp.h>
50 #endif
51
52 /**
53 * fscrypt_require_key - require an inode's encryption key
54 * @inode: the inode we need the key for
55 *
56 * If the inode is encrypted, set up its encryption key if not already done.
57 * Then require that the key be present and return -ENOKEY otherwise.
58 *
59 * No locks are needed, and the key will live as long as the struct inode --- so
60 * it won't go away from under you.
61 *
62 * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
63 * if a problem occurred while setting up the encryption key.
64 */
fscrypt_require_key(struct inode * inode)65 static inline int fscrypt_require_key(struct inode *inode)
66 {
67 if (IS_ENCRYPTED(inode)) {
68 int err = fscrypt_get_encryption_info(inode);
69
70 if (err)
71 return err;
72 if (!fscrypt_has_encryption_key(inode))
73 return -ENOKEY;
74 }
75 return 0;
76 }
77
78 /**
79 * fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory
80 * @old_dentry: an existing dentry for the inode being linked
81 * @dir: the target directory
82 * @dentry: negative dentry for the target filename
83 *
84 * A new link can only be added to an encrypted directory if the directory's
85 * encryption key is available --- since otherwise we'd have no way to encrypt
86 * the filename. Therefore, we first set up the directory's encryption key (if
87 * not already done) and return an error if it's unavailable.
88 *
89 * We also verify that the link will not violate the constraint that all files
90 * in an encrypted directory tree use the same encryption policy.
91 *
92 * Return: 0 on success, -ENOKEY if the directory's encryption key is missing,
93 * -EXDEV if the link would result in an inconsistent encryption policy, or
94 * another -errno code.
95 */
fscrypt_prepare_link(struct dentry * old_dentry,struct inode * dir,struct dentry * dentry)96 static inline int fscrypt_prepare_link(struct dentry *old_dentry,
97 struct inode *dir,
98 struct dentry *dentry)
99 {
100 if (IS_ENCRYPTED(dir))
101 return __fscrypt_prepare_link(d_inode(old_dentry), dir, dentry);
102 return 0;
103 }
104
105 /**
106 * fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories
107 * @old_dir: source directory
108 * @old_dentry: dentry for source file
109 * @new_dir: target directory
110 * @new_dentry: dentry for target location (may be negative unless exchanging)
111 * @flags: rename flags (we care at least about %RENAME_EXCHANGE)
112 *
113 * Prepare for ->rename() where the source and/or target directories may be
114 * encrypted. A new link can only be added to an encrypted directory if the
115 * directory's encryption key is available --- since otherwise we'd have no way
116 * to encrypt the filename. A rename to an existing name, on the other hand,
117 * *is* cryptographically possible without the key. However, we take the more
118 * conservative approach and just forbid all no-key renames.
119 *
120 * We also verify that the rename will not violate the constraint that all files
121 * in an encrypted directory tree use the same encryption policy.
122 *
123 * Return: 0 on success, -ENOKEY if an encryption key is missing, -EXDEV if the
124 * rename would cause inconsistent encryption policies, or another -errno code.
125 */
fscrypt_prepare_rename(struct inode * old_dir,struct dentry * old_dentry,struct inode * new_dir,struct dentry * new_dentry,unsigned int flags)126 static inline int fscrypt_prepare_rename(struct inode *old_dir,
127 struct dentry *old_dentry,
128 struct inode *new_dir,
129 struct dentry *new_dentry,
130 unsigned int flags)
131 {
132 if (IS_ENCRYPTED(old_dir) || IS_ENCRYPTED(new_dir))
133 return __fscrypt_prepare_rename(old_dir, old_dentry,
134 new_dir, new_dentry, flags);
135 return 0;
136 }
137
138 /**
139 * fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory
140 * @dir: directory being searched
141 * @dentry: filename being looked up
142 * @fname: (output) the name to use to search the on-disk directory
143 *
144 * Prepare for ->lookup() in a directory which may be encrypted by determining
145 * the name that will actually be used to search the directory on-disk. Lookups
146 * can be done with or without the directory's encryption key; without the key,
147 * filenames are presented in encrypted form. Therefore, we'll try to set up
148 * the directory's encryption key, but even without it the lookup can continue.
149 *
150 * This also installs a custom ->d_revalidate() method which will invalidate the
151 * dentry if it was created without the key and the key is later added.
152 *
153 * Return: 0 on success; -ENOENT if key is unavailable but the filename isn't a
154 * correctly formed encoded ciphertext name, so a negative dentry should be
155 * created; or another -errno code.
156 */
fscrypt_prepare_lookup(struct inode * dir,struct dentry * dentry,struct fscrypt_name * fname)157 static inline int fscrypt_prepare_lookup(struct inode *dir,
158 struct dentry *dentry,
159 struct fscrypt_name *fname)
160 {
161 if (IS_ENCRYPTED(dir))
162 return __fscrypt_prepare_lookup(dir, dentry, fname);
163
164 memset(fname, 0, sizeof(*fname));
165 fname->usr_fname = &dentry->d_name;
166 fname->disk_name.name = (unsigned char *)dentry->d_name.name;
167 fname->disk_name.len = dentry->d_name.len;
168 return 0;
169 }
170
171 /**
172 * fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes
173 * @dentry: dentry through which the inode is being changed
174 * @attr: attributes to change
175 *
176 * Prepare for ->setattr() on a possibly-encrypted inode. On an encrypted file,
177 * most attribute changes are allowed even without the encryption key. However,
178 * without the encryption key we do have to forbid truncates. This is needed
179 * because the size being truncated to may not be a multiple of the filesystem
180 * block size, and in that case we'd have to decrypt the final block, zero the
181 * portion past i_size, and re-encrypt it. (We *could* allow truncating to a
182 * filesystem block boundary, but it's simpler to just forbid all truncates ---
183 * and we already forbid all other contents modifications without the key.)
184 *
185 * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
186 * if a problem occurred while setting up the encryption key.
187 */
fscrypt_prepare_setattr(struct dentry * dentry,struct iattr * attr)188 static inline int fscrypt_prepare_setattr(struct dentry *dentry,
189 struct iattr *attr)
190 {
191 if (attr->ia_valid & ATTR_SIZE)
192 return fscrypt_require_key(d_inode(dentry));
193 return 0;
194 }
195
196 /**
197 * fscrypt_prepare_symlink - prepare to create a possibly-encrypted symlink
198 * @dir: directory in which the symlink is being created
199 * @target: plaintext symlink target
200 * @len: length of @target excluding null terminator
201 * @max_len: space the filesystem has available to store the symlink target
202 * @disk_link: (out) the on-disk symlink target being prepared
203 *
204 * This function computes the size the symlink target will require on-disk,
205 * stores it in @disk_link->len, and validates it against @max_len. An
206 * encrypted symlink may be longer than the original.
207 *
208 * Additionally, @disk_link->name is set to @target if the symlink will be
209 * unencrypted, but left NULL if the symlink will be encrypted. For encrypted
210 * symlinks, the filesystem must call fscrypt_encrypt_symlink() to create the
211 * on-disk target later. (The reason for the two-step process is that some
212 * filesystems need to know the size of the symlink target before creating the
213 * inode, e.g. to determine whether it will be a "fast" or "slow" symlink.)
214 *
215 * Return: 0 on success, -ENAMETOOLONG if the symlink target is too long,
216 * -ENOKEY if the encryption key is missing, or another -errno code if a problem
217 * occurred while setting up the encryption key.
218 */
fscrypt_prepare_symlink(struct inode * dir,const char * target,unsigned int len,unsigned int max_len,struct fscrypt_str * disk_link)219 static inline int fscrypt_prepare_symlink(struct inode *dir,
220 const char *target,
221 unsigned int len,
222 unsigned int max_len,
223 struct fscrypt_str *disk_link)
224 {
225 if (IS_ENCRYPTED(dir) || fscrypt_dummy_context_enabled(dir))
226 return __fscrypt_prepare_symlink(dir, len, max_len, disk_link);
227
228 disk_link->name = (unsigned char *)target;
229 disk_link->len = len + 1;
230 if (disk_link->len > max_len)
231 return -ENAMETOOLONG;
232 return 0;
233 }
234
235 /**
236 * fscrypt_encrypt_symlink - encrypt the symlink target if needed
237 * @inode: symlink inode
238 * @target: plaintext symlink target
239 * @len: length of @target excluding null terminator
240 * @disk_link: (in/out) the on-disk symlink target being prepared
241 *
242 * If the symlink target needs to be encrypted, then this function encrypts it
243 * into @disk_link->name. fscrypt_prepare_symlink() must have been called
244 * previously to compute @disk_link->len. If the filesystem did not allocate a
245 * buffer for @disk_link->name after calling fscrypt_prepare_link(), then one
246 * will be kmalloc()'ed and the filesystem will be responsible for freeing it.
247 *
248 * Return: 0 on success, -errno on failure
249 */
fscrypt_encrypt_symlink(struct inode * inode,const char * target,unsigned int len,struct fscrypt_str * disk_link)250 static inline int fscrypt_encrypt_symlink(struct inode *inode,
251 const char *target,
252 unsigned int len,
253 struct fscrypt_str *disk_link)
254 {
255 if (IS_ENCRYPTED(inode))
256 return __fscrypt_encrypt_symlink(inode, target, len, disk_link);
257 return 0;
258 }
259
260 #endif /* _LINUX_FSCRYPT_H */
261