Commit | Line | Data |
---|---|---|
22d94f49 EB |
1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* | |
3 | * Filesystem-level keyring for fscrypt | |
4 | * | |
5 | * Copyright 2019 Google LLC | |
6 | */ | |
7 | ||
8 | /* | |
9 | * This file implements management of fscrypt master keys in the | |
10 | * filesystem-level keyring, including the ioctls: | |
11 | * | |
12 | * - FS_IOC_ADD_ENCRYPTION_KEY | |
b1c0ec35 | 13 | * - FS_IOC_REMOVE_ENCRYPTION_KEY |
78a1b96b | 14 | * - FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS |
5a7e2992 | 15 | * - FS_IOC_GET_ENCRYPTION_KEY_STATUS |
22d94f49 EB |
16 | * |
17 | * See the "User API" section of Documentation/filesystems/fscrypt.rst for more | |
18 | * information about these ioctls. | |
19 | */ | |
20 | ||
5dae460c | 21 | #include <crypto/skcipher.h> |
22d94f49 EB |
22 | #include <linux/key-type.h> |
23 | #include <linux/seq_file.h> | |
24 | ||
25 | #include "fscrypt_private.h" | |
26 | ||
27 | static void wipe_master_key_secret(struct fscrypt_master_key_secret *secret) | |
28 | { | |
5dae460c | 29 | fscrypt_destroy_hkdf(&secret->hkdf); |
22d94f49 EB |
30 | memzero_explicit(secret, sizeof(*secret)); |
31 | } | |
32 | ||
33 | static void move_master_key_secret(struct fscrypt_master_key_secret *dst, | |
34 | struct fscrypt_master_key_secret *src) | |
35 | { | |
36 | memcpy(dst, src, sizeof(*dst)); | |
37 | memzero_explicit(src, sizeof(*src)); | |
38 | } | |
39 | ||
40 | static void free_master_key(struct fscrypt_master_key *mk) | |
41 | { | |
5dae460c EB |
42 | size_t i; |
43 | ||
22d94f49 | 44 | wipe_master_key_secret(&mk->mk_secret); |
5dae460c EB |
45 | |
46 | for (i = 0; i < ARRAY_SIZE(mk->mk_mode_keys); i++) | |
47 | crypto_free_skcipher(mk->mk_mode_keys[i]); | |
48 | ||
23c688b5 | 49 | key_put(mk->mk_users); |
22d94f49 EB |
50 | kzfree(mk); |
51 | } | |
52 | ||
53 | static inline bool valid_key_spec(const struct fscrypt_key_specifier *spec) | |
54 | { | |
55 | if (spec->__reserved) | |
56 | return false; | |
57 | return master_key_spec_len(spec) != 0; | |
58 | } | |
59 | ||
60 | static int fscrypt_key_instantiate(struct key *key, | |
61 | struct key_preparsed_payload *prep) | |
62 | { | |
63 | key->payload.data[0] = (struct fscrypt_master_key *)prep->data; | |
64 | return 0; | |
65 | } | |
66 | ||
67 | static void fscrypt_key_destroy(struct key *key) | |
68 | { | |
69 | free_master_key(key->payload.data[0]); | |
70 | } | |
71 | ||
72 | static void fscrypt_key_describe(const struct key *key, struct seq_file *m) | |
73 | { | |
74 | seq_puts(m, key->description); | |
b1c0ec35 EB |
75 | |
76 | if (key_is_positive(key)) { | |
77 | const struct fscrypt_master_key *mk = key->payload.data[0]; | |
78 | ||
79 | if (!is_master_key_secret_present(&mk->mk_secret)) | |
80 | seq_puts(m, ": secret removed"); | |
81 | } | |
22d94f49 EB |
82 | } |
83 | ||
84 | /* | |
85 | * Type of key in ->s_master_keys. Each key of this type represents a master | |
86 | * key which has been added to the filesystem. Its payload is a | |
87 | * 'struct fscrypt_master_key'. The "." prefix in the key type name prevents | |
88 | * users from adding keys of this type via the keyrings syscalls rather than via | |
89 | * the intended method of FS_IOC_ADD_ENCRYPTION_KEY. | |
90 | */ | |
91 | static struct key_type key_type_fscrypt = { | |
92 | .name = "._fscrypt", | |
93 | .instantiate = fscrypt_key_instantiate, | |
94 | .destroy = fscrypt_key_destroy, | |
95 | .describe = fscrypt_key_describe, | |
96 | }; | |
97 | ||
23c688b5 EB |
98 | static int fscrypt_user_key_instantiate(struct key *key, |
99 | struct key_preparsed_payload *prep) | |
100 | { | |
101 | /* | |
102 | * We just charge FSCRYPT_MAX_KEY_SIZE bytes to the user's key quota for | |
103 | * each key, regardless of the exact key size. The amount of memory | |
104 | * actually used is greater than the size of the raw key anyway. | |
105 | */ | |
106 | return key_payload_reserve(key, FSCRYPT_MAX_KEY_SIZE); | |
107 | } | |
108 | ||
109 | static void fscrypt_user_key_describe(const struct key *key, struct seq_file *m) | |
110 | { | |
111 | seq_puts(m, key->description); | |
112 | } | |
113 | ||
114 | /* | |
115 | * Type of key in ->mk_users. Each key of this type represents a particular | |
116 | * user who has added a particular master key. | |
117 | * | |
118 | * Note that the name of this key type really should be something like | |
119 | * ".fscrypt-user" instead of simply ".fscrypt". But the shorter name is chosen | |
120 | * mainly for simplicity of presentation in /proc/keys when read by a non-root | |
121 | * user. And it is expected to be rare that a key is actually added by multiple | |
122 | * users, since users should keep their encryption keys confidential. | |
123 | */ | |
124 | static struct key_type key_type_fscrypt_user = { | |
125 | .name = ".fscrypt", | |
126 | .instantiate = fscrypt_user_key_instantiate, | |
127 | .describe = fscrypt_user_key_describe, | |
128 | }; | |
129 | ||
130 | /* Search ->s_master_keys or ->mk_users */ | |
22d94f49 EB |
131 | static struct key *search_fscrypt_keyring(struct key *keyring, |
132 | struct key_type *type, | |
133 | const char *description) | |
134 | { | |
135 | /* | |
136 | * We need to mark the keyring reference as "possessed" so that we | |
137 | * acquire permission to search it, via the KEY_POS_SEARCH permission. | |
138 | */ | |
139 | key_ref_t keyref = make_key_ref(keyring, true /* possessed */); | |
140 | ||
141 | keyref = keyring_search(keyref, type, description, false); | |
142 | if (IS_ERR(keyref)) { | |
143 | if (PTR_ERR(keyref) == -EAGAIN || /* not found */ | |
144 | PTR_ERR(keyref) == -EKEYREVOKED) /* recently invalidated */ | |
145 | keyref = ERR_PTR(-ENOKEY); | |
146 | return ERR_CAST(keyref); | |
147 | } | |
148 | return key_ref_to_ptr(keyref); | |
149 | } | |
150 | ||
151 | #define FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE \ | |
152 | (CONST_STRLEN("fscrypt-") + FIELD_SIZEOF(struct super_block, s_id)) | |
153 | ||
5dae460c | 154 | #define FSCRYPT_MK_DESCRIPTION_SIZE (2 * FSCRYPT_KEY_IDENTIFIER_SIZE + 1) |
22d94f49 | 155 | |
23c688b5 EB |
156 | #define FSCRYPT_MK_USERS_DESCRIPTION_SIZE \ |
157 | (CONST_STRLEN("fscrypt-") + 2 * FSCRYPT_KEY_IDENTIFIER_SIZE + \ | |
158 | CONST_STRLEN("-users") + 1) | |
159 | ||
160 | #define FSCRYPT_MK_USER_DESCRIPTION_SIZE \ | |
161 | (2 * FSCRYPT_KEY_IDENTIFIER_SIZE + CONST_STRLEN(".uid.") + 10 + 1) | |
162 | ||
22d94f49 EB |
163 | static void format_fs_keyring_description( |
164 | char description[FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE], | |
165 | const struct super_block *sb) | |
166 | { | |
167 | sprintf(description, "fscrypt-%s", sb->s_id); | |
168 | } | |
169 | ||
170 | static void format_mk_description( | |
171 | char description[FSCRYPT_MK_DESCRIPTION_SIZE], | |
172 | const struct fscrypt_key_specifier *mk_spec) | |
173 | { | |
174 | sprintf(description, "%*phN", | |
175 | master_key_spec_len(mk_spec), (u8 *)&mk_spec->u); | |
176 | } | |
177 | ||
23c688b5 EB |
178 | static void format_mk_users_keyring_description( |
179 | char description[FSCRYPT_MK_USERS_DESCRIPTION_SIZE], | |
180 | const u8 mk_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]) | |
181 | { | |
182 | sprintf(description, "fscrypt-%*phN-users", | |
183 | FSCRYPT_KEY_IDENTIFIER_SIZE, mk_identifier); | |
184 | } | |
185 | ||
186 | static void format_mk_user_description( | |
187 | char description[FSCRYPT_MK_USER_DESCRIPTION_SIZE], | |
188 | const u8 mk_identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]) | |
189 | { | |
190 | ||
191 | sprintf(description, "%*phN.uid.%u", FSCRYPT_KEY_IDENTIFIER_SIZE, | |
192 | mk_identifier, __kuid_val(current_fsuid())); | |
193 | } | |
194 | ||
22d94f49 EB |
195 | /* Create ->s_master_keys if needed. Synchronized by fscrypt_add_key_mutex. */ |
196 | static int allocate_filesystem_keyring(struct super_block *sb) | |
197 | { | |
198 | char description[FSCRYPT_FS_KEYRING_DESCRIPTION_SIZE]; | |
199 | struct key *keyring; | |
200 | ||
201 | if (sb->s_master_keys) | |
202 | return 0; | |
203 | ||
204 | format_fs_keyring_description(description, sb); | |
205 | keyring = keyring_alloc(description, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, | |
206 | current_cred(), KEY_POS_SEARCH | | |
207 | KEY_USR_SEARCH | KEY_USR_READ | KEY_USR_VIEW, | |
208 | KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); | |
209 | if (IS_ERR(keyring)) | |
210 | return PTR_ERR(keyring); | |
211 | ||
212 | /* Pairs with READ_ONCE() in fscrypt_find_master_key() */ | |
213 | smp_store_release(&sb->s_master_keys, keyring); | |
214 | return 0; | |
215 | } | |
216 | ||
217 | void fscrypt_sb_free(struct super_block *sb) | |
218 | { | |
219 | key_put(sb->s_master_keys); | |
220 | sb->s_master_keys = NULL; | |
221 | } | |
222 | ||
223 | /* | |
224 | * Find the specified master key in ->s_master_keys. | |
225 | * Returns ERR_PTR(-ENOKEY) if not found. | |
226 | */ | |
227 | struct key *fscrypt_find_master_key(struct super_block *sb, | |
228 | const struct fscrypt_key_specifier *mk_spec) | |
229 | { | |
230 | struct key *keyring; | |
231 | char description[FSCRYPT_MK_DESCRIPTION_SIZE]; | |
232 | ||
233 | /* pairs with smp_store_release() in allocate_filesystem_keyring() */ | |
234 | keyring = READ_ONCE(sb->s_master_keys); | |
235 | if (keyring == NULL) | |
236 | return ERR_PTR(-ENOKEY); /* No keyring yet, so no keys yet. */ | |
237 | ||
238 | format_mk_description(description, mk_spec); | |
239 | return search_fscrypt_keyring(keyring, &key_type_fscrypt, description); | |
240 | } | |
241 | ||
23c688b5 EB |
242 | static int allocate_master_key_users_keyring(struct fscrypt_master_key *mk) |
243 | { | |
244 | char description[FSCRYPT_MK_USERS_DESCRIPTION_SIZE]; | |
245 | struct key *keyring; | |
246 | ||
247 | format_mk_users_keyring_description(description, | |
248 | mk->mk_spec.u.identifier); | |
249 | keyring = keyring_alloc(description, GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, | |
250 | current_cred(), KEY_POS_SEARCH | | |
251 | KEY_USR_SEARCH | KEY_USR_READ | KEY_USR_VIEW, | |
252 | KEY_ALLOC_NOT_IN_QUOTA, NULL, NULL); | |
253 | if (IS_ERR(keyring)) | |
254 | return PTR_ERR(keyring); | |
255 | ||
256 | mk->mk_users = keyring; | |
257 | return 0; | |
258 | } | |
259 | ||
260 | /* | |
261 | * Find the current user's "key" in the master key's ->mk_users. | |
262 | * Returns ERR_PTR(-ENOKEY) if not found. | |
263 | */ | |
264 | static struct key *find_master_key_user(struct fscrypt_master_key *mk) | |
265 | { | |
266 | char description[FSCRYPT_MK_USER_DESCRIPTION_SIZE]; | |
267 | ||
268 | format_mk_user_description(description, mk->mk_spec.u.identifier); | |
269 | return search_fscrypt_keyring(mk->mk_users, &key_type_fscrypt_user, | |
270 | description); | |
271 | } | |
272 | ||
273 | /* | |
274 | * Give the current user a "key" in ->mk_users. This charges the user's quota | |
275 | * and marks the master key as added by the current user, so that it cannot be | |
276 | * removed by another user with the key. Either the master key's key->sem must | |
277 | * be held for write, or the master key must be still undergoing initialization. | |
278 | */ | |
279 | static int add_master_key_user(struct fscrypt_master_key *mk) | |
280 | { | |
281 | char description[FSCRYPT_MK_USER_DESCRIPTION_SIZE]; | |
282 | struct key *mk_user; | |
283 | int err; | |
284 | ||
285 | format_mk_user_description(description, mk->mk_spec.u.identifier); | |
286 | mk_user = key_alloc(&key_type_fscrypt_user, description, | |
287 | current_fsuid(), current_gid(), current_cred(), | |
288 | KEY_POS_SEARCH | KEY_USR_VIEW, 0, NULL); | |
289 | if (IS_ERR(mk_user)) | |
290 | return PTR_ERR(mk_user); | |
291 | ||
292 | err = key_instantiate_and_link(mk_user, NULL, 0, mk->mk_users, NULL); | |
293 | key_put(mk_user); | |
294 | return err; | |
295 | } | |
296 | ||
297 | /* | |
298 | * Remove the current user's "key" from ->mk_users. | |
299 | * The master key's key->sem must be held for write. | |
300 | * | |
301 | * Returns 0 if removed, -ENOKEY if not found, or another -errno code. | |
302 | */ | |
303 | static int remove_master_key_user(struct fscrypt_master_key *mk) | |
304 | { | |
305 | struct key *mk_user; | |
306 | int err; | |
307 | ||
308 | mk_user = find_master_key_user(mk); | |
309 | if (IS_ERR(mk_user)) | |
310 | return PTR_ERR(mk_user); | |
311 | err = key_unlink(mk->mk_users, mk_user); | |
312 | key_put(mk_user); | |
313 | return err; | |
314 | } | |
315 | ||
22d94f49 EB |
316 | /* |
317 | * Allocate a new fscrypt_master_key which contains the given secret, set it as | |
318 | * the payload of a new 'struct key' of type fscrypt, and link the 'struct key' | |
319 | * into the given keyring. Synchronized by fscrypt_add_key_mutex. | |
320 | */ | |
321 | static int add_new_master_key(struct fscrypt_master_key_secret *secret, | |
322 | const struct fscrypt_key_specifier *mk_spec, | |
323 | struct key *keyring) | |
324 | { | |
325 | struct fscrypt_master_key *mk; | |
326 | char description[FSCRYPT_MK_DESCRIPTION_SIZE]; | |
327 | struct key *key; | |
328 | int err; | |
329 | ||
330 | mk = kzalloc(sizeof(*mk), GFP_KERNEL); | |
331 | if (!mk) | |
332 | return -ENOMEM; | |
333 | ||
334 | mk->mk_spec = *mk_spec; | |
335 | ||
336 | move_master_key_secret(&mk->mk_secret, secret); | |
23c688b5 | 337 | init_rwsem(&mk->mk_secret_sem); |
22d94f49 | 338 | |
b1c0ec35 EB |
339 | refcount_set(&mk->mk_refcount, 1); /* secret is present */ |
340 | INIT_LIST_HEAD(&mk->mk_decrypted_inodes); | |
341 | spin_lock_init(&mk->mk_decrypted_inodes_lock); | |
342 | ||
23c688b5 EB |
343 | if (mk_spec->type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) { |
344 | err = allocate_master_key_users_keyring(mk); | |
345 | if (err) | |
346 | goto out_free_mk; | |
347 | err = add_master_key_user(mk); | |
348 | if (err) | |
349 | goto out_free_mk; | |
350 | } | |
351 | ||
352 | /* | |
353 | * Note that we don't charge this key to anyone's quota, since when | |
354 | * ->mk_users is in use those keys are charged instead, and otherwise | |
355 | * (when ->mk_users isn't in use) only root can add these keys. | |
356 | */ | |
22d94f49 EB |
357 | format_mk_description(description, mk_spec); |
358 | key = key_alloc(&key_type_fscrypt, description, | |
359 | GLOBAL_ROOT_UID, GLOBAL_ROOT_GID, current_cred(), | |
360 | KEY_POS_SEARCH | KEY_USR_SEARCH | KEY_USR_VIEW, | |
361 | KEY_ALLOC_NOT_IN_QUOTA, NULL); | |
362 | if (IS_ERR(key)) { | |
363 | err = PTR_ERR(key); | |
364 | goto out_free_mk; | |
365 | } | |
366 | err = key_instantiate_and_link(key, mk, sizeof(*mk), keyring, NULL); | |
367 | key_put(key); | |
368 | if (err) | |
369 | goto out_free_mk; | |
370 | ||
371 | return 0; | |
372 | ||
373 | out_free_mk: | |
374 | free_master_key(mk); | |
375 | return err; | |
376 | } | |
377 | ||
b1c0ec35 EB |
378 | #define KEY_DEAD 1 |
379 | ||
380 | static int add_existing_master_key(struct fscrypt_master_key *mk, | |
381 | struct fscrypt_master_key_secret *secret) | |
382 | { | |
23c688b5 EB |
383 | struct key *mk_user; |
384 | bool rekey; | |
385 | int err; | |
b1c0ec35 | 386 | |
23c688b5 EB |
387 | /* |
388 | * If the current user is already in ->mk_users, then there's nothing to | |
389 | * do. (Not applicable for v1 policy keys, which have NULL ->mk_users.) | |
390 | */ | |
391 | if (mk->mk_users) { | |
392 | mk_user = find_master_key_user(mk); | |
393 | if (mk_user != ERR_PTR(-ENOKEY)) { | |
394 | if (IS_ERR(mk_user)) | |
395 | return PTR_ERR(mk_user); | |
396 | key_put(mk_user); | |
397 | return 0; | |
398 | } | |
399 | } | |
400 | ||
401 | /* If we'll be re-adding ->mk_secret, try to take the reference. */ | |
402 | rekey = !is_master_key_secret_present(&mk->mk_secret); | |
403 | if (rekey && !refcount_inc_not_zero(&mk->mk_refcount)) | |
b1c0ec35 EB |
404 | return KEY_DEAD; |
405 | ||
23c688b5 EB |
406 | /* Add the current user to ->mk_users, if applicable. */ |
407 | if (mk->mk_users) { | |
408 | err = add_master_key_user(mk); | |
409 | if (err) { | |
410 | if (rekey && refcount_dec_and_test(&mk->mk_refcount)) | |
411 | return KEY_DEAD; | |
412 | return err; | |
413 | } | |
414 | } | |
415 | ||
416 | /* Re-add the secret if needed. */ | |
417 | if (rekey) { | |
418 | down_write(&mk->mk_secret_sem); | |
419 | move_master_key_secret(&mk->mk_secret, secret); | |
420 | up_write(&mk->mk_secret_sem); | |
421 | } | |
b1c0ec35 EB |
422 | return 0; |
423 | } | |
424 | ||
22d94f49 EB |
425 | static int add_master_key(struct super_block *sb, |
426 | struct fscrypt_master_key_secret *secret, | |
427 | const struct fscrypt_key_specifier *mk_spec) | |
428 | { | |
429 | static DEFINE_MUTEX(fscrypt_add_key_mutex); | |
430 | struct key *key; | |
431 | int err; | |
432 | ||
433 | mutex_lock(&fscrypt_add_key_mutex); /* serialize find + link */ | |
b1c0ec35 | 434 | retry: |
22d94f49 EB |
435 | key = fscrypt_find_master_key(sb, mk_spec); |
436 | if (IS_ERR(key)) { | |
437 | err = PTR_ERR(key); | |
438 | if (err != -ENOKEY) | |
439 | goto out_unlock; | |
440 | /* Didn't find the key in ->s_master_keys. Add it. */ | |
441 | err = allocate_filesystem_keyring(sb); | |
442 | if (err) | |
443 | goto out_unlock; | |
444 | err = add_new_master_key(secret, mk_spec, sb->s_master_keys); | |
445 | } else { | |
b1c0ec35 EB |
446 | /* |
447 | * Found the key in ->s_master_keys. Re-add the secret if | |
23c688b5 | 448 | * needed, and add the user to ->mk_users if needed. |
b1c0ec35 EB |
449 | */ |
450 | down_write(&key->sem); | |
451 | err = add_existing_master_key(key->payload.data[0], secret); | |
452 | up_write(&key->sem); | |
453 | if (err == KEY_DEAD) { | |
454 | /* Key being removed or needs to be removed */ | |
455 | key_invalidate(key); | |
456 | key_put(key); | |
457 | goto retry; | |
458 | } | |
22d94f49 | 459 | key_put(key); |
22d94f49 EB |
460 | } |
461 | out_unlock: | |
462 | mutex_unlock(&fscrypt_add_key_mutex); | |
463 | return err; | |
464 | } | |
465 | ||
466 | /* | |
467 | * Add a master encryption key to the filesystem, causing all files which were | |
468 | * encrypted with it to appear "unlocked" (decrypted) when accessed. | |
469 | * | |
23c688b5 EB |
470 | * When adding a key for use by v1 encryption policies, this ioctl is |
471 | * privileged, and userspace must provide the 'key_descriptor'. | |
472 | * | |
473 | * When adding a key for use by v2+ encryption policies, this ioctl is | |
474 | * unprivileged. This is needed, in general, to allow non-root users to use | |
475 | * encryption without encountering the visibility problems of process-subscribed | |
476 | * keyrings and the inability to properly remove keys. This works by having | |
477 | * each key identified by its cryptographically secure hash --- the | |
478 | * 'key_identifier'. The cryptographic hash ensures that a malicious user | |
479 | * cannot add the wrong key for a given identifier. Furthermore, each added key | |
480 | * is charged to the appropriate user's quota for the keyrings service, which | |
481 | * prevents a malicious user from adding too many keys. Finally, we forbid a | |
482 | * user from removing a key while other users have added it too, which prevents | |
483 | * a user who knows another user's key from causing a denial-of-service by | |
484 | * removing it at an inopportune time. (We tolerate that a user who knows a key | |
485 | * can prevent other users from removing it.) | |
486 | * | |
22d94f49 EB |
487 | * For more details, see the "FS_IOC_ADD_ENCRYPTION_KEY" section of |
488 | * Documentation/filesystems/fscrypt.rst. | |
489 | */ | |
490 | int fscrypt_ioctl_add_key(struct file *filp, void __user *_uarg) | |
491 | { | |
492 | struct super_block *sb = file_inode(filp)->i_sb; | |
493 | struct fscrypt_add_key_arg __user *uarg = _uarg; | |
494 | struct fscrypt_add_key_arg arg; | |
495 | struct fscrypt_master_key_secret secret; | |
496 | int err; | |
497 | ||
498 | if (copy_from_user(&arg, uarg, sizeof(arg))) | |
499 | return -EFAULT; | |
500 | ||
501 | if (!valid_key_spec(&arg.key_spec)) | |
502 | return -EINVAL; | |
503 | ||
504 | if (arg.raw_size < FSCRYPT_MIN_KEY_SIZE || | |
505 | arg.raw_size > FSCRYPT_MAX_KEY_SIZE) | |
506 | return -EINVAL; | |
507 | ||
508 | if (memchr_inv(arg.__reserved, 0, sizeof(arg.__reserved))) | |
509 | return -EINVAL; | |
510 | ||
511 | memset(&secret, 0, sizeof(secret)); | |
512 | secret.size = arg.raw_size; | |
513 | err = -EFAULT; | |
514 | if (copy_from_user(secret.raw, uarg->raw, secret.size)) | |
515 | goto out_wipe_secret; | |
516 | ||
23c688b5 EB |
517 | switch (arg.key_spec.type) { |
518 | case FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR: | |
519 | /* | |
520 | * Only root can add keys that are identified by an arbitrary | |
521 | * descriptor rather than by a cryptographic hash --- since | |
522 | * otherwise a malicious user could add the wrong key. | |
523 | */ | |
524 | err = -EACCES; | |
525 | if (!capable(CAP_SYS_ADMIN)) | |
526 | goto out_wipe_secret; | |
527 | break; | |
528 | case FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER: | |
5dae460c EB |
529 | err = fscrypt_init_hkdf(&secret.hkdf, secret.raw, secret.size); |
530 | if (err) | |
531 | goto out_wipe_secret; | |
532 | ||
533 | /* | |
534 | * Now that the HKDF context is initialized, the raw key is no | |
535 | * longer needed. | |
536 | */ | |
537 | memzero_explicit(secret.raw, secret.size); | |
538 | ||
539 | /* Calculate the key identifier and return it to userspace. */ | |
540 | err = fscrypt_hkdf_expand(&secret.hkdf, | |
541 | HKDF_CONTEXT_KEY_IDENTIFIER, | |
542 | NULL, 0, arg.key_spec.u.identifier, | |
543 | FSCRYPT_KEY_IDENTIFIER_SIZE); | |
544 | if (err) | |
545 | goto out_wipe_secret; | |
546 | err = -EFAULT; | |
547 | if (copy_to_user(uarg->key_spec.u.identifier, | |
548 | arg.key_spec.u.identifier, | |
549 | FSCRYPT_KEY_IDENTIFIER_SIZE)) | |
550 | goto out_wipe_secret; | |
23c688b5 EB |
551 | break; |
552 | default: | |
553 | WARN_ON(1); | |
554 | err = -EINVAL; | |
555 | goto out_wipe_secret; | |
5dae460c EB |
556 | } |
557 | ||
22d94f49 EB |
558 | err = add_master_key(sb, &secret, &arg.key_spec); |
559 | out_wipe_secret: | |
560 | wipe_master_key_secret(&secret); | |
561 | return err; | |
562 | } | |
563 | EXPORT_SYMBOL_GPL(fscrypt_ioctl_add_key); | |
564 | ||
5ab7189a EB |
565 | /* |
566 | * Verify that the current user has added a master key with the given identifier | |
567 | * (returns -ENOKEY if not). This is needed to prevent a user from encrypting | |
568 | * their files using some other user's key which they don't actually know. | |
569 | * Cryptographically this isn't much of a problem, but the semantics of this | |
570 | * would be a bit weird, so it's best to just forbid it. | |
571 | * | |
572 | * The system administrator (CAP_FOWNER) can override this, which should be | |
573 | * enough for any use cases where encryption policies are being set using keys | |
574 | * that were chosen ahead of time but aren't available at the moment. | |
575 | * | |
576 | * Note that the key may have already removed by the time this returns, but | |
577 | * that's okay; we just care whether the key was there at some point. | |
578 | * | |
579 | * Return: 0 if the key is added, -ENOKEY if it isn't, or another -errno code | |
580 | */ | |
581 | int fscrypt_verify_key_added(struct super_block *sb, | |
582 | const u8 identifier[FSCRYPT_KEY_IDENTIFIER_SIZE]) | |
583 | { | |
584 | struct fscrypt_key_specifier mk_spec; | |
585 | struct key *key, *mk_user; | |
586 | struct fscrypt_master_key *mk; | |
587 | int err; | |
588 | ||
589 | mk_spec.type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER; | |
590 | memcpy(mk_spec.u.identifier, identifier, FSCRYPT_KEY_IDENTIFIER_SIZE); | |
591 | ||
592 | key = fscrypt_find_master_key(sb, &mk_spec); | |
593 | if (IS_ERR(key)) { | |
594 | err = PTR_ERR(key); | |
595 | goto out; | |
596 | } | |
597 | mk = key->payload.data[0]; | |
598 | mk_user = find_master_key_user(mk); | |
599 | if (IS_ERR(mk_user)) { | |
600 | err = PTR_ERR(mk_user); | |
601 | } else { | |
602 | key_put(mk_user); | |
603 | err = 0; | |
604 | } | |
605 | key_put(key); | |
606 | out: | |
607 | if (err == -ENOKEY && capable(CAP_FOWNER)) | |
608 | err = 0; | |
609 | return err; | |
610 | } | |
611 | ||
b1c0ec35 EB |
612 | /* |
613 | * Try to evict the inode's dentries from the dentry cache. If the inode is a | |
614 | * directory, then it can have at most one dentry; however, that dentry may be | |
615 | * pinned by child dentries, so first try to evict the children too. | |
616 | */ | |
617 | static void shrink_dcache_inode(struct inode *inode) | |
618 | { | |
619 | struct dentry *dentry; | |
620 | ||
621 | if (S_ISDIR(inode->i_mode)) { | |
622 | dentry = d_find_any_alias(inode); | |
623 | if (dentry) { | |
624 | shrink_dcache_parent(dentry); | |
625 | dput(dentry); | |
626 | } | |
627 | } | |
628 | d_prune_aliases(inode); | |
629 | } | |
630 | ||
631 | static void evict_dentries_for_decrypted_inodes(struct fscrypt_master_key *mk) | |
632 | { | |
633 | struct fscrypt_info *ci; | |
634 | struct inode *inode; | |
635 | struct inode *toput_inode = NULL; | |
636 | ||
637 | spin_lock(&mk->mk_decrypted_inodes_lock); | |
638 | ||
639 | list_for_each_entry(ci, &mk->mk_decrypted_inodes, ci_master_key_link) { | |
640 | inode = ci->ci_inode; | |
641 | spin_lock(&inode->i_lock); | |
642 | if (inode->i_state & (I_FREEING | I_WILL_FREE | I_NEW)) { | |
643 | spin_unlock(&inode->i_lock); | |
644 | continue; | |
645 | } | |
646 | __iget(inode); | |
647 | spin_unlock(&inode->i_lock); | |
648 | spin_unlock(&mk->mk_decrypted_inodes_lock); | |
649 | ||
650 | shrink_dcache_inode(inode); | |
651 | iput(toput_inode); | |
652 | toput_inode = inode; | |
653 | ||
654 | spin_lock(&mk->mk_decrypted_inodes_lock); | |
655 | } | |
656 | ||
657 | spin_unlock(&mk->mk_decrypted_inodes_lock); | |
658 | iput(toput_inode); | |
659 | } | |
660 | ||
661 | static int check_for_busy_inodes(struct super_block *sb, | |
662 | struct fscrypt_master_key *mk) | |
663 | { | |
664 | struct list_head *pos; | |
665 | size_t busy_count = 0; | |
666 | unsigned long ino; | |
667 | struct dentry *dentry; | |
668 | char _path[256]; | |
669 | char *path = NULL; | |
670 | ||
671 | spin_lock(&mk->mk_decrypted_inodes_lock); | |
672 | ||
673 | list_for_each(pos, &mk->mk_decrypted_inodes) | |
674 | busy_count++; | |
675 | ||
676 | if (busy_count == 0) { | |
677 | spin_unlock(&mk->mk_decrypted_inodes_lock); | |
678 | return 0; | |
679 | } | |
680 | ||
681 | { | |
682 | /* select an example file to show for debugging purposes */ | |
683 | struct inode *inode = | |
684 | list_first_entry(&mk->mk_decrypted_inodes, | |
685 | struct fscrypt_info, | |
686 | ci_master_key_link)->ci_inode; | |
687 | ino = inode->i_ino; | |
688 | dentry = d_find_alias(inode); | |
689 | } | |
690 | spin_unlock(&mk->mk_decrypted_inodes_lock); | |
691 | ||
692 | if (dentry) { | |
693 | path = dentry_path(dentry, _path, sizeof(_path)); | |
694 | dput(dentry); | |
695 | } | |
696 | if (IS_ERR_OR_NULL(path)) | |
697 | path = "(unknown)"; | |
698 | ||
699 | fscrypt_warn(NULL, | |
700 | "%s: %zu inode(s) still busy after removing key with %s %*phN, including ino %lu (%s)", | |
701 | sb->s_id, busy_count, master_key_spec_type(&mk->mk_spec), | |
702 | master_key_spec_len(&mk->mk_spec), (u8 *)&mk->mk_spec.u, | |
703 | ino, path); | |
704 | return -EBUSY; | |
705 | } | |
706 | ||
707 | static int try_to_lock_encrypted_files(struct super_block *sb, | |
708 | struct fscrypt_master_key *mk) | |
709 | { | |
710 | int err1; | |
711 | int err2; | |
712 | ||
713 | /* | |
714 | * An inode can't be evicted while it is dirty or has dirty pages. | |
715 | * Thus, we first have to clean the inodes in ->mk_decrypted_inodes. | |
716 | * | |
717 | * Just do it the easy way: call sync_filesystem(). It's overkill, but | |
718 | * it works, and it's more important to minimize the amount of caches we | |
719 | * drop than the amount of data we sync. Also, unprivileged users can | |
720 | * already call sync_filesystem() via sys_syncfs() or sys_sync(). | |
721 | */ | |
722 | down_read(&sb->s_umount); | |
723 | err1 = sync_filesystem(sb); | |
724 | up_read(&sb->s_umount); | |
725 | /* If a sync error occurs, still try to evict as much as possible. */ | |
726 | ||
727 | /* | |
728 | * Inodes are pinned by their dentries, so we have to evict their | |
729 | * dentries. shrink_dcache_sb() would suffice, but would be overkill | |
730 | * and inappropriate for use by unprivileged users. So instead go | |
731 | * through the inodes' alias lists and try to evict each dentry. | |
732 | */ | |
733 | evict_dentries_for_decrypted_inodes(mk); | |
734 | ||
735 | /* | |
736 | * evict_dentries_for_decrypted_inodes() already iput() each inode in | |
737 | * the list; any inodes for which that dropped the last reference will | |
738 | * have been evicted due to fscrypt_drop_inode() detecting the key | |
739 | * removal and telling the VFS to evict the inode. So to finish, we | |
740 | * just need to check whether any inodes couldn't be evicted. | |
741 | */ | |
742 | err2 = check_for_busy_inodes(sb, mk); | |
743 | ||
744 | return err1 ?: err2; | |
745 | } | |
746 | ||
747 | /* | |
748 | * Try to remove an fscrypt master encryption key. | |
749 | * | |
78a1b96b EB |
750 | * FS_IOC_REMOVE_ENCRYPTION_KEY (all_users=false) removes the current user's |
751 | * claim to the key, then removes the key itself if no other users have claims. | |
752 | * FS_IOC_REMOVE_ENCRYPTION_KEY_ALL_USERS (all_users=true) always removes the | |
753 | * key itself. | |
23c688b5 EB |
754 | * |
755 | * To "remove the key itself", first we wipe the actual master key secret, so | |
756 | * that no more inodes can be unlocked with it. Then we try to evict all cached | |
757 | * inodes that had been unlocked with the key. | |
b1c0ec35 EB |
758 | * |
759 | * If all inodes were evicted, then we unlink the fscrypt_master_key from the | |
760 | * keyring. Otherwise it remains in the keyring in the "incompletely removed" | |
761 | * state (without the actual secret key) where it tracks the list of remaining | |
762 | * inodes. Userspace can execute the ioctl again later to retry eviction, or | |
763 | * alternatively can re-add the secret key again. | |
764 | * | |
765 | * For more details, see the "Removing keys" section of | |
766 | * Documentation/filesystems/fscrypt.rst. | |
767 | */ | |
78a1b96b | 768 | static int do_remove_key(struct file *filp, void __user *_uarg, bool all_users) |
b1c0ec35 EB |
769 | { |
770 | struct super_block *sb = file_inode(filp)->i_sb; | |
771 | struct fscrypt_remove_key_arg __user *uarg = _uarg; | |
772 | struct fscrypt_remove_key_arg arg; | |
773 | struct key *key; | |
774 | struct fscrypt_master_key *mk; | |
775 | u32 status_flags = 0; | |
776 | int err; | |
777 | bool dead; | |
778 | ||
779 | if (copy_from_user(&arg, uarg, sizeof(arg))) | |
780 | return -EFAULT; | |
781 | ||
782 | if (!valid_key_spec(&arg.key_spec)) | |
783 | return -EINVAL; | |
784 | ||
785 | if (memchr_inv(arg.__reserved, 0, sizeof(arg.__reserved))) | |
786 | return -EINVAL; | |
787 | ||
23c688b5 EB |
788 | /* |
789 | * Only root can add and remove keys that are identified by an arbitrary | |
790 | * descriptor rather than by a cryptographic hash. | |
791 | */ | |
792 | if (arg.key_spec.type == FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR && | |
793 | !capable(CAP_SYS_ADMIN)) | |
b1c0ec35 EB |
794 | return -EACCES; |
795 | ||
796 | /* Find the key being removed. */ | |
797 | key = fscrypt_find_master_key(sb, &arg.key_spec); | |
798 | if (IS_ERR(key)) | |
799 | return PTR_ERR(key); | |
800 | mk = key->payload.data[0]; | |
801 | ||
802 | down_write(&key->sem); | |
803 | ||
78a1b96b | 804 | /* If relevant, remove current user's (or all users) claim to the key */ |
23c688b5 | 805 | if (mk->mk_users && mk->mk_users->keys.nr_leaves_on_tree != 0) { |
78a1b96b EB |
806 | if (all_users) |
807 | err = keyring_clear(mk->mk_users); | |
808 | else | |
809 | err = remove_master_key_user(mk); | |
23c688b5 EB |
810 | if (err) { |
811 | up_write(&key->sem); | |
812 | goto out_put_key; | |
813 | } | |
814 | if (mk->mk_users->keys.nr_leaves_on_tree != 0) { | |
815 | /* | |
816 | * Other users have still added the key too. We removed | |
817 | * the current user's claim to the key, but we still | |
818 | * can't remove the key itself. | |
819 | */ | |
820 | status_flags |= | |
821 | FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS; | |
822 | err = 0; | |
823 | up_write(&key->sem); | |
824 | goto out_put_key; | |
825 | } | |
826 | } | |
827 | ||
828 | /* No user claims remaining. Go ahead and wipe the secret. */ | |
b1c0ec35 EB |
829 | dead = false; |
830 | if (is_master_key_secret_present(&mk->mk_secret)) { | |
23c688b5 | 831 | down_write(&mk->mk_secret_sem); |
b1c0ec35 EB |
832 | wipe_master_key_secret(&mk->mk_secret); |
833 | dead = refcount_dec_and_test(&mk->mk_refcount); | |
23c688b5 | 834 | up_write(&mk->mk_secret_sem); |
b1c0ec35 EB |
835 | } |
836 | up_write(&key->sem); | |
837 | if (dead) { | |
838 | /* | |
839 | * No inodes reference the key, and we wiped the secret, so the | |
840 | * key object is free to be removed from the keyring. | |
841 | */ | |
842 | key_invalidate(key); | |
843 | err = 0; | |
844 | } else { | |
845 | /* Some inodes still reference this key; try to evict them. */ | |
846 | err = try_to_lock_encrypted_files(sb, mk); | |
847 | if (err == -EBUSY) { | |
848 | status_flags |= | |
849 | FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY; | |
850 | err = 0; | |
851 | } | |
852 | } | |
853 | /* | |
23c688b5 EB |
854 | * We return 0 if we successfully did something: removed a claim to the |
855 | * key, wiped the secret, or tried locking the files again. Users need | |
856 | * to check the informational status flags if they care whether the key | |
857 | * has been fully removed including all files locked. | |
b1c0ec35 | 858 | */ |
23c688b5 | 859 | out_put_key: |
b1c0ec35 EB |
860 | key_put(key); |
861 | if (err == 0) | |
862 | err = put_user(status_flags, &uarg->removal_status_flags); | |
863 | return err; | |
864 | } | |
78a1b96b EB |
865 | |
866 | int fscrypt_ioctl_remove_key(struct file *filp, void __user *uarg) | |
867 | { | |
868 | return do_remove_key(filp, uarg, false); | |
869 | } | |
b1c0ec35 EB |
870 | EXPORT_SYMBOL_GPL(fscrypt_ioctl_remove_key); |
871 | ||
78a1b96b EB |
872 | int fscrypt_ioctl_remove_key_all_users(struct file *filp, void __user *uarg) |
873 | { | |
874 | if (!capable(CAP_SYS_ADMIN)) | |
875 | return -EACCES; | |
876 | return do_remove_key(filp, uarg, true); | |
877 | } | |
878 | EXPORT_SYMBOL_GPL(fscrypt_ioctl_remove_key_all_users); | |
879 | ||
5a7e2992 EB |
880 | /* |
881 | * Retrieve the status of an fscrypt master encryption key. | |
882 | * | |
883 | * We set ->status to indicate whether the key is absent, present, or | |
884 | * incompletely removed. "Incompletely removed" means that the master key | |
885 | * secret has been removed, but some files which had been unlocked with it are | |
886 | * still in use. This field allows applications to easily determine the state | |
887 | * of an encrypted directory without using a hack such as trying to open a | |
888 | * regular file in it (which can confuse the "incompletely removed" state with | |
889 | * absent or present). | |
890 | * | |
23c688b5 EB |
891 | * In addition, for v2 policy keys we allow applications to determine, via |
892 | * ->status_flags and ->user_count, whether the key has been added by the | |
893 | * current user, by other users, or by both. Most applications should not need | |
894 | * this, since ordinarily only one user should know a given key. However, if a | |
895 | * secret key is shared by multiple users, applications may wish to add an | |
896 | * already-present key to prevent other users from removing it. This ioctl can | |
897 | * be used to check whether that really is the case before the work is done to | |
898 | * add the key --- which might e.g. require prompting the user for a passphrase. | |
899 | * | |
5a7e2992 EB |
900 | * For more details, see the "FS_IOC_GET_ENCRYPTION_KEY_STATUS" section of |
901 | * Documentation/filesystems/fscrypt.rst. | |
902 | */ | |
903 | int fscrypt_ioctl_get_key_status(struct file *filp, void __user *uarg) | |
904 | { | |
905 | struct super_block *sb = file_inode(filp)->i_sb; | |
906 | struct fscrypt_get_key_status_arg arg; | |
907 | struct key *key; | |
908 | struct fscrypt_master_key *mk; | |
909 | int err; | |
910 | ||
911 | if (copy_from_user(&arg, uarg, sizeof(arg))) | |
912 | return -EFAULT; | |
913 | ||
914 | if (!valid_key_spec(&arg.key_spec)) | |
915 | return -EINVAL; | |
916 | ||
917 | if (memchr_inv(arg.__reserved, 0, sizeof(arg.__reserved))) | |
918 | return -EINVAL; | |
919 | ||
23c688b5 EB |
920 | arg.status_flags = 0; |
921 | arg.user_count = 0; | |
5a7e2992 EB |
922 | memset(arg.__out_reserved, 0, sizeof(arg.__out_reserved)); |
923 | ||
924 | key = fscrypt_find_master_key(sb, &arg.key_spec); | |
925 | if (IS_ERR(key)) { | |
926 | if (key != ERR_PTR(-ENOKEY)) | |
927 | return PTR_ERR(key); | |
928 | arg.status = FSCRYPT_KEY_STATUS_ABSENT; | |
929 | err = 0; | |
930 | goto out; | |
931 | } | |
932 | mk = key->payload.data[0]; | |
933 | down_read(&key->sem); | |
934 | ||
935 | if (!is_master_key_secret_present(&mk->mk_secret)) { | |
936 | arg.status = FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED; | |
937 | err = 0; | |
938 | goto out_release_key; | |
939 | } | |
940 | ||
941 | arg.status = FSCRYPT_KEY_STATUS_PRESENT; | |
23c688b5 EB |
942 | if (mk->mk_users) { |
943 | struct key *mk_user; | |
944 | ||
945 | arg.user_count = mk->mk_users->keys.nr_leaves_on_tree; | |
946 | mk_user = find_master_key_user(mk); | |
947 | if (!IS_ERR(mk_user)) { | |
948 | arg.status_flags |= | |
949 | FSCRYPT_KEY_STATUS_FLAG_ADDED_BY_SELF; | |
950 | key_put(mk_user); | |
951 | } else if (mk_user != ERR_PTR(-ENOKEY)) { | |
952 | err = PTR_ERR(mk_user); | |
953 | goto out_release_key; | |
954 | } | |
955 | } | |
5a7e2992 EB |
956 | err = 0; |
957 | out_release_key: | |
958 | up_read(&key->sem); | |
959 | key_put(key); | |
960 | out: | |
961 | if (!err && copy_to_user(uarg, &arg, sizeof(arg))) | |
962 | err = -EFAULT; | |
963 | return err; | |
964 | } | |
965 | EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_key_status); | |
966 | ||
22d94f49 EB |
967 | int __init fscrypt_init_keyring(void) |
968 | { | |
23c688b5 EB |
969 | int err; |
970 | ||
971 | err = register_key_type(&key_type_fscrypt); | |
972 | if (err) | |
973 | return err; | |
974 | ||
975 | err = register_key_type(&key_type_fscrypt_user); | |
976 | if (err) | |
977 | goto err_unregister_fscrypt; | |
978 | ||
979 | return 0; | |
980 | ||
981 | err_unregister_fscrypt: | |
982 | unregister_key_type(&key_type_fscrypt); | |
983 | return err; | |
22d94f49 | 984 | } |