Commit | Line | Data |
---|---|---|
32190f0a | 1 | /* SPDX-License-Identifier: GPL-2.0 */ |
46f47e48 | 2 | /* |
734f0d24 DC |
3 | * fscrypt.h: declarations for per-file encryption |
4 | * | |
643fa961 CR |
5 | * Filesystems that implement per-file encryption must include this header |
6 | * file. | |
46f47e48 EB |
7 | * |
8 | * Copyright (C) 2015, Google, Inc. | |
9 | * | |
10 | * Written by Michael Halcrow, 2015. | |
11 | * Modified by Jaegeuk Kim, 2015. | |
12 | */ | |
734f0d24 DC |
13 | #ifndef _LINUX_FSCRYPT_H |
14 | #define _LINUX_FSCRYPT_H | |
46f47e48 | 15 | |
46f47e48 | 16 | #include <linux/fs.h> |
643fa961 CR |
17 | #include <linux/mm.h> |
18 | #include <linux/slab.h> | |
46f47e48 EB |
19 | |
20 | #define FS_CRYPTO_BLOCK_SIZE 16 | |
21 | ||
542060c0 | 22 | struct fscrypt_ctx; |
46f47e48 EB |
23 | struct fscrypt_info; |
24 | ||
46f47e48 EB |
25 | struct fscrypt_str { |
26 | unsigned char *name; | |
27 | u32 len; | |
28 | }; | |
29 | ||
30 | struct fscrypt_name { | |
31 | const struct qstr *usr_fname; | |
32 | struct fscrypt_str disk_name; | |
33 | u32 hash; | |
34 | u32 minor_hash; | |
35 | struct fscrypt_str crypto_buf; | |
b01531db | 36 | bool is_ciphertext_name; |
46f47e48 EB |
37 | }; |
38 | ||
39 | #define FSTR_INIT(n, l) { .name = n, .len = l } | |
40 | #define FSTR_TO_QSTR(f) QSTR_INIT((f)->name, (f)->len) | |
41 | #define fname_name(p) ((p)->disk_name.name) | |
42 | #define fname_len(p) ((p)->disk_name.len) | |
43 | ||
af65207c TE |
44 | /* Maximum value for the third parameter of fscrypt_operations.set_context(). */ |
45 | #define FSCRYPT_SET_CONTEXT_MAX_SIZE 28 | |
46 | ||
643fa961 CR |
47 | #ifdef CONFIG_FS_ENCRYPTION |
48 | /* | |
49 | * fscrypt superblock flags | |
50 | */ | |
51 | #define FS_CFLG_OWN_PAGES (1U << 1) | |
52 | ||
53 | /* | |
54 | * crypto operations for filesystems | |
55 | */ | |
56 | struct fscrypt_operations { | |
57 | unsigned int flags; | |
58 | const char *key_prefix; | |
59 | int (*get_context)(struct inode *, void *, size_t); | |
60 | int (*set_context)(struct inode *, const void *, size_t, void *); | |
61 | bool (*dummy_context)(struct inode *); | |
62 | bool (*empty_dir)(struct inode *); | |
63 | unsigned int max_namelen; | |
64 | }; | |
65 | ||
2a415a02 | 66 | /* Decryption work */ |
643fa961 CR |
67 | struct fscrypt_ctx { |
68 | union { | |
643fa961 CR |
69 | struct { |
70 | struct bio *bio; | |
71 | struct work_struct work; | |
2a415a02 | 72 | }; |
643fa961 CR |
73 | struct list_head free_list; /* Free list */ |
74 | }; | |
75 | u8 flags; /* Flags */ | |
76 | }; | |
77 | ||
78 | static inline bool fscrypt_has_encryption_key(const struct inode *inode) | |
79 | { | |
e37a784d EB |
80 | /* pairs with cmpxchg_release() in fscrypt_get_encryption_info() */ |
81 | return READ_ONCE(inode->i_crypt_info) != NULL; | |
643fa961 CR |
82 | } |
83 | ||
84 | static inline bool fscrypt_dummy_context_enabled(struct inode *inode) | |
85 | { | |
86 | return inode->i_sb->s_cop->dummy_context && | |
87 | inode->i_sb->s_cop->dummy_context(inode); | |
88 | } | |
89 | ||
0bf3d5c1 EB |
90 | /* |
91 | * When d_splice_alias() moves a directory's encrypted alias to its decrypted | |
92 | * alias as a result of the encryption key being added, DCACHE_ENCRYPTED_NAME | |
93 | * must be cleared. Note that we don't have to support arbitrary moves of this | |
94 | * flag because fscrypt doesn't allow encrypted aliases to be the source or | |
95 | * target of a rename(). | |
96 | */ | |
97 | static inline void fscrypt_handle_d_move(struct dentry *dentry) | |
98 | { | |
99 | dentry->d_flags &= ~DCACHE_ENCRYPTED_NAME; | |
100 | } | |
101 | ||
643fa961 CR |
102 | /* crypto.c */ |
103 | extern void fscrypt_enqueue_decrypt_work(struct work_struct *); | |
cd0265fc | 104 | extern struct fscrypt_ctx *fscrypt_get_ctx(gfp_t); |
643fa961 | 105 | extern void fscrypt_release_ctx(struct fscrypt_ctx *); |
53bc1d85 EB |
106 | |
107 | extern struct page *fscrypt_encrypt_pagecache_blocks(struct page *page, | |
108 | unsigned int len, | |
109 | unsigned int offs, | |
110 | gfp_t gfp_flags); | |
03569f2f EB |
111 | extern int fscrypt_encrypt_block_inplace(const struct inode *inode, |
112 | struct page *page, unsigned int len, | |
113 | unsigned int offs, u64 lblk_num, | |
114 | gfp_t gfp_flags); | |
aa8bc1ac EB |
115 | |
116 | extern int fscrypt_decrypt_pagecache_blocks(struct page *page, unsigned int len, | |
117 | unsigned int offs); | |
41adbcb7 EB |
118 | extern int fscrypt_decrypt_block_inplace(const struct inode *inode, |
119 | struct page *page, unsigned int len, | |
120 | unsigned int offs, u64 lblk_num); | |
643fa961 | 121 | |
d2d0727b | 122 | static inline bool fscrypt_is_bounce_page(struct page *page) |
643fa961 | 123 | { |
d2d0727b | 124 | return page->mapping == NULL; |
643fa961 CR |
125 | } |
126 | ||
d2d0727b EB |
127 | static inline struct page *fscrypt_pagecache_page(struct page *bounce_page) |
128 | { | |
129 | return (struct page *)page_private(bounce_page); | |
130 | } | |
131 | ||
132 | extern void fscrypt_free_bounce_page(struct page *bounce_page); | |
643fa961 CR |
133 | |
134 | /* policy.c */ | |
135 | extern int fscrypt_ioctl_set_policy(struct file *, const void __user *); | |
136 | extern int fscrypt_ioctl_get_policy(struct file *, void __user *); | |
137 | extern int fscrypt_has_permitted_context(struct inode *, struct inode *); | |
138 | extern int fscrypt_inherit_context(struct inode *, struct inode *, | |
139 | void *, bool); | |
140 | /* keyinfo.c */ | |
141 | extern int fscrypt_get_encryption_info(struct inode *); | |
142 | extern void fscrypt_put_encryption_info(struct inode *); | |
2c58d548 | 143 | extern void fscrypt_free_inode(struct inode *); |
643fa961 CR |
144 | |
145 | /* fname.c */ | |
146 | extern int fscrypt_setup_filename(struct inode *, const struct qstr *, | |
147 | int lookup, struct fscrypt_name *); | |
148 | ||
149 | static inline void fscrypt_free_filename(struct fscrypt_name *fname) | |
150 | { | |
151 | kfree(fname->crypto_buf.name); | |
152 | } | |
153 | ||
154 | extern int fscrypt_fname_alloc_buffer(const struct inode *, u32, | |
155 | struct fscrypt_str *); | |
156 | extern void fscrypt_fname_free_buffer(struct fscrypt_str *); | |
157 | extern int fscrypt_fname_disk_to_usr(struct inode *, u32, u32, | |
158 | const struct fscrypt_str *, struct fscrypt_str *); | |
159 | ||
160 | #define FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE 32 | |
161 | ||
162 | /* Extracts the second-to-last ciphertext block; see explanation below */ | |
163 | #define FSCRYPT_FNAME_DIGEST(name, len) \ | |
164 | ((name) + round_down((len) - FS_CRYPTO_BLOCK_SIZE - 1, \ | |
165 | FS_CRYPTO_BLOCK_SIZE)) | |
166 | ||
167 | #define FSCRYPT_FNAME_DIGEST_SIZE FS_CRYPTO_BLOCK_SIZE | |
168 | ||
169 | /** | |
170 | * fscrypt_digested_name - alternate identifier for an on-disk filename | |
171 | * | |
172 | * When userspace lists an encrypted directory without access to the key, | |
173 | * filenames whose ciphertext is longer than FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE | |
174 | * bytes are shown in this abbreviated form (base64-encoded) rather than as the | |
175 | * full ciphertext (base64-encoded). This is necessary to allow supporting | |
176 | * filenames up to NAME_MAX bytes, since base64 encoding expands the length. | |
177 | * | |
178 | * To make it possible for filesystems to still find the correct directory entry | |
179 | * despite not knowing the full on-disk name, we encode any filesystem-specific | |
180 | * 'hash' and/or 'minor_hash' which the filesystem may need for its lookups, | |
181 | * followed by the second-to-last ciphertext block of the filename. Due to the | |
182 | * use of the CBC-CTS encryption mode, the second-to-last ciphertext block | |
183 | * depends on the full plaintext. (Note that ciphertext stealing causes the | |
184 | * last two blocks to appear "flipped".) This makes accidental collisions very | |
185 | * unlikely: just a 1 in 2^128 chance for two filenames to collide even if they | |
186 | * share the same filesystem-specific hashes. | |
187 | * | |
188 | * However, this scheme isn't immune to intentional collisions, which can be | |
189 | * created by anyone able to create arbitrary plaintext filenames and view them | |
190 | * without the key. Making the "digest" be a real cryptographic hash like | |
191 | * SHA-256 over the full ciphertext would prevent this, although it would be | |
192 | * less efficient and harder to implement, especially since the filesystem would | |
193 | * need to calculate it for each directory entry examined during a search. | |
194 | */ | |
195 | struct fscrypt_digested_name { | |
196 | u32 hash; | |
197 | u32 minor_hash; | |
198 | u8 digest[FSCRYPT_FNAME_DIGEST_SIZE]; | |
199 | }; | |
200 | ||
201 | /** | |
202 | * fscrypt_match_name() - test whether the given name matches a directory entry | |
203 | * @fname: the name being searched for | |
204 | * @de_name: the name from the directory entry | |
205 | * @de_name_len: the length of @de_name in bytes | |
206 | * | |
207 | * Normally @fname->disk_name will be set, and in that case we simply compare | |
208 | * that to the name stored in the directory entry. The only exception is that | |
209 | * if we don't have the key for an encrypted directory and a filename in it is | |
210 | * very long, then we won't have the full disk_name and we'll instead need to | |
211 | * match against the fscrypt_digested_name. | |
212 | * | |
213 | * Return: %true if the name matches, otherwise %false. | |
214 | */ | |
215 | static inline bool fscrypt_match_name(const struct fscrypt_name *fname, | |
216 | const u8 *de_name, u32 de_name_len) | |
217 | { | |
218 | if (unlikely(!fname->disk_name.name)) { | |
219 | const struct fscrypt_digested_name *n = | |
220 | (const void *)fname->crypto_buf.name; | |
221 | if (WARN_ON_ONCE(fname->usr_fname->name[0] != '_')) | |
222 | return false; | |
223 | if (de_name_len <= FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE) | |
224 | return false; | |
225 | return !memcmp(FSCRYPT_FNAME_DIGEST(de_name, de_name_len), | |
226 | n->digest, FSCRYPT_FNAME_DIGEST_SIZE); | |
227 | } | |
228 | ||
229 | if (de_name_len != fname->disk_name.len) | |
230 | return false; | |
231 | return !memcmp(de_name, fname->disk_name.name, fname->disk_name.len); | |
232 | } | |
233 | ||
234 | /* bio.c */ | |
235 | extern void fscrypt_decrypt_bio(struct bio *); | |
236 | extern void fscrypt_enqueue_decrypt_bio(struct fscrypt_ctx *ctx, | |
237 | struct bio *bio); | |
643fa961 CR |
238 | extern int fscrypt_zeroout_range(const struct inode *, pgoff_t, sector_t, |
239 | unsigned int); | |
240 | ||
241 | /* hooks.c */ | |
242 | extern int fscrypt_file_open(struct inode *inode, struct file *filp); | |
968dd6d0 EB |
243 | extern int __fscrypt_prepare_link(struct inode *inode, struct inode *dir, |
244 | struct dentry *dentry); | |
643fa961 CR |
245 | extern int __fscrypt_prepare_rename(struct inode *old_dir, |
246 | struct dentry *old_dentry, | |
247 | struct inode *new_dir, | |
248 | struct dentry *new_dentry, | |
249 | unsigned int flags); | |
b01531db EB |
250 | extern int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry, |
251 | struct fscrypt_name *fname); | |
643fa961 CR |
252 | extern int __fscrypt_prepare_symlink(struct inode *dir, unsigned int len, |
253 | unsigned int max_len, | |
254 | struct fscrypt_str *disk_link); | |
255 | extern int __fscrypt_encrypt_symlink(struct inode *inode, const char *target, | |
256 | unsigned int len, | |
257 | struct fscrypt_str *disk_link); | |
258 | extern const char *fscrypt_get_symlink(struct inode *inode, const void *caddr, | |
259 | unsigned int max_size, | |
260 | struct delayed_call *done); | |
eea2c05d SH |
261 | static inline void fscrypt_set_ops(struct super_block *sb, |
262 | const struct fscrypt_operations *s_cop) | |
263 | { | |
264 | sb->s_cop = s_cop; | |
265 | } | |
643fa961 CR |
266 | #else /* !CONFIG_FS_ENCRYPTION */ |
267 | ||
268 | static inline bool fscrypt_has_encryption_key(const struct inode *inode) | |
269 | { | |
270 | return false; | |
271 | } | |
272 | ||
273 | static inline bool fscrypt_dummy_context_enabled(struct inode *inode) | |
274 | { | |
275 | return false; | |
276 | } | |
277 | ||
0bf3d5c1 EB |
278 | static inline void fscrypt_handle_d_move(struct dentry *dentry) |
279 | { | |
280 | } | |
281 | ||
643fa961 CR |
282 | /* crypto.c */ |
283 | static inline void fscrypt_enqueue_decrypt_work(struct work_struct *work) | |
284 | { | |
285 | } | |
286 | ||
cd0265fc | 287 | static inline struct fscrypt_ctx *fscrypt_get_ctx(gfp_t gfp_flags) |
643fa961 CR |
288 | { |
289 | return ERR_PTR(-EOPNOTSUPP); | |
290 | } | |
291 | ||
292 | static inline void fscrypt_release_ctx(struct fscrypt_ctx *ctx) | |
293 | { | |
294 | return; | |
295 | } | |
296 | ||
53bc1d85 EB |
297 | static inline struct page *fscrypt_encrypt_pagecache_blocks(struct page *page, |
298 | unsigned int len, | |
299 | unsigned int offs, | |
300 | gfp_t gfp_flags) | |
643fa961 CR |
301 | { |
302 | return ERR_PTR(-EOPNOTSUPP); | |
303 | } | |
304 | ||
03569f2f EB |
305 | static inline int fscrypt_encrypt_block_inplace(const struct inode *inode, |
306 | struct page *page, | |
307 | unsigned int len, | |
308 | unsigned int offs, u64 lblk_num, | |
309 | gfp_t gfp_flags) | |
310 | { | |
311 | return -EOPNOTSUPP; | |
312 | } | |
313 | ||
aa8bc1ac EB |
314 | static inline int fscrypt_decrypt_pagecache_blocks(struct page *page, |
315 | unsigned int len, | |
316 | unsigned int offs) | |
643fa961 CR |
317 | { |
318 | return -EOPNOTSUPP; | |
319 | } | |
320 | ||
41adbcb7 EB |
321 | static inline int fscrypt_decrypt_block_inplace(const struct inode *inode, |
322 | struct page *page, | |
323 | unsigned int len, | |
324 | unsigned int offs, u64 lblk_num) | |
325 | { | |
326 | return -EOPNOTSUPP; | |
327 | } | |
328 | ||
d2d0727b EB |
329 | static inline bool fscrypt_is_bounce_page(struct page *page) |
330 | { | |
331 | return false; | |
332 | } | |
333 | ||
334 | static inline struct page *fscrypt_pagecache_page(struct page *bounce_page) | |
643fa961 CR |
335 | { |
336 | WARN_ON_ONCE(1); | |
337 | return ERR_PTR(-EINVAL); | |
338 | } | |
339 | ||
d2d0727b | 340 | static inline void fscrypt_free_bounce_page(struct page *bounce_page) |
643fa961 | 341 | { |
643fa961 CR |
342 | } |
343 | ||
344 | /* policy.c */ | |
345 | static inline int fscrypt_ioctl_set_policy(struct file *filp, | |
346 | const void __user *arg) | |
347 | { | |
348 | return -EOPNOTSUPP; | |
349 | } | |
350 | ||
351 | static inline int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg) | |
352 | { | |
353 | return -EOPNOTSUPP; | |
354 | } | |
355 | ||
356 | static inline int fscrypt_has_permitted_context(struct inode *parent, | |
357 | struct inode *child) | |
358 | { | |
359 | return 0; | |
360 | } | |
361 | ||
362 | static inline int fscrypt_inherit_context(struct inode *parent, | |
363 | struct inode *child, | |
364 | void *fs_data, bool preload) | |
365 | { | |
366 | return -EOPNOTSUPP; | |
367 | } | |
368 | ||
369 | /* keyinfo.c */ | |
370 | static inline int fscrypt_get_encryption_info(struct inode *inode) | |
371 | { | |
372 | return -EOPNOTSUPP; | |
373 | } | |
374 | ||
375 | static inline void fscrypt_put_encryption_info(struct inode *inode) | |
376 | { | |
377 | return; | |
378 | } | |
379 | ||
2c58d548 EB |
380 | static inline void fscrypt_free_inode(struct inode *inode) |
381 | { | |
382 | } | |
383 | ||
643fa961 CR |
384 | /* fname.c */ |
385 | static inline int fscrypt_setup_filename(struct inode *dir, | |
386 | const struct qstr *iname, | |
387 | int lookup, struct fscrypt_name *fname) | |
388 | { | |
389 | if (IS_ENCRYPTED(dir)) | |
390 | return -EOPNOTSUPP; | |
391 | ||
b01531db | 392 | memset(fname, 0, sizeof(*fname)); |
643fa961 CR |
393 | fname->usr_fname = iname; |
394 | fname->disk_name.name = (unsigned char *)iname->name; | |
395 | fname->disk_name.len = iname->len; | |
396 | return 0; | |
397 | } | |
398 | ||
399 | static inline void fscrypt_free_filename(struct fscrypt_name *fname) | |
400 | { | |
401 | return; | |
402 | } | |
403 | ||
404 | static inline int fscrypt_fname_alloc_buffer(const struct inode *inode, | |
405 | u32 max_encrypted_len, | |
406 | struct fscrypt_str *crypto_str) | |
407 | { | |
408 | return -EOPNOTSUPP; | |
409 | } | |
410 | ||
411 | static inline void fscrypt_fname_free_buffer(struct fscrypt_str *crypto_str) | |
412 | { | |
413 | return; | |
414 | } | |
415 | ||
416 | static inline int fscrypt_fname_disk_to_usr(struct inode *inode, | |
417 | u32 hash, u32 minor_hash, | |
418 | const struct fscrypt_str *iname, | |
419 | struct fscrypt_str *oname) | |
420 | { | |
421 | return -EOPNOTSUPP; | |
422 | } | |
423 | ||
424 | static inline bool fscrypt_match_name(const struct fscrypt_name *fname, | |
425 | const u8 *de_name, u32 de_name_len) | |
426 | { | |
427 | /* Encryption support disabled; use standard comparison */ | |
428 | if (de_name_len != fname->disk_name.len) | |
429 | return false; | |
430 | return !memcmp(de_name, fname->disk_name.name, fname->disk_name.len); | |
431 | } | |
432 | ||
433 | /* bio.c */ | |
434 | static inline void fscrypt_decrypt_bio(struct bio *bio) | |
435 | { | |
436 | } | |
437 | ||
438 | static inline void fscrypt_enqueue_decrypt_bio(struct fscrypt_ctx *ctx, | |
439 | struct bio *bio) | |
440 | { | |
441 | } | |
442 | ||
643fa961 CR |
443 | static inline int fscrypt_zeroout_range(const struct inode *inode, pgoff_t lblk, |
444 | sector_t pblk, unsigned int len) | |
445 | { | |
446 | return -EOPNOTSUPP; | |
447 | } | |
448 | ||
449 | /* hooks.c */ | |
450 | ||
451 | static inline int fscrypt_file_open(struct inode *inode, struct file *filp) | |
452 | { | |
453 | if (IS_ENCRYPTED(inode)) | |
454 | return -EOPNOTSUPP; | |
455 | return 0; | |
456 | } | |
457 | ||
968dd6d0 EB |
458 | static inline int __fscrypt_prepare_link(struct inode *inode, struct inode *dir, |
459 | struct dentry *dentry) | |
643fa961 CR |
460 | { |
461 | return -EOPNOTSUPP; | |
462 | } | |
463 | ||
464 | static inline int __fscrypt_prepare_rename(struct inode *old_dir, | |
465 | struct dentry *old_dentry, | |
466 | struct inode *new_dir, | |
467 | struct dentry *new_dentry, | |
468 | unsigned int flags) | |
469 | { | |
470 | return -EOPNOTSUPP; | |
471 | } | |
472 | ||
473 | static inline int __fscrypt_prepare_lookup(struct inode *dir, | |
b01531db EB |
474 | struct dentry *dentry, |
475 | struct fscrypt_name *fname) | |
643fa961 CR |
476 | { |
477 | return -EOPNOTSUPP; | |
478 | } | |
479 | ||
480 | static inline int __fscrypt_prepare_symlink(struct inode *dir, | |
481 | unsigned int len, | |
482 | unsigned int max_len, | |
483 | struct fscrypt_str *disk_link) | |
484 | { | |
485 | return -EOPNOTSUPP; | |
486 | } | |
487 | ||
488 | ||
489 | static inline int __fscrypt_encrypt_symlink(struct inode *inode, | |
490 | const char *target, | |
491 | unsigned int len, | |
492 | struct fscrypt_str *disk_link) | |
493 | { | |
494 | return -EOPNOTSUPP; | |
495 | } | |
496 | ||
497 | static inline const char *fscrypt_get_symlink(struct inode *inode, | |
498 | const void *caddr, | |
499 | unsigned int max_size, | |
500 | struct delayed_call *done) | |
501 | { | |
502 | return ERR_PTR(-EOPNOTSUPP); | |
503 | } | |
eea2c05d SH |
504 | |
505 | static inline void fscrypt_set_ops(struct super_block *sb, | |
506 | const struct fscrypt_operations *s_cop) | |
507 | { | |
508 | } | |
509 | ||
643fa961 | 510 | #endif /* !CONFIG_FS_ENCRYPTION */ |
734f0d24 | 511 | |
d293c3e4 EB |
512 | /** |
513 | * fscrypt_require_key - require an inode's encryption key | |
514 | * @inode: the inode we need the key for | |
515 | * | |
516 | * If the inode is encrypted, set up its encryption key if not already done. | |
517 | * Then require that the key be present and return -ENOKEY otherwise. | |
518 | * | |
519 | * No locks are needed, and the key will live as long as the struct inode --- so | |
520 | * it won't go away from under you. | |
521 | * | |
522 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code | |
523 | * if a problem occurred while setting up the encryption key. | |
524 | */ | |
525 | static inline int fscrypt_require_key(struct inode *inode) | |
526 | { | |
527 | if (IS_ENCRYPTED(inode)) { | |
528 | int err = fscrypt_get_encryption_info(inode); | |
529 | ||
530 | if (err) | |
531 | return err; | |
532 | if (!fscrypt_has_encryption_key(inode)) | |
533 | return -ENOKEY; | |
534 | } | |
535 | return 0; | |
536 | } | |
734f0d24 | 537 | |
0ea87a96 EB |
538 | /** |
539 | * fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory | |
540 | * @old_dentry: an existing dentry for the inode being linked | |
541 | * @dir: the target directory | |
542 | * @dentry: negative dentry for the target filename | |
543 | * | |
544 | * A new link can only be added to an encrypted directory if the directory's | |
545 | * encryption key is available --- since otherwise we'd have no way to encrypt | |
546 | * the filename. Therefore, we first set up the directory's encryption key (if | |
547 | * not already done) and return an error if it's unavailable. | |
548 | * | |
549 | * We also verify that the link will not violate the constraint that all files | |
550 | * in an encrypted directory tree use the same encryption policy. | |
551 | * | |
552 | * Return: 0 on success, -ENOKEY if the directory's encryption key is missing, | |
f5e55e77 | 553 | * -EXDEV if the link would result in an inconsistent encryption policy, or |
0ea87a96 EB |
554 | * another -errno code. |
555 | */ | |
556 | static inline int fscrypt_prepare_link(struct dentry *old_dentry, | |
557 | struct inode *dir, | |
558 | struct dentry *dentry) | |
559 | { | |
560 | if (IS_ENCRYPTED(dir)) | |
968dd6d0 | 561 | return __fscrypt_prepare_link(d_inode(old_dentry), dir, dentry); |
0ea87a96 EB |
562 | return 0; |
563 | } | |
564 | ||
94b26f36 EB |
565 | /** |
566 | * fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories | |
567 | * @old_dir: source directory | |
568 | * @old_dentry: dentry for source file | |
569 | * @new_dir: target directory | |
570 | * @new_dentry: dentry for target location (may be negative unless exchanging) | |
571 | * @flags: rename flags (we care at least about %RENAME_EXCHANGE) | |
572 | * | |
573 | * Prepare for ->rename() where the source and/or target directories may be | |
574 | * encrypted. A new link can only be added to an encrypted directory if the | |
575 | * directory's encryption key is available --- since otherwise we'd have no way | |
576 | * to encrypt the filename. A rename to an existing name, on the other hand, | |
577 | * *is* cryptographically possible without the key. However, we take the more | |
578 | * conservative approach and just forbid all no-key renames. | |
579 | * | |
580 | * We also verify that the rename will not violate the constraint that all files | |
581 | * in an encrypted directory tree use the same encryption policy. | |
582 | * | |
f5e55e77 | 583 | * Return: 0 on success, -ENOKEY if an encryption key is missing, -EXDEV if the |
94b26f36 EB |
584 | * rename would cause inconsistent encryption policies, or another -errno code. |
585 | */ | |
586 | static inline int fscrypt_prepare_rename(struct inode *old_dir, | |
587 | struct dentry *old_dentry, | |
588 | struct inode *new_dir, | |
589 | struct dentry *new_dentry, | |
590 | unsigned int flags) | |
591 | { | |
592 | if (IS_ENCRYPTED(old_dir) || IS_ENCRYPTED(new_dir)) | |
593 | return __fscrypt_prepare_rename(old_dir, old_dentry, | |
594 | new_dir, new_dentry, flags); | |
595 | return 0; | |
596 | } | |
597 | ||
32c3cf02 EB |
598 | /** |
599 | * fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory | |
600 | * @dir: directory being searched | |
601 | * @dentry: filename being looked up | |
b01531db | 602 | * @fname: (output) the name to use to search the on-disk directory |
32c3cf02 | 603 | * |
b01531db EB |
604 | * Prepare for ->lookup() in a directory which may be encrypted by determining |
605 | * the name that will actually be used to search the directory on-disk. Lookups | |
606 | * can be done with or without the directory's encryption key; without the key, | |
32c3cf02 EB |
607 | * filenames are presented in encrypted form. Therefore, we'll try to set up |
608 | * the directory's encryption key, but even without it the lookup can continue. | |
609 | * | |
6cc24868 EB |
610 | * This also installs a custom ->d_revalidate() method which will invalidate the |
611 | * dentry if it was created without the key and the key is later added. | |
32c3cf02 | 612 | * |
b01531db EB |
613 | * Return: 0 on success; -ENOENT if key is unavailable but the filename isn't a |
614 | * correctly formed encoded ciphertext name, so a negative dentry should be | |
615 | * created; or another -errno code. | |
32c3cf02 EB |
616 | */ |
617 | static inline int fscrypt_prepare_lookup(struct inode *dir, | |
618 | struct dentry *dentry, | |
b01531db | 619 | struct fscrypt_name *fname) |
32c3cf02 EB |
620 | { |
621 | if (IS_ENCRYPTED(dir)) | |
b01531db EB |
622 | return __fscrypt_prepare_lookup(dir, dentry, fname); |
623 | ||
624 | memset(fname, 0, sizeof(*fname)); | |
625 | fname->usr_fname = &dentry->d_name; | |
626 | fname->disk_name.name = (unsigned char *)dentry->d_name.name; | |
627 | fname->disk_name.len = dentry->d_name.len; | |
32c3cf02 EB |
628 | return 0; |
629 | } | |
630 | ||
815dac33 EB |
631 | /** |
632 | * fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes | |
633 | * @dentry: dentry through which the inode is being changed | |
634 | * @attr: attributes to change | |
635 | * | |
636 | * Prepare for ->setattr() on a possibly-encrypted inode. On an encrypted file, | |
637 | * most attribute changes are allowed even without the encryption key. However, | |
638 | * without the encryption key we do have to forbid truncates. This is needed | |
639 | * because the size being truncated to may not be a multiple of the filesystem | |
640 | * block size, and in that case we'd have to decrypt the final block, zero the | |
641 | * portion past i_size, and re-encrypt it. (We *could* allow truncating to a | |
642 | * filesystem block boundary, but it's simpler to just forbid all truncates --- | |
643 | * and we already forbid all other contents modifications without the key.) | |
644 | * | |
645 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code | |
646 | * if a problem occurred while setting up the encryption key. | |
647 | */ | |
648 | static inline int fscrypt_prepare_setattr(struct dentry *dentry, | |
649 | struct iattr *attr) | |
650 | { | |
651 | if (attr->ia_valid & ATTR_SIZE) | |
652 | return fscrypt_require_key(d_inode(dentry)); | |
653 | return 0; | |
654 | } | |
655 | ||
76e81d6d EB |
656 | /** |
657 | * fscrypt_prepare_symlink - prepare to create a possibly-encrypted symlink | |
658 | * @dir: directory in which the symlink is being created | |
659 | * @target: plaintext symlink target | |
660 | * @len: length of @target excluding null terminator | |
661 | * @max_len: space the filesystem has available to store the symlink target | |
662 | * @disk_link: (out) the on-disk symlink target being prepared | |
663 | * | |
664 | * This function computes the size the symlink target will require on-disk, | |
665 | * stores it in @disk_link->len, and validates it against @max_len. An | |
666 | * encrypted symlink may be longer than the original. | |
667 | * | |
668 | * Additionally, @disk_link->name is set to @target if the symlink will be | |
669 | * unencrypted, but left NULL if the symlink will be encrypted. For encrypted | |
670 | * symlinks, the filesystem must call fscrypt_encrypt_symlink() to create the | |
671 | * on-disk target later. (The reason for the two-step process is that some | |
672 | * filesystems need to know the size of the symlink target before creating the | |
673 | * inode, e.g. to determine whether it will be a "fast" or "slow" symlink.) | |
674 | * | |
675 | * Return: 0 on success, -ENAMETOOLONG if the symlink target is too long, | |
676 | * -ENOKEY if the encryption key is missing, or another -errno code if a problem | |
677 | * occurred while setting up the encryption key. | |
678 | */ | |
679 | static inline int fscrypt_prepare_symlink(struct inode *dir, | |
680 | const char *target, | |
681 | unsigned int len, | |
682 | unsigned int max_len, | |
683 | struct fscrypt_str *disk_link) | |
684 | { | |
685 | if (IS_ENCRYPTED(dir) || fscrypt_dummy_context_enabled(dir)) | |
686 | return __fscrypt_prepare_symlink(dir, len, max_len, disk_link); | |
687 | ||
688 | disk_link->name = (unsigned char *)target; | |
689 | disk_link->len = len + 1; | |
690 | if (disk_link->len > max_len) | |
691 | return -ENAMETOOLONG; | |
692 | return 0; | |
693 | } | |
694 | ||
695 | /** | |
696 | * fscrypt_encrypt_symlink - encrypt the symlink target if needed | |
697 | * @inode: symlink inode | |
698 | * @target: plaintext symlink target | |
699 | * @len: length of @target excluding null terminator | |
700 | * @disk_link: (in/out) the on-disk symlink target being prepared | |
701 | * | |
702 | * If the symlink target needs to be encrypted, then this function encrypts it | |
703 | * into @disk_link->name. fscrypt_prepare_symlink() must have been called | |
704 | * previously to compute @disk_link->len. If the filesystem did not allocate a | |
705 | * buffer for @disk_link->name after calling fscrypt_prepare_link(), then one | |
706 | * will be kmalloc()'ed and the filesystem will be responsible for freeing it. | |
707 | * | |
708 | * Return: 0 on success, -errno on failure | |
709 | */ | |
710 | static inline int fscrypt_encrypt_symlink(struct inode *inode, | |
711 | const char *target, | |
712 | unsigned int len, | |
713 | struct fscrypt_str *disk_link) | |
714 | { | |
715 | if (IS_ENCRYPTED(inode)) | |
716 | return __fscrypt_encrypt_symlink(inode, target, len, disk_link); | |
717 | return 0; | |
718 | } | |
719 | ||
d2d0727b EB |
720 | /* If *pagep is a bounce page, free it and set *pagep to the pagecache page */ |
721 | static inline void fscrypt_finalize_bounce_page(struct page **pagep) | |
722 | { | |
723 | struct page *page = *pagep; | |
724 | ||
725 | if (fscrypt_is_bounce_page(page)) { | |
726 | *pagep = fscrypt_pagecache_page(page); | |
727 | fscrypt_free_bounce_page(page); | |
728 | } | |
729 | } | |
730 | ||
734f0d24 | 731 | #endif /* _LINUX_FSCRYPT_H */ |