Commit | Line | Data |
---|---|---|
32190f0a | 1 | /* SPDX-License-Identifier: GPL-2.0 */ |
46f47e48 | 2 | /* |
734f0d24 DC |
3 | * fscrypt.h: declarations for per-file encryption |
4 | * | |
643fa961 CR |
5 | * Filesystems that implement per-file encryption must include this header |
6 | * file. | |
46f47e48 EB |
7 | * |
8 | * Copyright (C) 2015, Google, Inc. | |
9 | * | |
10 | * Written by Michael Halcrow, 2015. | |
11 | * Modified by Jaegeuk Kim, 2015. | |
12 | */ | |
734f0d24 DC |
13 | #ifndef _LINUX_FSCRYPT_H |
14 | #define _LINUX_FSCRYPT_H | |
46f47e48 | 15 | |
46f47e48 | 16 | #include <linux/fs.h> |
643fa961 CR |
17 | #include <linux/mm.h> |
18 | #include <linux/slab.h> | |
46f47e48 EB |
19 | |
20 | #define FS_CRYPTO_BLOCK_SIZE 16 | |
21 | ||
542060c0 | 22 | struct fscrypt_ctx; |
46f47e48 EB |
23 | struct fscrypt_info; |
24 | ||
46f47e48 EB |
25 | struct fscrypt_str { |
26 | unsigned char *name; | |
27 | u32 len; | |
28 | }; | |
29 | ||
30 | struct fscrypt_name { | |
31 | const struct qstr *usr_fname; | |
32 | struct fscrypt_str disk_name; | |
33 | u32 hash; | |
34 | u32 minor_hash; | |
35 | struct fscrypt_str crypto_buf; | |
b01531db | 36 | bool is_ciphertext_name; |
46f47e48 EB |
37 | }; |
38 | ||
39 | #define FSTR_INIT(n, l) { .name = n, .len = l } | |
40 | #define FSTR_TO_QSTR(f) QSTR_INIT((f)->name, (f)->len) | |
41 | #define fname_name(p) ((p)->disk_name.name) | |
42 | #define fname_len(p) ((p)->disk_name.len) | |
43 | ||
af65207c TE |
44 | /* Maximum value for the third parameter of fscrypt_operations.set_context(). */ |
45 | #define FSCRYPT_SET_CONTEXT_MAX_SIZE 28 | |
46 | ||
643fa961 CR |
47 | #ifdef CONFIG_FS_ENCRYPTION |
48 | /* | |
49 | * fscrypt superblock flags | |
50 | */ | |
51 | #define FS_CFLG_OWN_PAGES (1U << 1) | |
52 | ||
53 | /* | |
54 | * crypto operations for filesystems | |
55 | */ | |
56 | struct fscrypt_operations { | |
57 | unsigned int flags; | |
58 | const char *key_prefix; | |
59 | int (*get_context)(struct inode *, void *, size_t); | |
60 | int (*set_context)(struct inode *, const void *, size_t, void *); | |
61 | bool (*dummy_context)(struct inode *); | |
62 | bool (*empty_dir)(struct inode *); | |
63 | unsigned int max_namelen; | |
64 | }; | |
65 | ||
66 | struct fscrypt_ctx { | |
67 | union { | |
68 | struct { | |
69 | struct page *bounce_page; /* Ciphertext page */ | |
70 | struct page *control_page; /* Original page */ | |
71 | } w; | |
72 | struct { | |
73 | struct bio *bio; | |
74 | struct work_struct work; | |
75 | } r; | |
76 | struct list_head free_list; /* Free list */ | |
77 | }; | |
78 | u8 flags; /* Flags */ | |
79 | }; | |
80 | ||
81 | static inline bool fscrypt_has_encryption_key(const struct inode *inode) | |
82 | { | |
e37a784d EB |
83 | /* pairs with cmpxchg_release() in fscrypt_get_encryption_info() */ |
84 | return READ_ONCE(inode->i_crypt_info) != NULL; | |
643fa961 CR |
85 | } |
86 | ||
87 | static inline bool fscrypt_dummy_context_enabled(struct inode *inode) | |
88 | { | |
89 | return inode->i_sb->s_cop->dummy_context && | |
90 | inode->i_sb->s_cop->dummy_context(inode); | |
91 | } | |
92 | ||
0bf3d5c1 EB |
93 | /* |
94 | * When d_splice_alias() moves a directory's encrypted alias to its decrypted | |
95 | * alias as a result of the encryption key being added, DCACHE_ENCRYPTED_NAME | |
96 | * must be cleared. Note that we don't have to support arbitrary moves of this | |
97 | * flag because fscrypt doesn't allow encrypted aliases to be the source or | |
98 | * target of a rename(). | |
99 | */ | |
100 | static inline void fscrypt_handle_d_move(struct dentry *dentry) | |
101 | { | |
102 | dentry->d_flags &= ~DCACHE_ENCRYPTED_NAME; | |
103 | } | |
104 | ||
643fa961 CR |
105 | /* crypto.c */ |
106 | extern void fscrypt_enqueue_decrypt_work(struct work_struct *); | |
cd0265fc | 107 | extern struct fscrypt_ctx *fscrypt_get_ctx(gfp_t); |
643fa961 CR |
108 | extern void fscrypt_release_ctx(struct fscrypt_ctx *); |
109 | extern struct page *fscrypt_encrypt_page(const struct inode *, struct page *, | |
110 | unsigned int, unsigned int, | |
111 | u64, gfp_t); | |
112 | extern int fscrypt_decrypt_page(const struct inode *, struct page *, unsigned int, | |
113 | unsigned int, u64); | |
114 | ||
115 | static inline struct page *fscrypt_control_page(struct page *page) | |
116 | { | |
117 | return ((struct fscrypt_ctx *)page_private(page))->w.control_page; | |
118 | } | |
119 | ||
120 | extern void fscrypt_restore_control_page(struct page *); | |
121 | ||
122 | /* policy.c */ | |
123 | extern int fscrypt_ioctl_set_policy(struct file *, const void __user *); | |
124 | extern int fscrypt_ioctl_get_policy(struct file *, void __user *); | |
125 | extern int fscrypt_has_permitted_context(struct inode *, struct inode *); | |
126 | extern int fscrypt_inherit_context(struct inode *, struct inode *, | |
127 | void *, bool); | |
128 | /* keyinfo.c */ | |
129 | extern int fscrypt_get_encryption_info(struct inode *); | |
130 | extern void fscrypt_put_encryption_info(struct inode *); | |
2c58d548 | 131 | extern void fscrypt_free_inode(struct inode *); |
643fa961 CR |
132 | |
133 | /* fname.c */ | |
134 | extern int fscrypt_setup_filename(struct inode *, const struct qstr *, | |
135 | int lookup, struct fscrypt_name *); | |
136 | ||
137 | static inline void fscrypt_free_filename(struct fscrypt_name *fname) | |
138 | { | |
139 | kfree(fname->crypto_buf.name); | |
140 | } | |
141 | ||
142 | extern int fscrypt_fname_alloc_buffer(const struct inode *, u32, | |
143 | struct fscrypt_str *); | |
144 | extern void fscrypt_fname_free_buffer(struct fscrypt_str *); | |
145 | extern int fscrypt_fname_disk_to_usr(struct inode *, u32, u32, | |
146 | const struct fscrypt_str *, struct fscrypt_str *); | |
147 | ||
148 | #define FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE 32 | |
149 | ||
150 | /* Extracts the second-to-last ciphertext block; see explanation below */ | |
151 | #define FSCRYPT_FNAME_DIGEST(name, len) \ | |
152 | ((name) + round_down((len) - FS_CRYPTO_BLOCK_SIZE - 1, \ | |
153 | FS_CRYPTO_BLOCK_SIZE)) | |
154 | ||
155 | #define FSCRYPT_FNAME_DIGEST_SIZE FS_CRYPTO_BLOCK_SIZE | |
156 | ||
157 | /** | |
158 | * fscrypt_digested_name - alternate identifier for an on-disk filename | |
159 | * | |
160 | * When userspace lists an encrypted directory without access to the key, | |
161 | * filenames whose ciphertext is longer than FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE | |
162 | * bytes are shown in this abbreviated form (base64-encoded) rather than as the | |
163 | * full ciphertext (base64-encoded). This is necessary to allow supporting | |
164 | * filenames up to NAME_MAX bytes, since base64 encoding expands the length. | |
165 | * | |
166 | * To make it possible for filesystems to still find the correct directory entry | |
167 | * despite not knowing the full on-disk name, we encode any filesystem-specific | |
168 | * 'hash' and/or 'minor_hash' which the filesystem may need for its lookups, | |
169 | * followed by the second-to-last ciphertext block of the filename. Due to the | |
170 | * use of the CBC-CTS encryption mode, the second-to-last ciphertext block | |
171 | * depends on the full plaintext. (Note that ciphertext stealing causes the | |
172 | * last two blocks to appear "flipped".) This makes accidental collisions very | |
173 | * unlikely: just a 1 in 2^128 chance for two filenames to collide even if they | |
174 | * share the same filesystem-specific hashes. | |
175 | * | |
176 | * However, this scheme isn't immune to intentional collisions, which can be | |
177 | * created by anyone able to create arbitrary plaintext filenames and view them | |
178 | * without the key. Making the "digest" be a real cryptographic hash like | |
179 | * SHA-256 over the full ciphertext would prevent this, although it would be | |
180 | * less efficient and harder to implement, especially since the filesystem would | |
181 | * need to calculate it for each directory entry examined during a search. | |
182 | */ | |
183 | struct fscrypt_digested_name { | |
184 | u32 hash; | |
185 | u32 minor_hash; | |
186 | u8 digest[FSCRYPT_FNAME_DIGEST_SIZE]; | |
187 | }; | |
188 | ||
189 | /** | |
190 | * fscrypt_match_name() - test whether the given name matches a directory entry | |
191 | * @fname: the name being searched for | |
192 | * @de_name: the name from the directory entry | |
193 | * @de_name_len: the length of @de_name in bytes | |
194 | * | |
195 | * Normally @fname->disk_name will be set, and in that case we simply compare | |
196 | * that to the name stored in the directory entry. The only exception is that | |
197 | * if we don't have the key for an encrypted directory and a filename in it is | |
198 | * very long, then we won't have the full disk_name and we'll instead need to | |
199 | * match against the fscrypt_digested_name. | |
200 | * | |
201 | * Return: %true if the name matches, otherwise %false. | |
202 | */ | |
203 | static inline bool fscrypt_match_name(const struct fscrypt_name *fname, | |
204 | const u8 *de_name, u32 de_name_len) | |
205 | { | |
206 | if (unlikely(!fname->disk_name.name)) { | |
207 | const struct fscrypt_digested_name *n = | |
208 | (const void *)fname->crypto_buf.name; | |
209 | if (WARN_ON_ONCE(fname->usr_fname->name[0] != '_')) | |
210 | return false; | |
211 | if (de_name_len <= FSCRYPT_FNAME_MAX_UNDIGESTED_SIZE) | |
212 | return false; | |
213 | return !memcmp(FSCRYPT_FNAME_DIGEST(de_name, de_name_len), | |
214 | n->digest, FSCRYPT_FNAME_DIGEST_SIZE); | |
215 | } | |
216 | ||
217 | if (de_name_len != fname->disk_name.len) | |
218 | return false; | |
219 | return !memcmp(de_name, fname->disk_name.name, fname->disk_name.len); | |
220 | } | |
221 | ||
222 | /* bio.c */ | |
223 | extern void fscrypt_decrypt_bio(struct bio *); | |
224 | extern void fscrypt_enqueue_decrypt_bio(struct fscrypt_ctx *ctx, | |
225 | struct bio *bio); | |
226 | extern void fscrypt_pullback_bio_page(struct page **, bool); | |
227 | extern int fscrypt_zeroout_range(const struct inode *, pgoff_t, sector_t, | |
228 | unsigned int); | |
229 | ||
230 | /* hooks.c */ | |
231 | extern int fscrypt_file_open(struct inode *inode, struct file *filp); | |
968dd6d0 EB |
232 | extern int __fscrypt_prepare_link(struct inode *inode, struct inode *dir, |
233 | struct dentry *dentry); | |
643fa961 CR |
234 | extern int __fscrypt_prepare_rename(struct inode *old_dir, |
235 | struct dentry *old_dentry, | |
236 | struct inode *new_dir, | |
237 | struct dentry *new_dentry, | |
238 | unsigned int flags); | |
b01531db EB |
239 | extern int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry, |
240 | struct fscrypt_name *fname); | |
643fa961 CR |
241 | extern int __fscrypt_prepare_symlink(struct inode *dir, unsigned int len, |
242 | unsigned int max_len, | |
243 | struct fscrypt_str *disk_link); | |
244 | extern int __fscrypt_encrypt_symlink(struct inode *inode, const char *target, | |
245 | unsigned int len, | |
246 | struct fscrypt_str *disk_link); | |
247 | extern const char *fscrypt_get_symlink(struct inode *inode, const void *caddr, | |
248 | unsigned int max_size, | |
249 | struct delayed_call *done); | |
eea2c05d SH |
250 | static inline void fscrypt_set_ops(struct super_block *sb, |
251 | const struct fscrypt_operations *s_cop) | |
252 | { | |
253 | sb->s_cop = s_cop; | |
254 | } | |
643fa961 CR |
255 | #else /* !CONFIG_FS_ENCRYPTION */ |
256 | ||
257 | static inline bool fscrypt_has_encryption_key(const struct inode *inode) | |
258 | { | |
259 | return false; | |
260 | } | |
261 | ||
262 | static inline bool fscrypt_dummy_context_enabled(struct inode *inode) | |
263 | { | |
264 | return false; | |
265 | } | |
266 | ||
0bf3d5c1 EB |
267 | static inline void fscrypt_handle_d_move(struct dentry *dentry) |
268 | { | |
269 | } | |
270 | ||
643fa961 CR |
271 | /* crypto.c */ |
272 | static inline void fscrypt_enqueue_decrypt_work(struct work_struct *work) | |
273 | { | |
274 | } | |
275 | ||
cd0265fc | 276 | static inline struct fscrypt_ctx *fscrypt_get_ctx(gfp_t gfp_flags) |
643fa961 CR |
277 | { |
278 | return ERR_PTR(-EOPNOTSUPP); | |
279 | } | |
280 | ||
281 | static inline void fscrypt_release_ctx(struct fscrypt_ctx *ctx) | |
282 | { | |
283 | return; | |
284 | } | |
285 | ||
286 | static inline struct page *fscrypt_encrypt_page(const struct inode *inode, | |
287 | struct page *page, | |
288 | unsigned int len, | |
289 | unsigned int offs, | |
290 | u64 lblk_num, gfp_t gfp_flags) | |
291 | { | |
292 | return ERR_PTR(-EOPNOTSUPP); | |
293 | } | |
294 | ||
295 | static inline int fscrypt_decrypt_page(const struct inode *inode, | |
296 | struct page *page, | |
297 | unsigned int len, unsigned int offs, | |
298 | u64 lblk_num) | |
299 | { | |
300 | return -EOPNOTSUPP; | |
301 | } | |
302 | ||
303 | static inline struct page *fscrypt_control_page(struct page *page) | |
304 | { | |
305 | WARN_ON_ONCE(1); | |
306 | return ERR_PTR(-EINVAL); | |
307 | } | |
308 | ||
309 | static inline void fscrypt_restore_control_page(struct page *page) | |
310 | { | |
311 | return; | |
312 | } | |
313 | ||
314 | /* policy.c */ | |
315 | static inline int fscrypt_ioctl_set_policy(struct file *filp, | |
316 | const void __user *arg) | |
317 | { | |
318 | return -EOPNOTSUPP; | |
319 | } | |
320 | ||
321 | static inline int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg) | |
322 | { | |
323 | return -EOPNOTSUPP; | |
324 | } | |
325 | ||
326 | static inline int fscrypt_has_permitted_context(struct inode *parent, | |
327 | struct inode *child) | |
328 | { | |
329 | return 0; | |
330 | } | |
331 | ||
332 | static inline int fscrypt_inherit_context(struct inode *parent, | |
333 | struct inode *child, | |
334 | void *fs_data, bool preload) | |
335 | { | |
336 | return -EOPNOTSUPP; | |
337 | } | |
338 | ||
339 | /* keyinfo.c */ | |
340 | static inline int fscrypt_get_encryption_info(struct inode *inode) | |
341 | { | |
342 | return -EOPNOTSUPP; | |
343 | } | |
344 | ||
345 | static inline void fscrypt_put_encryption_info(struct inode *inode) | |
346 | { | |
347 | return; | |
348 | } | |
349 | ||
2c58d548 EB |
350 | static inline void fscrypt_free_inode(struct inode *inode) |
351 | { | |
352 | } | |
353 | ||
643fa961 CR |
354 | /* fname.c */ |
355 | static inline int fscrypt_setup_filename(struct inode *dir, | |
356 | const struct qstr *iname, | |
357 | int lookup, struct fscrypt_name *fname) | |
358 | { | |
359 | if (IS_ENCRYPTED(dir)) | |
360 | return -EOPNOTSUPP; | |
361 | ||
b01531db | 362 | memset(fname, 0, sizeof(*fname)); |
643fa961 CR |
363 | fname->usr_fname = iname; |
364 | fname->disk_name.name = (unsigned char *)iname->name; | |
365 | fname->disk_name.len = iname->len; | |
366 | return 0; | |
367 | } | |
368 | ||
369 | static inline void fscrypt_free_filename(struct fscrypt_name *fname) | |
370 | { | |
371 | return; | |
372 | } | |
373 | ||
374 | static inline int fscrypt_fname_alloc_buffer(const struct inode *inode, | |
375 | u32 max_encrypted_len, | |
376 | struct fscrypt_str *crypto_str) | |
377 | { | |
378 | return -EOPNOTSUPP; | |
379 | } | |
380 | ||
381 | static inline void fscrypt_fname_free_buffer(struct fscrypt_str *crypto_str) | |
382 | { | |
383 | return; | |
384 | } | |
385 | ||
386 | static inline int fscrypt_fname_disk_to_usr(struct inode *inode, | |
387 | u32 hash, u32 minor_hash, | |
388 | const struct fscrypt_str *iname, | |
389 | struct fscrypt_str *oname) | |
390 | { | |
391 | return -EOPNOTSUPP; | |
392 | } | |
393 | ||
394 | static inline bool fscrypt_match_name(const struct fscrypt_name *fname, | |
395 | const u8 *de_name, u32 de_name_len) | |
396 | { | |
397 | /* Encryption support disabled; use standard comparison */ | |
398 | if (de_name_len != fname->disk_name.len) | |
399 | return false; | |
400 | return !memcmp(de_name, fname->disk_name.name, fname->disk_name.len); | |
401 | } | |
402 | ||
403 | /* bio.c */ | |
404 | static inline void fscrypt_decrypt_bio(struct bio *bio) | |
405 | { | |
406 | } | |
407 | ||
408 | static inline void fscrypt_enqueue_decrypt_bio(struct fscrypt_ctx *ctx, | |
409 | struct bio *bio) | |
410 | { | |
411 | } | |
412 | ||
413 | static inline void fscrypt_pullback_bio_page(struct page **page, bool restore) | |
414 | { | |
415 | return; | |
416 | } | |
417 | ||
418 | static inline int fscrypt_zeroout_range(const struct inode *inode, pgoff_t lblk, | |
419 | sector_t pblk, unsigned int len) | |
420 | { | |
421 | return -EOPNOTSUPP; | |
422 | } | |
423 | ||
424 | /* hooks.c */ | |
425 | ||
426 | static inline int fscrypt_file_open(struct inode *inode, struct file *filp) | |
427 | { | |
428 | if (IS_ENCRYPTED(inode)) | |
429 | return -EOPNOTSUPP; | |
430 | return 0; | |
431 | } | |
432 | ||
968dd6d0 EB |
433 | static inline int __fscrypt_prepare_link(struct inode *inode, struct inode *dir, |
434 | struct dentry *dentry) | |
643fa961 CR |
435 | { |
436 | return -EOPNOTSUPP; | |
437 | } | |
438 | ||
439 | static inline int __fscrypt_prepare_rename(struct inode *old_dir, | |
440 | struct dentry *old_dentry, | |
441 | struct inode *new_dir, | |
442 | struct dentry *new_dentry, | |
443 | unsigned int flags) | |
444 | { | |
445 | return -EOPNOTSUPP; | |
446 | } | |
447 | ||
448 | static inline int __fscrypt_prepare_lookup(struct inode *dir, | |
b01531db EB |
449 | struct dentry *dentry, |
450 | struct fscrypt_name *fname) | |
643fa961 CR |
451 | { |
452 | return -EOPNOTSUPP; | |
453 | } | |
454 | ||
455 | static inline int __fscrypt_prepare_symlink(struct inode *dir, | |
456 | unsigned int len, | |
457 | unsigned int max_len, | |
458 | struct fscrypt_str *disk_link) | |
459 | { | |
460 | return -EOPNOTSUPP; | |
461 | } | |
462 | ||
463 | ||
464 | static inline int __fscrypt_encrypt_symlink(struct inode *inode, | |
465 | const char *target, | |
466 | unsigned int len, | |
467 | struct fscrypt_str *disk_link) | |
468 | { | |
469 | return -EOPNOTSUPP; | |
470 | } | |
471 | ||
472 | static inline const char *fscrypt_get_symlink(struct inode *inode, | |
473 | const void *caddr, | |
474 | unsigned int max_size, | |
475 | struct delayed_call *done) | |
476 | { | |
477 | return ERR_PTR(-EOPNOTSUPP); | |
478 | } | |
eea2c05d SH |
479 | |
480 | static inline void fscrypt_set_ops(struct super_block *sb, | |
481 | const struct fscrypt_operations *s_cop) | |
482 | { | |
483 | } | |
484 | ||
643fa961 | 485 | #endif /* !CONFIG_FS_ENCRYPTION */ |
734f0d24 | 486 | |
d293c3e4 EB |
487 | /** |
488 | * fscrypt_require_key - require an inode's encryption key | |
489 | * @inode: the inode we need the key for | |
490 | * | |
491 | * If the inode is encrypted, set up its encryption key if not already done. | |
492 | * Then require that the key be present and return -ENOKEY otherwise. | |
493 | * | |
494 | * No locks are needed, and the key will live as long as the struct inode --- so | |
495 | * it won't go away from under you. | |
496 | * | |
497 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code | |
498 | * if a problem occurred while setting up the encryption key. | |
499 | */ | |
500 | static inline int fscrypt_require_key(struct inode *inode) | |
501 | { | |
502 | if (IS_ENCRYPTED(inode)) { | |
503 | int err = fscrypt_get_encryption_info(inode); | |
504 | ||
505 | if (err) | |
506 | return err; | |
507 | if (!fscrypt_has_encryption_key(inode)) | |
508 | return -ENOKEY; | |
509 | } | |
510 | return 0; | |
511 | } | |
734f0d24 | 512 | |
0ea87a96 EB |
513 | /** |
514 | * fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory | |
515 | * @old_dentry: an existing dentry for the inode being linked | |
516 | * @dir: the target directory | |
517 | * @dentry: negative dentry for the target filename | |
518 | * | |
519 | * A new link can only be added to an encrypted directory if the directory's | |
520 | * encryption key is available --- since otherwise we'd have no way to encrypt | |
521 | * the filename. Therefore, we first set up the directory's encryption key (if | |
522 | * not already done) and return an error if it's unavailable. | |
523 | * | |
524 | * We also verify that the link will not violate the constraint that all files | |
525 | * in an encrypted directory tree use the same encryption policy. | |
526 | * | |
527 | * Return: 0 on success, -ENOKEY if the directory's encryption key is missing, | |
f5e55e77 | 528 | * -EXDEV if the link would result in an inconsistent encryption policy, or |
0ea87a96 EB |
529 | * another -errno code. |
530 | */ | |
531 | static inline int fscrypt_prepare_link(struct dentry *old_dentry, | |
532 | struct inode *dir, | |
533 | struct dentry *dentry) | |
534 | { | |
535 | if (IS_ENCRYPTED(dir)) | |
968dd6d0 | 536 | return __fscrypt_prepare_link(d_inode(old_dentry), dir, dentry); |
0ea87a96 EB |
537 | return 0; |
538 | } | |
539 | ||
94b26f36 EB |
540 | /** |
541 | * fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories | |
542 | * @old_dir: source directory | |
543 | * @old_dentry: dentry for source file | |
544 | * @new_dir: target directory | |
545 | * @new_dentry: dentry for target location (may be negative unless exchanging) | |
546 | * @flags: rename flags (we care at least about %RENAME_EXCHANGE) | |
547 | * | |
548 | * Prepare for ->rename() where the source and/or target directories may be | |
549 | * encrypted. A new link can only be added to an encrypted directory if the | |
550 | * directory's encryption key is available --- since otherwise we'd have no way | |
551 | * to encrypt the filename. A rename to an existing name, on the other hand, | |
552 | * *is* cryptographically possible without the key. However, we take the more | |
553 | * conservative approach and just forbid all no-key renames. | |
554 | * | |
555 | * We also verify that the rename will not violate the constraint that all files | |
556 | * in an encrypted directory tree use the same encryption policy. | |
557 | * | |
f5e55e77 | 558 | * Return: 0 on success, -ENOKEY if an encryption key is missing, -EXDEV if the |
94b26f36 EB |
559 | * rename would cause inconsistent encryption policies, or another -errno code. |
560 | */ | |
561 | static inline int fscrypt_prepare_rename(struct inode *old_dir, | |
562 | struct dentry *old_dentry, | |
563 | struct inode *new_dir, | |
564 | struct dentry *new_dentry, | |
565 | unsigned int flags) | |
566 | { | |
567 | if (IS_ENCRYPTED(old_dir) || IS_ENCRYPTED(new_dir)) | |
568 | return __fscrypt_prepare_rename(old_dir, old_dentry, | |
569 | new_dir, new_dentry, flags); | |
570 | return 0; | |
571 | } | |
572 | ||
32c3cf02 EB |
573 | /** |
574 | * fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory | |
575 | * @dir: directory being searched | |
576 | * @dentry: filename being looked up | |
b01531db | 577 | * @fname: (output) the name to use to search the on-disk directory |
32c3cf02 | 578 | * |
b01531db EB |
579 | * Prepare for ->lookup() in a directory which may be encrypted by determining |
580 | * the name that will actually be used to search the directory on-disk. Lookups | |
581 | * can be done with or without the directory's encryption key; without the key, | |
32c3cf02 EB |
582 | * filenames are presented in encrypted form. Therefore, we'll try to set up |
583 | * the directory's encryption key, but even without it the lookup can continue. | |
584 | * | |
6cc24868 EB |
585 | * This also installs a custom ->d_revalidate() method which will invalidate the |
586 | * dentry if it was created without the key and the key is later added. | |
32c3cf02 | 587 | * |
b01531db EB |
588 | * Return: 0 on success; -ENOENT if key is unavailable but the filename isn't a |
589 | * correctly formed encoded ciphertext name, so a negative dentry should be | |
590 | * created; or another -errno code. | |
32c3cf02 EB |
591 | */ |
592 | static inline int fscrypt_prepare_lookup(struct inode *dir, | |
593 | struct dentry *dentry, | |
b01531db | 594 | struct fscrypt_name *fname) |
32c3cf02 EB |
595 | { |
596 | if (IS_ENCRYPTED(dir)) | |
b01531db EB |
597 | return __fscrypt_prepare_lookup(dir, dentry, fname); |
598 | ||
599 | memset(fname, 0, sizeof(*fname)); | |
600 | fname->usr_fname = &dentry->d_name; | |
601 | fname->disk_name.name = (unsigned char *)dentry->d_name.name; | |
602 | fname->disk_name.len = dentry->d_name.len; | |
32c3cf02 EB |
603 | return 0; |
604 | } | |
605 | ||
815dac33 EB |
606 | /** |
607 | * fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes | |
608 | * @dentry: dentry through which the inode is being changed | |
609 | * @attr: attributes to change | |
610 | * | |
611 | * Prepare for ->setattr() on a possibly-encrypted inode. On an encrypted file, | |
612 | * most attribute changes are allowed even without the encryption key. However, | |
613 | * without the encryption key we do have to forbid truncates. This is needed | |
614 | * because the size being truncated to may not be a multiple of the filesystem | |
615 | * block size, and in that case we'd have to decrypt the final block, zero the | |
616 | * portion past i_size, and re-encrypt it. (We *could* allow truncating to a | |
617 | * filesystem block boundary, but it's simpler to just forbid all truncates --- | |
618 | * and we already forbid all other contents modifications without the key.) | |
619 | * | |
620 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code | |
621 | * if a problem occurred while setting up the encryption key. | |
622 | */ | |
623 | static inline int fscrypt_prepare_setattr(struct dentry *dentry, | |
624 | struct iattr *attr) | |
625 | { | |
626 | if (attr->ia_valid & ATTR_SIZE) | |
627 | return fscrypt_require_key(d_inode(dentry)); | |
628 | return 0; | |
629 | } | |
630 | ||
76e81d6d EB |
631 | /** |
632 | * fscrypt_prepare_symlink - prepare to create a possibly-encrypted symlink | |
633 | * @dir: directory in which the symlink is being created | |
634 | * @target: plaintext symlink target | |
635 | * @len: length of @target excluding null terminator | |
636 | * @max_len: space the filesystem has available to store the symlink target | |
637 | * @disk_link: (out) the on-disk symlink target being prepared | |
638 | * | |
639 | * This function computes the size the symlink target will require on-disk, | |
640 | * stores it in @disk_link->len, and validates it against @max_len. An | |
641 | * encrypted symlink may be longer than the original. | |
642 | * | |
643 | * Additionally, @disk_link->name is set to @target if the symlink will be | |
644 | * unencrypted, but left NULL if the symlink will be encrypted. For encrypted | |
645 | * symlinks, the filesystem must call fscrypt_encrypt_symlink() to create the | |
646 | * on-disk target later. (The reason for the two-step process is that some | |
647 | * filesystems need to know the size of the symlink target before creating the | |
648 | * inode, e.g. to determine whether it will be a "fast" or "slow" symlink.) | |
649 | * | |
650 | * Return: 0 on success, -ENAMETOOLONG if the symlink target is too long, | |
651 | * -ENOKEY if the encryption key is missing, or another -errno code if a problem | |
652 | * occurred while setting up the encryption key. | |
653 | */ | |
654 | static inline int fscrypt_prepare_symlink(struct inode *dir, | |
655 | const char *target, | |
656 | unsigned int len, | |
657 | unsigned int max_len, | |
658 | struct fscrypt_str *disk_link) | |
659 | { | |
660 | if (IS_ENCRYPTED(dir) || fscrypt_dummy_context_enabled(dir)) | |
661 | return __fscrypt_prepare_symlink(dir, len, max_len, disk_link); | |
662 | ||
663 | disk_link->name = (unsigned char *)target; | |
664 | disk_link->len = len + 1; | |
665 | if (disk_link->len > max_len) | |
666 | return -ENAMETOOLONG; | |
667 | return 0; | |
668 | } | |
669 | ||
670 | /** | |
671 | * fscrypt_encrypt_symlink - encrypt the symlink target if needed | |
672 | * @inode: symlink inode | |
673 | * @target: plaintext symlink target | |
674 | * @len: length of @target excluding null terminator | |
675 | * @disk_link: (in/out) the on-disk symlink target being prepared | |
676 | * | |
677 | * If the symlink target needs to be encrypted, then this function encrypts it | |
678 | * into @disk_link->name. fscrypt_prepare_symlink() must have been called | |
679 | * previously to compute @disk_link->len. If the filesystem did not allocate a | |
680 | * buffer for @disk_link->name after calling fscrypt_prepare_link(), then one | |
681 | * will be kmalloc()'ed and the filesystem will be responsible for freeing it. | |
682 | * | |
683 | * Return: 0 on success, -errno on failure | |
684 | */ | |
685 | static inline int fscrypt_encrypt_symlink(struct inode *inode, | |
686 | const char *target, | |
687 | unsigned int len, | |
688 | struct fscrypt_str *disk_link) | |
689 | { | |
690 | if (IS_ENCRYPTED(inode)) | |
691 | return __fscrypt_encrypt_symlink(inode, target, len, disk_link); | |
692 | return 0; | |
693 | } | |
694 | ||
734f0d24 | 695 | #endif /* _LINUX_FSCRYPT_H */ |