[linux-block.git] / include / linux / fscrypt.h

/* SPDX-License-Identifier: GPL-2.0 */
/*
 * fscrypt.h: declarations for per-file encryption
 *
 * Filesystems that implement per-file encryption include this header
 * file with the __FS_HAS_ENCRYPTION set according to whether that filesystem
 * is being built with encryption support or not.
 *
 * Copyright (C) 2015, Google, Inc.
 *
 * Written by Michael Halcrow, 2015.
 * Modified by Jaegeuk Kim, 2015.
 */
#ifndef _LINUX_FSCRYPT_H
#define _LINUX_FSCRYPT_H

#include <linux/fs.h>

#define FS_CRYPTO_BLOCK_SIZE		16

struct fscrypt_ctx;
struct fscrypt_info;

struct fscrypt_str {
	unsigned char *name;
	u32 len;
};

struct fscrypt_name {
	const struct qstr *usr_fname;
	struct fscrypt_str disk_name;
	u32 hash;
	u32 minor_hash;
	struct fscrypt_str crypto_buf;
};

#define FSTR_INIT(n, l)		{ .name = n, .len = l }
#define FSTR_TO_QSTR(f)		QSTR_INIT((f)->name, (f)->len)
#define fname_name(p)		((p)->disk_name.name)
#define fname_len(p)		((p)->disk_name.len)

/* Maximum value for the third parameter of fscrypt_operations.set_context(). */
#define FSCRYPT_SET_CONTEXT_MAX_SIZE	28

#if __FS_HAS_ENCRYPTION
#include <linux/fscrypt_supp.h>
#else
#include <linux/fscrypt_notsupp.h>
#endif

/**
 * fscrypt_require_key - require an inode's encryption key
 * @inode: the inode we need the key for
 *
 * If the inode is encrypted, set up its encryption key if not already done.
 * Then require that the key be present and return -ENOKEY otherwise.
 *
 * No locks are needed, and the key will live as long as the struct inode --- so
 * it won't go away from under you.
 *
 * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
 * if a problem occurred while setting up the encryption key.
 */
static inline int fscrypt_require_key(struct inode *inode)
{
	if (IS_ENCRYPTED(inode)) {
		int err = fscrypt_get_encryption_info(inode);

		if (err)
			return err;
		if (!fscrypt_has_encryption_key(inode))
			return -ENOKEY;
	}
	return 0;
}

/**
 * fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory
 * @old_dentry: an existing dentry for the inode being linked
 * @dir: the target directory
 * @dentry: negative dentry for the target filename
 *
 * A new link can only be added to an encrypted directory if the directory's
 * encryption key is available --- since otherwise we'd have no way to encrypt
 * the filename.  Therefore, we first set up the directory's encryption key (if
 * not already done) and return an error if it's unavailable.
 *
 * We also verify that the link will not violate the constraint that all files
 * in an encrypted directory tree use the same encryption policy.
 *
 * Return: 0 on success, -ENOKEY if the directory's encryption key is missing,
 * -EPERM if the link would result in an inconsistent encryption policy, or
 * another -errno code.
 */
static inline int fscrypt_prepare_link(struct dentry *old_dentry,
				       struct inode *dir,
				       struct dentry *dentry)
{
	if (IS_ENCRYPTED(dir))
		return __fscrypt_prepare_link(d_inode(old_dentry), dir);
	return 0;
}

/**
 * fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories
 * @old_dir: source directory
 * @old_dentry: dentry for source file
 * @new_dir: target directory
 * @new_dentry: dentry for target location (may be negative unless exchanging)
 * @flags: rename flags (we care at least about %RENAME_EXCHANGE)
 *
 * Prepare for ->rename() where the source and/or target directories may be
 * encrypted.  A new link can only be added to an encrypted directory if the
 * directory's encryption key is available --- since otherwise we'd have no way
 * to encrypt the filename.  A rename to an existing name, on the other hand,
 * *is* cryptographically possible without the key.  However, we take the more
 * conservative approach and just forbid all no-key renames.
 *
 * We also verify that the rename will not violate the constraint that all files
 * in an encrypted directory tree use the same encryption policy.
 *
 * Return: 0 on success, -ENOKEY if an encryption key is missing, -EPERM if the
 * rename would cause inconsistent encryption policies, or another -errno code.
 */
static inline int fscrypt_prepare_rename(struct inode *old_dir,
					 struct dentry *old_dentry,
					 struct inode *new_dir,
					 struct dentry *new_dentry,
					 unsigned int flags)
{
	if (IS_ENCRYPTED(old_dir) || IS_ENCRYPTED(new_dir))
		return __fscrypt_prepare_rename(old_dir, old_dentry,
						new_dir, new_dentry, flags);
	return 0;
}

/**
 * fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory
 * @dir: directory being searched
 * @dentry: filename being looked up
 * @flags: lookup flags
 *
 * Prepare for ->lookup() in a directory which may be encrypted.  Lookups can be
 * done with or without the directory's encryption key; without the key,
 * filenames are presented in encrypted form.  Therefore, we'll try to set up
 * the directory's encryption key, but even without it the lookup can continue.
 *
 * To allow invalidating stale dentries if the directory's encryption key is
 * added later, we also install a custom ->d_revalidate() method and use the
 * DCACHE_ENCRYPTED_WITH_KEY flag to indicate whether a given dentry is a
 * plaintext name (flag set) or a ciphertext name (flag cleared).
 *
 * Return: 0 on success, -errno if a problem occurred while setting up the
 * encryption key
 */
static inline int fscrypt_prepare_lookup(struct inode *dir,
					 struct dentry *dentry,
					 unsigned int flags)
{
	if (IS_ENCRYPTED(dir))
		return __fscrypt_prepare_lookup(dir, dentry);
	return 0;
}

/**
 * fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes
 * @dentry: dentry through which the inode is being changed
 * @attr: attributes to change
 *
 * Prepare for ->setattr() on a possibly-encrypted inode.  On an encrypted file,
 * most attribute changes are allowed even without the encryption key.  However,
 * without the encryption key we do have to forbid truncates.  This is needed
 * because the size being truncated to may not be a multiple of the filesystem
 * block size, and in that case we'd have to decrypt the final block, zero the
 * portion past i_size, and re-encrypt it.  (We *could* allow truncating to a
 * filesystem block boundary, but it's simpler to just forbid all truncates ---
 * and we already forbid all other contents modifications without the key.)
 *
 * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
 * if a problem occurred while setting up the encryption key.
 */
static inline int fscrypt_prepare_setattr(struct dentry *dentry,
					  struct iattr *attr)
{
	if (attr->ia_valid & ATTR_SIZE)
		return fscrypt_require_key(d_inode(dentry));
	return 0;
}

/**
 * fscrypt_prepare_symlink - prepare to create a possibly-encrypted symlink
 * @dir: directory in which the symlink is being created
 * @target: plaintext symlink target
 * @len: length of @target excluding null terminator
 * @max_len: space the filesystem has available to store the symlink target
 * @disk_link: (out) the on-disk symlink target being prepared
 *
 * This function computes the size the symlink target will require on-disk,
 * stores it in @disk_link->len, and validates it against @max_len.  An
 * encrypted symlink may be longer than the original.
 *
 * Additionally, @disk_link->name is set to @target if the symlink will be
 * unencrypted, but left NULL if the symlink will be encrypted.  For encrypted
 * symlinks, the filesystem must call fscrypt_encrypt_symlink() to create the
 * on-disk target later.  (The reason for the two-step process is that some
 * filesystems need to know the size of the symlink target before creating the
 * inode, e.g. to determine whether it will be a "fast" or "slow" symlink.)
 *
 * Return: 0 on success, -ENAMETOOLONG if the symlink target is too long,
 * -ENOKEY if the encryption key is missing, or another -errno code if a problem
 * occurred while setting up the encryption key.
 */
static inline int fscrypt_prepare_symlink(struct inode *dir,
					  const char *target,
					  unsigned int len,
					  unsigned int max_len,
					  struct fscrypt_str *disk_link)
{
	if (IS_ENCRYPTED(dir) || fscrypt_dummy_context_enabled(dir))
		return __fscrypt_prepare_symlink(dir, len, max_len, disk_link);

	disk_link->name = (unsigned char *)target;
	disk_link->len = len + 1;
	if (disk_link->len > max_len)
		return -ENAMETOOLONG;
	return 0;
}

/**
 * fscrypt_encrypt_symlink - encrypt the symlink target if needed
 * @inode: symlink inode
 * @target: plaintext symlink target
 * @len: length of @target excluding null terminator
 * @disk_link: (in/out) the on-disk symlink target being prepared
 *
 * If the symlink target needs to be encrypted, then this function encrypts it
 * into @disk_link->name.  fscrypt_prepare_symlink() must have been called
 * previously to compute @disk_link->len.  If the filesystem did not allocate a
 * buffer for @disk_link->name after calling fscrypt_prepare_link(), then one
 * will be kmalloc()'ed and the filesystem will be responsible for freeing it.
 *
 * Return: 0 on success, -errno on failure
 */
static inline int fscrypt_encrypt_symlink(struct inode *inode,
					  const char *target,
					  unsigned int len,
					  struct fscrypt_str *disk_link)
{
	if (IS_ENCRYPTED(inode))
		return __fscrypt_encrypt_symlink(inode, target, len, disk_link);
	return 0;
}

#endif	/* _LINUX_FSCRYPT_H */
Commit	Line	Data
32190f0a	1	/* SPDX-License-Identifier: GPL-2.0 */
46f47e48	2	/*
734f0d24 DC	3	* fscrypt.h: declarations for per-file encryption
	4	*
	5	* Filesystems that implement per-file encryption include this header
	6	* file with the __FS_HAS_ENCRYPTION set according to whether that filesystem
	7	* is being built with encryption support or not.
46f47e48 EB	8	*
	9	* Copyright (C) 2015, Google, Inc.
	10	*
	11	* Written by Michael Halcrow, 2015.
	12	* Modified by Jaegeuk Kim, 2015.
	13	*/
734f0d24 DC	14	#ifndef _LINUX_FSCRYPT_H
734f0d24 DC	15	#define _LINUX_FSCRYPT_H
46f47e48	16
46f47e48	17	#include <linux/fs.h>
46f47e48 EB	18
	19	#define FS_CRYPTO_BLOCK_SIZE 16
	20
542060c0	21	struct fscrypt_ctx;
46f47e48 EB	22	struct fscrypt_info;
46f47e48 EB	23
46f47e48 EB	24	struct fscrypt_str {
	25	unsigned char *name;
	26	u32 len;
	27	};
	28
	29	struct fscrypt_name {
	30	const struct qstr *usr_fname;
	31	struct fscrypt_str disk_name;
	32	u32 hash;
	33	u32 minor_hash;
	34	struct fscrypt_str crypto_buf;
	35	};
	36
	37	#define FSTR_INIT(n, l) { .name = n, .len = l }
	38	#define FSTR_TO_QSTR(f) QSTR_INIT((f)->name, (f)->len)
	39	#define fname_name(p) ((p)->disk_name.name)
	40	#define fname_len(p) ((p)->disk_name.len)
	41
af65207c TE	42	/* Maximum value for the third parameter of fscrypt_operations.set_context(). */
	43	#define FSCRYPT_SET_CONTEXT_MAX_SIZE 28
	44
734f0d24	45	#if __FS_HAS_ENCRYPTION
734f0d24	46	#include <linux/fscrypt_supp.h>
4fd4b15c	47	#else
734f0d24	48	#include <linux/fscrypt_notsupp.h>
4fd4b15c	49	#endif
734f0d24	50
d293c3e4 EB	51	/**
	52	* fscrypt_require_key - require an inode's encryption key
	53	* @inode: the inode we need the key for
	54	*
	55	* If the inode is encrypted, set up its encryption key if not already done.
	56	* Then require that the key be present and return -ENOKEY otherwise.
	57	*
	58	* No locks are needed, and the key will live as long as the struct inode --- so
	59	* it won't go away from under you.
	60	*
	61	* Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
	62	* if a problem occurred while setting up the encryption key.
	63	*/
	64	static inline int fscrypt_require_key(struct inode *inode)
	65	{
	66	if (IS_ENCRYPTED(inode)) {
	67	int err = fscrypt_get_encryption_info(inode);
	68
	69	if (err)
	70	return err;
	71	if (!fscrypt_has_encryption_key(inode))
	72	return -ENOKEY;
	73	}
	74	return 0;
	75	}
734f0d24	76
0ea87a96 EB	77	/**
	78	* fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory
	79	* @old_dentry: an existing dentry for the inode being linked
	80	* @dir: the target directory
	81	* @dentry: negative dentry for the target filename
	82	*
	83	* A new link can only be added to an encrypted directory if the directory's
	84	* encryption key is available --- since otherwise we'd have no way to encrypt
	85	* the filename. Therefore, we first set up the directory's encryption key (if
	86	* not already done) and return an error if it's unavailable.
	87	*
	88	* We also verify that the link will not violate the constraint that all files
	89	* in an encrypted directory tree use the same encryption policy.
	90	*
	91	* Return: 0 on success, -ENOKEY if the directory's encryption key is missing,
	92	* -EPERM if the link would result in an inconsistent encryption policy, or
	93	* another -errno code.
	94	*/
	95	static inline int fscrypt_prepare_link(struct dentry *old_dentry,
	96	struct inode *dir,
	97	struct dentry *dentry)
	98	{
	99	if (IS_ENCRYPTED(dir))
	100	return __fscrypt_prepare_link(d_inode(old_dentry), dir);
	101	return 0;
	102	}
	103
94b26f36 EB	104	/**
	105	* fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories
	106	* @old_dir: source directory
	107	* @old_dentry: dentry for source file
	108	* @new_dir: target directory
	109	* @new_dentry: dentry for target location (may be negative unless exchanging)
	110	* @flags: rename flags (we care at least about %RENAME_EXCHANGE)
	111	*
	112	* Prepare for ->rename() where the source and/or target directories may be
	113	* encrypted. A new link can only be added to an encrypted directory if the
	114	* directory's encryption key is available --- since otherwise we'd have no way
	115	* to encrypt the filename. A rename to an existing name, on the other hand,
	116	* is cryptographically possible without the key. However, we take the more
	117	* conservative approach and just forbid all no-key renames.
	118	*
	119	* We also verify that the rename will not violate the constraint that all files
	120	* in an encrypted directory tree use the same encryption policy.
	121	*
	122	* Return: 0 on success, -ENOKEY if an encryption key is missing, -EPERM if the
	123	* rename would cause inconsistent encryption policies, or another -errno code.
	124	*/
	125	static inline int fscrypt_prepare_rename(struct inode *old_dir,
	126	struct dentry *old_dentry,
	127	struct inode *new_dir,
	128	struct dentry *new_dentry,
	129	unsigned int flags)
	130	{
	131	if (IS_ENCRYPTED(old_dir) \|\| IS_ENCRYPTED(new_dir))
	132	return __fscrypt_prepare_rename(old_dir, old_dentry,
	133	new_dir, new_dentry, flags);
	134	return 0;
	135	}
	136
32c3cf02 EB	137	/**
	138	* fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory
	139	* @dir: directory being searched
	140	* @dentry: filename being looked up
	141	* @flags: lookup flags
	142	*
	143	* Prepare for ->lookup() in a directory which may be encrypted. Lookups can be
	144	* done with or without the directory's encryption key; without the key,
	145	* filenames are presented in encrypted form. Therefore, we'll try to set up
	146	* the directory's encryption key, but even without it the lookup can continue.
	147	*
	148	* To allow invalidating stale dentries if the directory's encryption key is
	149	* added later, we also install a custom ->d_revalidate() method and use the
	150	* DCACHE_ENCRYPTED_WITH_KEY flag to indicate whether a given dentry is a
	151	* plaintext name (flag set) or a ciphertext name (flag cleared).
	152	*
	153	* Return: 0 on success, -errno if a problem occurred while setting up the
	154	* encryption key
	155	*/
	156	static inline int fscrypt_prepare_lookup(struct inode *dir,
	157	struct dentry *dentry,
	158	unsigned int flags)
	159	{
	160	if (IS_ENCRYPTED(dir))
	161	return __fscrypt_prepare_lookup(dir, dentry);
	162	return 0;
	163	}
	164
815dac33 EB	165	/**
	166	* fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes
	167	* @dentry: dentry through which the inode is being changed
	168	* @attr: attributes to change
	169	*
	170	* Prepare for ->setattr() on a possibly-encrypted inode. On an encrypted file,
	171	* most attribute changes are allowed even without the encryption key. However,
	172	* without the encryption key we do have to forbid truncates. This is needed
	173	* because the size being truncated to may not be a multiple of the filesystem
	174	* block size, and in that case we'd have to decrypt the final block, zero the
	175	* portion past i_size, and re-encrypt it. (We could allow truncating to a
	176	* filesystem block boundary, but it's simpler to just forbid all truncates ---
	177	* and we already forbid all other contents modifications without the key.)
	178	*
	179	* Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
	180	* if a problem occurred while setting up the encryption key.
	181	*/
	182	static inline int fscrypt_prepare_setattr(struct dentry *dentry,
	183	struct iattr *attr)
	184	{
	185	if (attr->ia_valid & ATTR_SIZE)
	186	return fscrypt_require_key(d_inode(dentry));
	187	return 0;
	188	}
	189
76e81d6d EB	190	/**
	191	* fscrypt_prepare_symlink - prepare to create a possibly-encrypted symlink
	192	* @dir: directory in which the symlink is being created
	193	* @target: plaintext symlink target
	194	* @len: length of @target excluding null terminator
	195	* @max_len: space the filesystem has available to store the symlink target
	196	* @disk_link: (out) the on-disk symlink target being prepared
	197	*
	198	* This function computes the size the symlink target will require on-disk,
	199	* stores it in @disk_link->len, and validates it against @max_len. An
	200	* encrypted symlink may be longer than the original.
	201	*
	202	* Additionally, @disk_link->name is set to @target if the symlink will be
	203	* unencrypted, but left NULL if the symlink will be encrypted. For encrypted
	204	* symlinks, the filesystem must call fscrypt_encrypt_symlink() to create the
	205	* on-disk target later. (The reason for the two-step process is that some
	206	* filesystems need to know the size of the symlink target before creating the
	207	* inode, e.g. to determine whether it will be a "fast" or "slow" symlink.)
	208	*
	209	* Return: 0 on success, -ENAMETOOLONG if the symlink target is too long,
	210	* -ENOKEY if the encryption key is missing, or another -errno code if a problem
	211	* occurred while setting up the encryption key.
	212	*/
	213	static inline int fscrypt_prepare_symlink(struct inode *dir,
	214	const char *target,
	215	unsigned int len,
	216	unsigned int max_len,
	217	struct fscrypt_str *disk_link)
	218	{
	219	if (IS_ENCRYPTED(dir) \|\| fscrypt_dummy_context_enabled(dir))
	220	return __fscrypt_prepare_symlink(dir, len, max_len, disk_link);
	221
	222	disk_link->name = (unsigned char *)target;
	223	disk_link->len = len + 1;
	224	if (disk_link->len > max_len)
	225	return -ENAMETOOLONG;
	226	return 0;
	227	}
	228
	229	/**
	230	* fscrypt_encrypt_symlink - encrypt the symlink target if needed
	231	* @inode: symlink inode
	232	* @target: plaintext symlink target
	233	* @len: length of @target excluding null terminator
	234	* @disk_link: (in/out) the on-disk symlink target being prepared
	235	*
	236	* If the symlink target needs to be encrypted, then this function encrypts it
	237	* into @disk_link->name. fscrypt_prepare_symlink() must have been called
	238	* previously to compute @disk_link->len. If the filesystem did not allocate a
	239	* buffer for @disk_link->name after calling fscrypt_prepare_link(), then one
	240	* will be kmalloc()'ed and the filesystem will be responsible for freeing it.
	241	*
	242	* Return: 0 on success, -errno on failure
	243	*/
	244	static inline int fscrypt_encrypt_symlink(struct inode *inode,
	245	const char *target,
	246	unsigned int len,
	247	struct fscrypt_str *disk_link)
	248	{
	249	if (IS_ENCRYPTED(inode))
	250	return __fscrypt_encrypt_symlink(inode, target, len, disk_link);
	251	return 0;
	252	}
	253
734f0d24	254	#endif /* _LINUX_FSCRYPT_H */