Commit | Line | Data |
---|---|---|
46f47e48 | 1 | /* |
734f0d24 DC |
2 | * fscrypt.h: declarations for per-file encryption |
3 | * | |
4 | * Filesystems that implement per-file encryption include this header | |
5 | * file with the __FS_HAS_ENCRYPTION set according to whether that filesystem | |
6 | * is being built with encryption support or not. | |
46f47e48 EB |
7 | * |
8 | * Copyright (C) 2015, Google, Inc. | |
9 | * | |
10 | * Written by Michael Halcrow, 2015. | |
11 | * Modified by Jaegeuk Kim, 2015. | |
12 | */ | |
734f0d24 DC |
13 | #ifndef _LINUX_FSCRYPT_H |
14 | #define _LINUX_FSCRYPT_H | |
46f47e48 EB |
15 | |
16 | #include <linux/key.h> | |
17 | #include <linux/fs.h> | |
18 | #include <linux/mm.h> | |
19 | #include <linux/bio.h> | |
20 | #include <linux/dcache.h> | |
21 | #include <crypto/skcipher.h> | |
22 | #include <uapi/linux/fs.h> | |
23 | ||
24 | #define FS_CRYPTO_BLOCK_SIZE 16 | |
25 | ||
26 | struct fscrypt_info; | |
27 | ||
28 | struct fscrypt_ctx { | |
29 | union { | |
30 | struct { | |
31 | struct page *bounce_page; /* Ciphertext page */ | |
32 | struct page *control_page; /* Original page */ | |
33 | } w; | |
34 | struct { | |
35 | struct bio *bio; | |
36 | struct work_struct work; | |
37 | } r; | |
38 | struct list_head free_list; /* Free list */ | |
39 | }; | |
40 | u8 flags; /* Flags */ | |
41 | }; | |
42 | ||
43 | /** | |
44 | * For encrypted symlinks, the ciphertext length is stored at the beginning | |
45 | * of the string in little-endian format. | |
46 | */ | |
47 | struct fscrypt_symlink_data { | |
48 | __le16 len; | |
49 | char encrypted_path[1]; | |
50 | } __packed; | |
51 | ||
46f47e48 EB |
52 | struct fscrypt_str { |
53 | unsigned char *name; | |
54 | u32 len; | |
55 | }; | |
56 | ||
57 | struct fscrypt_name { | |
58 | const struct qstr *usr_fname; | |
59 | struct fscrypt_str disk_name; | |
60 | u32 hash; | |
61 | u32 minor_hash; | |
62 | struct fscrypt_str crypto_buf; | |
63 | }; | |
64 | ||
65 | #define FSTR_INIT(n, l) { .name = n, .len = l } | |
66 | #define FSTR_TO_QSTR(f) QSTR_INIT((f)->name, (f)->len) | |
67 | #define fname_name(p) ((p)->disk_name.name) | |
68 | #define fname_len(p) ((p)->disk_name.len) | |
69 | ||
70 | /* | |
71 | * fscrypt superblock flags | |
72 | */ | |
73 | #define FS_CFLG_OWN_PAGES (1U << 1) | |
74 | ||
75 | /* | |
76 | * crypto opertions for filesystems | |
77 | */ | |
78 | struct fscrypt_operations { | |
79 | unsigned int flags; | |
80 | const char *key_prefix; | |
81 | int (*get_context)(struct inode *, void *, size_t); | |
46f47e48 | 82 | int (*set_context)(struct inode *, const void *, size_t, void *); |
c250b7dd | 83 | bool (*dummy_context)(struct inode *); |
46f47e48 EB |
84 | bool (*empty_dir)(struct inode *); |
85 | unsigned (*max_namelen)(struct inode *); | |
86 | }; | |
87 | ||
af65207c TE |
88 | /* Maximum value for the third parameter of fscrypt_operations.set_context(). */ |
89 | #define FSCRYPT_SET_CONTEXT_MAX_SIZE 28 | |
90 | ||
46f47e48 EB |
91 | static inline bool fscrypt_dummy_context_enabled(struct inode *inode) |
92 | { | |
93 | if (inode->i_sb->s_cop->dummy_context && | |
94 | inode->i_sb->s_cop->dummy_context(inode)) | |
95 | return true; | |
96 | return false; | |
97 | } | |
98 | ||
b7e7cf7a DW |
99 | static inline bool fscrypt_valid_enc_modes(u32 contents_mode, |
100 | u32 filenames_mode) | |
46f47e48 | 101 | { |
b7e7cf7a DW |
102 | if (contents_mode == FS_ENCRYPTION_MODE_AES_128_CBC && |
103 | filenames_mode == FS_ENCRYPTION_MODE_AES_128_CTS) | |
104 | return true; | |
46f47e48 | 105 | |
b7e7cf7a DW |
106 | if (contents_mode == FS_ENCRYPTION_MODE_AES_256_XTS && |
107 | filenames_mode == FS_ENCRYPTION_MODE_AES_256_CTS) | |
108 | return true; | |
109 | ||
110 | return false; | |
46f47e48 EB |
111 | } |
112 | ||
113 | static inline bool fscrypt_is_dot_dotdot(const struct qstr *str) | |
114 | { | |
115 | if (str->len == 1 && str->name[0] == '.') | |
116 | return true; | |
117 | ||
118 | if (str->len == 2 && str->name[0] == '.' && str->name[1] == '.') | |
119 | return true; | |
120 | ||
121 | return false; | |
122 | } | |
123 | ||
734f0d24 DC |
124 | #if __FS_HAS_ENCRYPTION |
125 | ||
46f47e48 EB |
126 | static inline struct page *fscrypt_control_page(struct page *page) |
127 | { | |
46f47e48 | 128 | return ((struct fscrypt_ctx *)page_private(page))->w.control_page; |
734f0d24 DC |
129 | } |
130 | ||
131 | static inline bool fscrypt_has_encryption_key(const struct inode *inode) | |
132 | { | |
133 | return (inode->i_crypt_info != NULL); | |
134 | } | |
135 | ||
136 | #include <linux/fscrypt_supp.h> | |
137 | ||
138 | #else /* !__FS_HAS_ENCRYPTION */ | |
139 | ||
140 | static inline struct page *fscrypt_control_page(struct page *page) | |
141 | { | |
46f47e48 EB |
142 | WARN_ON_ONCE(1); |
143 | return ERR_PTR(-EINVAL); | |
46f47e48 EB |
144 | } |
145 | ||
734f0d24 | 146 | static inline bool fscrypt_has_encryption_key(const struct inode *inode) |
46f47e48 | 147 | { |
46f47e48 | 148 | return 0; |
46f47e48 EB |
149 | } |
150 | ||
734f0d24 DC |
151 | #include <linux/fscrypt_notsupp.h> |
152 | #endif /* __FS_HAS_ENCRYPTION */ | |
153 | ||
d293c3e4 EB |
154 | /** |
155 | * fscrypt_require_key - require an inode's encryption key | |
156 | * @inode: the inode we need the key for | |
157 | * | |
158 | * If the inode is encrypted, set up its encryption key if not already done. | |
159 | * Then require that the key be present and return -ENOKEY otherwise. | |
160 | * | |
161 | * No locks are needed, and the key will live as long as the struct inode --- so | |
162 | * it won't go away from under you. | |
163 | * | |
164 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code | |
165 | * if a problem occurred while setting up the encryption key. | |
166 | */ | |
167 | static inline int fscrypt_require_key(struct inode *inode) | |
168 | { | |
169 | if (IS_ENCRYPTED(inode)) { | |
170 | int err = fscrypt_get_encryption_info(inode); | |
171 | ||
172 | if (err) | |
173 | return err; | |
174 | if (!fscrypt_has_encryption_key(inode)) | |
175 | return -ENOKEY; | |
176 | } | |
177 | return 0; | |
178 | } | |
734f0d24 | 179 | |
0ea87a96 EB |
180 | /** |
181 | * fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory | |
182 | * @old_dentry: an existing dentry for the inode being linked | |
183 | * @dir: the target directory | |
184 | * @dentry: negative dentry for the target filename | |
185 | * | |
186 | * A new link can only be added to an encrypted directory if the directory's | |
187 | * encryption key is available --- since otherwise we'd have no way to encrypt | |
188 | * the filename. Therefore, we first set up the directory's encryption key (if | |
189 | * not already done) and return an error if it's unavailable. | |
190 | * | |
191 | * We also verify that the link will not violate the constraint that all files | |
192 | * in an encrypted directory tree use the same encryption policy. | |
193 | * | |
194 | * Return: 0 on success, -ENOKEY if the directory's encryption key is missing, | |
195 | * -EPERM if the link would result in an inconsistent encryption policy, or | |
196 | * another -errno code. | |
197 | */ | |
198 | static inline int fscrypt_prepare_link(struct dentry *old_dentry, | |
199 | struct inode *dir, | |
200 | struct dentry *dentry) | |
201 | { | |
202 | if (IS_ENCRYPTED(dir)) | |
203 | return __fscrypt_prepare_link(d_inode(old_dentry), dir); | |
204 | return 0; | |
205 | } | |
206 | ||
94b26f36 EB |
207 | /** |
208 | * fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories | |
209 | * @old_dir: source directory | |
210 | * @old_dentry: dentry for source file | |
211 | * @new_dir: target directory | |
212 | * @new_dentry: dentry for target location (may be negative unless exchanging) | |
213 | * @flags: rename flags (we care at least about %RENAME_EXCHANGE) | |
214 | * | |
215 | * Prepare for ->rename() where the source and/or target directories may be | |
216 | * encrypted. A new link can only be added to an encrypted directory if the | |
217 | * directory's encryption key is available --- since otherwise we'd have no way | |
218 | * to encrypt the filename. A rename to an existing name, on the other hand, | |
219 | * *is* cryptographically possible without the key. However, we take the more | |
220 | * conservative approach and just forbid all no-key renames. | |
221 | * | |
222 | * We also verify that the rename will not violate the constraint that all files | |
223 | * in an encrypted directory tree use the same encryption policy. | |
224 | * | |
225 | * Return: 0 on success, -ENOKEY if an encryption key is missing, -EPERM if the | |
226 | * rename would cause inconsistent encryption policies, or another -errno code. | |
227 | */ | |
228 | static inline int fscrypt_prepare_rename(struct inode *old_dir, | |
229 | struct dentry *old_dentry, | |
230 | struct inode *new_dir, | |
231 | struct dentry *new_dentry, | |
232 | unsigned int flags) | |
233 | { | |
234 | if (IS_ENCRYPTED(old_dir) || IS_ENCRYPTED(new_dir)) | |
235 | return __fscrypt_prepare_rename(old_dir, old_dentry, | |
236 | new_dir, new_dentry, flags); | |
237 | return 0; | |
238 | } | |
239 | ||
32c3cf02 EB |
240 | /** |
241 | * fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory | |
242 | * @dir: directory being searched | |
243 | * @dentry: filename being looked up | |
244 | * @flags: lookup flags | |
245 | * | |
246 | * Prepare for ->lookup() in a directory which may be encrypted. Lookups can be | |
247 | * done with or without the directory's encryption key; without the key, | |
248 | * filenames are presented in encrypted form. Therefore, we'll try to set up | |
249 | * the directory's encryption key, but even without it the lookup can continue. | |
250 | * | |
251 | * To allow invalidating stale dentries if the directory's encryption key is | |
252 | * added later, we also install a custom ->d_revalidate() method and use the | |
253 | * DCACHE_ENCRYPTED_WITH_KEY flag to indicate whether a given dentry is a | |
254 | * plaintext name (flag set) or a ciphertext name (flag cleared). | |
255 | * | |
256 | * Return: 0 on success, -errno if a problem occurred while setting up the | |
257 | * encryption key | |
258 | */ | |
259 | static inline int fscrypt_prepare_lookup(struct inode *dir, | |
260 | struct dentry *dentry, | |
261 | unsigned int flags) | |
262 | { | |
263 | if (IS_ENCRYPTED(dir)) | |
264 | return __fscrypt_prepare_lookup(dir, dentry); | |
265 | return 0; | |
266 | } | |
267 | ||
815dac33 EB |
268 | /** |
269 | * fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes | |
270 | * @dentry: dentry through which the inode is being changed | |
271 | * @attr: attributes to change | |
272 | * | |
273 | * Prepare for ->setattr() on a possibly-encrypted inode. On an encrypted file, | |
274 | * most attribute changes are allowed even without the encryption key. However, | |
275 | * without the encryption key we do have to forbid truncates. This is needed | |
276 | * because the size being truncated to may not be a multiple of the filesystem | |
277 | * block size, and in that case we'd have to decrypt the final block, zero the | |
278 | * portion past i_size, and re-encrypt it. (We *could* allow truncating to a | |
279 | * filesystem block boundary, but it's simpler to just forbid all truncates --- | |
280 | * and we already forbid all other contents modifications without the key.) | |
281 | * | |
282 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code | |
283 | * if a problem occurred while setting up the encryption key. | |
284 | */ | |
285 | static inline int fscrypt_prepare_setattr(struct dentry *dentry, | |
286 | struct iattr *attr) | |
287 | { | |
288 | if (attr->ia_valid & ATTR_SIZE) | |
289 | return fscrypt_require_key(d_inode(dentry)); | |
290 | return 0; | |
291 | } | |
292 | ||
734f0d24 | 293 | #endif /* _LINUX_FSCRYPT_H */ |