Thomas Gleixner | 457c899 | 2019-05-19 13:08:55 +0100 | [diff] [blame] | 1 | // SPDX-License-Identifier: GPL-2.0-only |
Eric Biggers | efcc7ae | 2017-10-09 12:15:40 -0700 | [diff] [blame] | 2 | /* |
| 3 | * fs/crypto/hooks.c |
| 4 | * |
| 5 | * Encryption hooks for higher-level filesystem operations. |
| 6 | */ |
| 7 | |
Daniel Rosenberg | aa408f8 | 2020-01-20 14:31:57 -0800 | [diff] [blame] | 8 | #include <linux/key.h> |
| 9 | |
Eric Biggers | efcc7ae | 2017-10-09 12:15:40 -0700 | [diff] [blame] | 10 | #include "fscrypt_private.h" |
| 11 | |
| 12 | /** |
Eric Biggers | d2fe975 | 2020-05-11 12:13:56 -0700 | [diff] [blame] | 13 | * fscrypt_file_open() - prepare to open a possibly-encrypted regular file |
Eric Biggers | efcc7ae | 2017-10-09 12:15:40 -0700 | [diff] [blame] | 14 | * @inode: the inode being opened |
| 15 | * @filp: the struct file being set up |
| 16 | * |
| 17 | * Currently, an encrypted regular file can only be opened if its encryption key |
| 18 | * is available; access to the raw encrypted contents is not supported. |
| 19 | * Therefore, we first set up the inode's encryption key (if not already done) |
| 20 | * and return an error if it's unavailable. |
| 21 | * |
| 22 | * We also verify that if the parent directory (from the path via which the file |
| 23 | * is being opened) is encrypted, then the inode being opened uses the same |
| 24 | * encryption policy. This is needed as part of the enforcement that all files |
| 25 | * in an encrypted directory tree use the same encryption policy, as a |
| 26 | * protection against certain types of offline attacks. Note that this check is |
| 27 | * needed even when opening an *unencrypted* file, since it's forbidden to have |
| 28 | * an unencrypted file in an encrypted directory. |
| 29 | * |
| 30 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code |
| 31 | */ |
| 32 | int fscrypt_file_open(struct inode *inode, struct file *filp) |
| 33 | { |
| 34 | int err; |
| 35 | struct dentry *dir; |
| 36 | |
| 37 | err = fscrypt_require_key(inode); |
| 38 | if (err) |
| 39 | return err; |
| 40 | |
| 41 | dir = dget_parent(file_dentry(filp)); |
| 42 | if (IS_ENCRYPTED(d_inode(dir)) && |
| 43 | !fscrypt_has_permitted_context(d_inode(dir), inode)) { |
Eric Biggers | 886da8b | 2019-07-24 11:07:58 -0700 | [diff] [blame] | 44 | fscrypt_warn(inode, |
| 45 | "Inconsistent encryption context (parent directory: %lu)", |
| 46 | d_inode(dir)->i_ino); |
Eric Biggers | efcc7ae | 2017-10-09 12:15:40 -0700 | [diff] [blame] | 47 | err = -EPERM; |
| 48 | } |
| 49 | dput(dir); |
| 50 | return err; |
| 51 | } |
| 52 | EXPORT_SYMBOL_GPL(fscrypt_file_open); |
Eric Biggers | 0ea87a9 | 2017-10-09 12:15:41 -0700 | [diff] [blame] | 53 | |
Eric Biggers | 968dd6d | 2019-03-20 11:39:10 -0700 | [diff] [blame] | 54 | int __fscrypt_prepare_link(struct inode *inode, struct inode *dir, |
| 55 | struct dentry *dentry) |
Eric Biggers | 0ea87a9 | 2017-10-09 12:15:41 -0700 | [diff] [blame] | 56 | { |
| 57 | int err; |
| 58 | |
| 59 | err = fscrypt_require_key(dir); |
| 60 | if (err) |
| 61 | return err; |
| 62 | |
Eric Biggers | 70fb261 | 2020-09-23 21:26:23 -0700 | [diff] [blame] | 63 | /* ... in case we looked up no-key name before key was added */ |
Eric Biggers | 501e43f | 2020-09-23 21:26:24 -0700 | [diff] [blame^] | 64 | if (dentry->d_flags & DCACHE_NOKEY_NAME) |
Eric Biggers | 968dd6d | 2019-03-20 11:39:10 -0700 | [diff] [blame] | 65 | return -ENOKEY; |
| 66 | |
Eric Biggers | 0ea87a9 | 2017-10-09 12:15:41 -0700 | [diff] [blame] | 67 | if (!fscrypt_has_permitted_context(dir, inode)) |
Eric Biggers | f5e55e7 | 2019-01-22 16:20:21 -0800 | [diff] [blame] | 68 | return -EXDEV; |
Eric Biggers | 0ea87a9 | 2017-10-09 12:15:41 -0700 | [diff] [blame] | 69 | |
| 70 | return 0; |
| 71 | } |
| 72 | EXPORT_SYMBOL_GPL(__fscrypt_prepare_link); |
Eric Biggers | 94b26f3 | 2017-10-09 12:15:42 -0700 | [diff] [blame] | 73 | |
| 74 | int __fscrypt_prepare_rename(struct inode *old_dir, struct dentry *old_dentry, |
| 75 | struct inode *new_dir, struct dentry *new_dentry, |
| 76 | unsigned int flags) |
| 77 | { |
| 78 | int err; |
| 79 | |
| 80 | err = fscrypt_require_key(old_dir); |
| 81 | if (err) |
| 82 | return err; |
| 83 | |
| 84 | err = fscrypt_require_key(new_dir); |
| 85 | if (err) |
| 86 | return err; |
| 87 | |
Eric Biggers | 70fb261 | 2020-09-23 21:26:23 -0700 | [diff] [blame] | 88 | /* ... in case we looked up no-key name(s) before key was added */ |
Eric Biggers | 501e43f | 2020-09-23 21:26:24 -0700 | [diff] [blame^] | 89 | if ((old_dentry->d_flags | new_dentry->d_flags) & DCACHE_NOKEY_NAME) |
Eric Biggers | 968dd6d | 2019-03-20 11:39:10 -0700 | [diff] [blame] | 90 | return -ENOKEY; |
| 91 | |
Eric Biggers | 94b26f3 | 2017-10-09 12:15:42 -0700 | [diff] [blame] | 92 | if (old_dir != new_dir) { |
| 93 | if (IS_ENCRYPTED(new_dir) && |
| 94 | !fscrypt_has_permitted_context(new_dir, |
| 95 | d_inode(old_dentry))) |
Eric Biggers | f5e55e7 | 2019-01-22 16:20:21 -0800 | [diff] [blame] | 96 | return -EXDEV; |
Eric Biggers | 94b26f3 | 2017-10-09 12:15:42 -0700 | [diff] [blame] | 97 | |
| 98 | if ((flags & RENAME_EXCHANGE) && |
| 99 | IS_ENCRYPTED(old_dir) && |
| 100 | !fscrypt_has_permitted_context(old_dir, |
| 101 | d_inode(new_dentry))) |
Eric Biggers | f5e55e7 | 2019-01-22 16:20:21 -0800 | [diff] [blame] | 102 | return -EXDEV; |
Eric Biggers | 94b26f3 | 2017-10-09 12:15:42 -0700 | [diff] [blame] | 103 | } |
| 104 | return 0; |
| 105 | } |
| 106 | EXPORT_SYMBOL_GPL(__fscrypt_prepare_rename); |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 107 | |
Eric Biggers | b01531d | 2019-03-20 11:39:13 -0700 | [diff] [blame] | 108 | int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry, |
| 109 | struct fscrypt_name *fname) |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 110 | { |
Eric Biggers | b01531d | 2019-03-20 11:39:13 -0700 | [diff] [blame] | 111 | int err = fscrypt_setup_filename(dir, &dentry->d_name, 1, fname); |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 112 | |
Eric Biggers | b01531d | 2019-03-20 11:39:13 -0700 | [diff] [blame] | 113 | if (err && err != -ENOENT) |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 114 | return err; |
| 115 | |
Eric Biggers | 70fb261 | 2020-09-23 21:26:23 -0700 | [diff] [blame] | 116 | if (fname->is_nokey_name) { |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 117 | spin_lock(&dentry->d_lock); |
Eric Biggers | 501e43f | 2020-09-23 21:26:24 -0700 | [diff] [blame^] | 118 | dentry->d_flags |= DCACHE_NOKEY_NAME; |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 119 | spin_unlock(&dentry->d_lock); |
Eric Biggers | d456a33 | 2019-03-20 11:39:12 -0700 | [diff] [blame] | 120 | d_set_d_op(dentry, &fscrypt_d_ops); |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 121 | } |
Eric Biggers | b01531d | 2019-03-20 11:39:13 -0700 | [diff] [blame] | 122 | return err; |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 123 | } |
| 124 | EXPORT_SYMBOL_GPL(__fscrypt_prepare_lookup); |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 125 | |
Daniel Rosenberg | 6e1918c | 2020-01-20 14:31:56 -0800 | [diff] [blame] | 126 | /** |
| 127 | * fscrypt_prepare_setflags() - prepare to change flags with FS_IOC_SETFLAGS |
| 128 | * @inode: the inode on which flags are being changed |
| 129 | * @oldflags: the old flags |
| 130 | * @flags: the new flags |
| 131 | * |
| 132 | * The caller should be holding i_rwsem for write. |
| 133 | * |
| 134 | * Return: 0 on success; -errno if the flags change isn't allowed or if |
| 135 | * another error occurs. |
| 136 | */ |
| 137 | int fscrypt_prepare_setflags(struct inode *inode, |
| 138 | unsigned int oldflags, unsigned int flags) |
| 139 | { |
| 140 | struct fscrypt_info *ci; |
Daniel Rosenberg | aa408f8 | 2020-01-20 14:31:57 -0800 | [diff] [blame] | 141 | struct fscrypt_master_key *mk; |
Daniel Rosenberg | 6e1918c | 2020-01-20 14:31:56 -0800 | [diff] [blame] | 142 | int err; |
| 143 | |
Daniel Rosenberg | aa408f8 | 2020-01-20 14:31:57 -0800 | [diff] [blame] | 144 | /* |
| 145 | * When the CASEFOLD flag is set on an encrypted directory, we must |
| 146 | * derive the secret key needed for the dirhash. This is only possible |
| 147 | * if the directory uses a v2 encryption policy. |
| 148 | */ |
Daniel Rosenberg | 6e1918c | 2020-01-20 14:31:56 -0800 | [diff] [blame] | 149 | if (IS_ENCRYPTED(inode) && (flags & ~oldflags & FS_CASEFOLD_FL)) { |
| 150 | err = fscrypt_require_key(inode); |
| 151 | if (err) |
| 152 | return err; |
| 153 | ci = inode->i_crypt_info; |
| 154 | if (ci->ci_policy.version != FSCRYPT_POLICY_V2) |
| 155 | return -EINVAL; |
Daniel Rosenberg | aa408f8 | 2020-01-20 14:31:57 -0800 | [diff] [blame] | 156 | mk = ci->ci_master_key->payload.data[0]; |
| 157 | down_read(&mk->mk_secret_sem); |
| 158 | if (is_master_key_secret_present(&mk->mk_secret)) |
| 159 | err = fscrypt_derive_dirhash_key(ci, mk); |
| 160 | else |
| 161 | err = -ENOKEY; |
| 162 | up_read(&mk->mk_secret_sem); |
| 163 | return err; |
Daniel Rosenberg | 6e1918c | 2020-01-20 14:31:56 -0800 | [diff] [blame] | 164 | } |
| 165 | return 0; |
| 166 | } |
| 167 | |
Eric Biggers | 3111472 | 2020-09-16 21:11:34 -0700 | [diff] [blame] | 168 | /** |
| 169 | * fscrypt_prepare_symlink() - prepare to create a possibly-encrypted symlink |
| 170 | * @dir: directory in which the symlink is being created |
| 171 | * @target: plaintext symlink target |
| 172 | * @len: length of @target excluding null terminator |
| 173 | * @max_len: space the filesystem has available to store the symlink target |
| 174 | * @disk_link: (out) the on-disk symlink target being prepared |
| 175 | * |
| 176 | * This function computes the size the symlink target will require on-disk, |
| 177 | * stores it in @disk_link->len, and validates it against @max_len. An |
| 178 | * encrypted symlink may be longer than the original. |
| 179 | * |
| 180 | * Additionally, @disk_link->name is set to @target if the symlink will be |
| 181 | * unencrypted, but left NULL if the symlink will be encrypted. For encrypted |
| 182 | * symlinks, the filesystem must call fscrypt_encrypt_symlink() to create the |
| 183 | * on-disk target later. (The reason for the two-step process is that some |
| 184 | * filesystems need to know the size of the symlink target before creating the |
| 185 | * inode, e.g. to determine whether it will be a "fast" or "slow" symlink.) |
| 186 | * |
| 187 | * Return: 0 on success, -ENAMETOOLONG if the symlink target is too long, |
| 188 | * -ENOKEY if the encryption key is missing, or another -errno code if a problem |
| 189 | * occurred while setting up the encryption key. |
| 190 | */ |
| 191 | int fscrypt_prepare_symlink(struct inode *dir, const char *target, |
| 192 | unsigned int len, unsigned int max_len, |
| 193 | struct fscrypt_str *disk_link) |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 194 | { |
Eric Biggers | ac4acb1 | 2020-09-16 21:11:35 -0700 | [diff] [blame] | 195 | const union fscrypt_policy *policy; |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 196 | |
Eric Biggers | ac4acb1 | 2020-09-16 21:11:35 -0700 | [diff] [blame] | 197 | /* |
| 198 | * To calculate the size of the encrypted symlink target we need to know |
| 199 | * the amount of NUL padding, which is determined by the flags set in |
| 200 | * the encryption policy which will be inherited from the directory. |
| 201 | */ |
| 202 | policy = fscrypt_policy_to_inherit(dir); |
| 203 | if (policy == NULL) { |
| 204 | /* Not encrypted */ |
Eric Biggers | 3111472 | 2020-09-16 21:11:34 -0700 | [diff] [blame] | 205 | disk_link->name = (unsigned char *)target; |
| 206 | disk_link->len = len + 1; |
| 207 | if (disk_link->len > max_len) |
| 208 | return -ENAMETOOLONG; |
| 209 | return 0; |
| 210 | } |
Eric Biggers | ac4acb1 | 2020-09-16 21:11:35 -0700 | [diff] [blame] | 211 | if (IS_ERR(policy)) |
| 212 | return PTR_ERR(policy); |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 213 | |
| 214 | /* |
| 215 | * Calculate the size of the encrypted symlink and verify it won't |
| 216 | * exceed max_len. Note that for historical reasons, encrypted symlink |
| 217 | * targets are prefixed with the ciphertext length, despite this |
| 218 | * actually being redundant with i_size. This decreases by 2 bytes the |
| 219 | * longest symlink target we can accept. |
| 220 | * |
| 221 | * We could recover 1 byte by not counting a null terminator, but |
| 222 | * counting it (even though it is meaningless for ciphertext) is simpler |
| 223 | * for now since filesystems will assume it is there and subtract it. |
| 224 | */ |
Eric Biggers | ac4acb1 | 2020-09-16 21:11:35 -0700 | [diff] [blame] | 225 | if (!fscrypt_fname_encrypted_size(policy, len, |
Eric Biggers | b9db0b4 | 2018-01-11 23:30:08 -0500 | [diff] [blame] | 226 | max_len - sizeof(struct fscrypt_symlink_data), |
| 227 | &disk_link->len)) |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 228 | return -ENAMETOOLONG; |
Eric Biggers | b9db0b4 | 2018-01-11 23:30:08 -0500 | [diff] [blame] | 229 | disk_link->len += sizeof(struct fscrypt_symlink_data); |
| 230 | |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 231 | disk_link->name = NULL; |
| 232 | return 0; |
| 233 | } |
Eric Biggers | 3111472 | 2020-09-16 21:11:34 -0700 | [diff] [blame] | 234 | EXPORT_SYMBOL_GPL(fscrypt_prepare_symlink); |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 235 | |
| 236 | int __fscrypt_encrypt_symlink(struct inode *inode, const char *target, |
| 237 | unsigned int len, struct fscrypt_str *disk_link) |
| 238 | { |
| 239 | int err; |
Eric Biggers | 0b1dfa4 | 2018-01-19 13:45:24 -0800 | [diff] [blame] | 240 | struct qstr iname = QSTR_INIT(target, len); |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 241 | struct fscrypt_symlink_data *sd; |
| 242 | unsigned int ciphertext_len; |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 243 | |
Eric Biggers | 4cc1a3e | 2020-09-16 21:11:31 -0700 | [diff] [blame] | 244 | /* |
| 245 | * fscrypt_prepare_new_inode() should have already set up the new |
| 246 | * symlink inode's encryption key. We don't wait until now to do it, |
| 247 | * since we may be in a filesystem transaction now. |
| 248 | */ |
| 249 | if (WARN_ON_ONCE(!fscrypt_has_encryption_key(inode))) |
| 250 | return -ENOKEY; |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 251 | |
| 252 | if (disk_link->name) { |
| 253 | /* filesystem-provided buffer */ |
| 254 | sd = (struct fscrypt_symlink_data *)disk_link->name; |
| 255 | } else { |
| 256 | sd = kmalloc(disk_link->len, GFP_NOFS); |
| 257 | if (!sd) |
| 258 | return -ENOMEM; |
| 259 | } |
| 260 | ciphertext_len = disk_link->len - sizeof(*sd); |
| 261 | sd->len = cpu_to_le16(ciphertext_len); |
| 262 | |
Eric Biggers | 1b3b827 | 2020-01-19 23:17:36 -0800 | [diff] [blame] | 263 | err = fscrypt_fname_encrypt(inode, &iname, sd->encrypted_path, |
| 264 | ciphertext_len); |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 265 | if (err) |
| 266 | goto err_free_sd; |
| 267 | |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 268 | /* |
| 269 | * Null-terminating the ciphertext doesn't make sense, but we still |
| 270 | * count the null terminator in the length, so we might as well |
| 271 | * initialize it just in case the filesystem writes it out. |
| 272 | */ |
| 273 | sd->encrypted_path[ciphertext_len] = '\0'; |
| 274 | |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 275 | /* Cache the plaintext symlink target for later use by get_link() */ |
| 276 | err = -ENOMEM; |
| 277 | inode->i_link = kmemdup(target, len + 1, GFP_NOFS); |
| 278 | if (!inode->i_link) |
| 279 | goto err_free_sd; |
| 280 | |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 281 | if (!disk_link->name) |
| 282 | disk_link->name = (unsigned char *)sd; |
| 283 | return 0; |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 284 | |
| 285 | err_free_sd: |
| 286 | if (!disk_link->name) |
| 287 | kfree(sd); |
| 288 | return err; |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 289 | } |
| 290 | EXPORT_SYMBOL_GPL(__fscrypt_encrypt_symlink); |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 291 | |
| 292 | /** |
Eric Biggers | d2fe975 | 2020-05-11 12:13:56 -0700 | [diff] [blame] | 293 | * fscrypt_get_symlink() - get the target of an encrypted symlink |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 294 | * @inode: the symlink inode |
| 295 | * @caddr: the on-disk contents of the symlink |
| 296 | * @max_size: size of @caddr buffer |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 297 | * @done: if successful, will be set up to free the returned target if needed |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 298 | * |
| 299 | * If the symlink's encryption key is available, we decrypt its target. |
| 300 | * Otherwise, we encode its target for presentation. |
| 301 | * |
| 302 | * This may sleep, so the filesystem must have dropped out of RCU mode already. |
| 303 | * |
| 304 | * Return: the presentable symlink target or an ERR_PTR() |
| 305 | */ |
| 306 | const char *fscrypt_get_symlink(struct inode *inode, const void *caddr, |
| 307 | unsigned int max_size, |
| 308 | struct delayed_call *done) |
| 309 | { |
| 310 | const struct fscrypt_symlink_data *sd; |
| 311 | struct fscrypt_str cstr, pstr; |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 312 | bool has_key; |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 313 | int err; |
| 314 | |
| 315 | /* This is for encrypted symlinks only */ |
| 316 | if (WARN_ON(!IS_ENCRYPTED(inode))) |
| 317 | return ERR_PTR(-EINVAL); |
| 318 | |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 319 | /* If the decrypted target is already cached, just return it. */ |
| 320 | pstr.name = READ_ONCE(inode->i_link); |
| 321 | if (pstr.name) |
| 322 | return pstr.name; |
| 323 | |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 324 | /* |
| 325 | * Try to set up the symlink's encryption key, but we can continue |
| 326 | * regardless of whether the key is available or not. |
| 327 | */ |
| 328 | err = fscrypt_get_encryption_info(inode); |
| 329 | if (err) |
| 330 | return ERR_PTR(err); |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 331 | has_key = fscrypt_has_encryption_key(inode); |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 332 | |
| 333 | /* |
| 334 | * For historical reasons, encrypted symlink targets are prefixed with |
| 335 | * the ciphertext length, even though this is redundant with i_size. |
| 336 | */ |
| 337 | |
| 338 | if (max_size < sizeof(*sd)) |
| 339 | return ERR_PTR(-EUCLEAN); |
| 340 | sd = caddr; |
| 341 | cstr.name = (unsigned char *)sd->encrypted_path; |
| 342 | cstr.len = le16_to_cpu(sd->len); |
| 343 | |
| 344 | if (cstr.len == 0) |
| 345 | return ERR_PTR(-EUCLEAN); |
| 346 | |
| 347 | if (cstr.len + sizeof(*sd) - 1 > max_size) |
| 348 | return ERR_PTR(-EUCLEAN); |
| 349 | |
Jeff Layton | 8b10fe6 | 2020-08-10 10:21:39 -0400 | [diff] [blame] | 350 | err = fscrypt_fname_alloc_buffer(cstr.len, &pstr); |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 351 | if (err) |
| 352 | return ERR_PTR(err); |
| 353 | |
| 354 | err = fscrypt_fname_disk_to_usr(inode, 0, 0, &cstr, &pstr); |
| 355 | if (err) |
| 356 | goto err_kfree; |
| 357 | |
| 358 | err = -EUCLEAN; |
| 359 | if (pstr.name[0] == '\0') |
| 360 | goto err_kfree; |
| 361 | |
| 362 | pstr.name[pstr.len] = '\0'; |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 363 | |
| 364 | /* |
| 365 | * Cache decrypted symlink targets in i_link for later use. Don't cache |
| 366 | * symlink targets encoded without the key, since those become outdated |
| 367 | * once the key is added. This pairs with the READ_ONCE() above and in |
| 368 | * the VFS path lookup code. |
| 369 | */ |
| 370 | if (!has_key || |
| 371 | cmpxchg_release(&inode->i_link, NULL, pstr.name) != NULL) |
| 372 | set_delayed_call(done, kfree_link, pstr.name); |
| 373 | |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 374 | return pstr.name; |
| 375 | |
| 376 | err_kfree: |
| 377 | kfree(pstr.name); |
| 378 | return ERR_PTR(err); |
| 379 | } |
| 380 | EXPORT_SYMBOL_GPL(fscrypt_get_symlink); |