Greg Kroah-Hartman | b244131 | 2017-11-01 15:07:57 +0100 | [diff] [blame] | 1 | // SPDX-License-Identifier: GPL-2.0 |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 2 | /* |
| 3 | * Encryption policy functions for per-file encryption support. |
| 4 | * |
| 5 | * Copyright (C) 2015, Google, Inc. |
| 6 | * Copyright (C) 2015, Motorola Mobility. |
| 7 | * |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 8 | * Originally written by Michael Halcrow, 2015. |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 9 | * Modified by Jaegeuk Kim, 2015. |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 10 | * Modified by Eric Biggers, 2019 for v2 policy support. |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 11 | */ |
| 12 | |
| 13 | #include <linux/random.h> |
| 14 | #include <linux/string.h> |
Eric Biggers | ba63f23 | 2016-09-08 14:20:38 -0700 | [diff] [blame] | 15 | #include <linux/mount.h> |
Theodore Ts'o | cc4e0df | 2016-11-26 22:05:18 -0500 | [diff] [blame] | 16 | #include "fscrypt_private.h" |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 17 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 18 | /** |
| 19 | * fscrypt_policies_equal - check whether two encryption policies are the same |
| 20 | * |
| 21 | * Return: %true if equal, else %false |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 22 | */ |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 23 | bool fscrypt_policies_equal(const union fscrypt_policy *policy1, |
| 24 | const union fscrypt_policy *policy2) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 25 | { |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 26 | if (policy1->version != policy2->version) |
| 27 | return false; |
| 28 | |
| 29 | return !memcmp(policy1, policy2, fscrypt_policy_size(policy1)); |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 30 | } |
| 31 | |
Eric Biggers | ef5b18b | 2019-12-09 13:18:28 -0800 | [diff] [blame] | 32 | static bool fscrypt_valid_enc_modes(u32 contents_mode, u32 filenames_mode) |
| 33 | { |
| 34 | if (contents_mode == FSCRYPT_MODE_AES_256_XTS && |
| 35 | filenames_mode == FSCRYPT_MODE_AES_256_CTS) |
| 36 | return true; |
| 37 | |
| 38 | if (contents_mode == FSCRYPT_MODE_AES_128_CBC && |
| 39 | filenames_mode == FSCRYPT_MODE_AES_128_CTS) |
| 40 | return true; |
| 41 | |
| 42 | if (contents_mode == FSCRYPT_MODE_ADIANTUM && |
| 43 | filenames_mode == FSCRYPT_MODE_ADIANTUM) |
| 44 | return true; |
| 45 | |
| 46 | return false; |
| 47 | } |
| 48 | |
Eric Biggers | 85af90e | 2019-12-09 13:18:27 -0800 | [diff] [blame] | 49 | static bool supported_direct_key_modes(const struct inode *inode, |
| 50 | u32 contents_mode, u32 filenames_mode) |
| 51 | { |
| 52 | const struct fscrypt_mode *mode; |
| 53 | |
| 54 | if (contents_mode != filenames_mode) { |
| 55 | fscrypt_warn(inode, |
| 56 | "Direct key flag not allowed with different contents and filenames modes"); |
| 57 | return false; |
| 58 | } |
| 59 | mode = &fscrypt_modes[contents_mode]; |
| 60 | |
| 61 | if (mode->ivsize < offsetofend(union fscrypt_iv, nonce)) { |
| 62 | fscrypt_warn(inode, "Direct key flag not allowed with %s", |
| 63 | mode->friendly_name); |
| 64 | return false; |
| 65 | } |
| 66 | return true; |
| 67 | } |
| 68 | |
Eric Biggers | b103fb7 | 2019-10-24 14:54:36 -0700 | [diff] [blame] | 69 | static bool supported_iv_ino_lblk_64_policy( |
| 70 | const struct fscrypt_policy_v2 *policy, |
| 71 | const struct inode *inode) |
| 72 | { |
| 73 | struct super_block *sb = inode->i_sb; |
| 74 | int ino_bits = 64, lblk_bits = 64; |
| 75 | |
| 76 | if (policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) { |
| 77 | fscrypt_warn(inode, |
| 78 | "The DIRECT_KEY and IV_INO_LBLK_64 flags are mutually exclusive"); |
| 79 | return false; |
| 80 | } |
| 81 | /* |
| 82 | * It's unsafe to include inode numbers in the IVs if the filesystem can |
| 83 | * potentially renumber inodes, e.g. via filesystem shrinking. |
| 84 | */ |
| 85 | if (!sb->s_cop->has_stable_inodes || |
| 86 | !sb->s_cop->has_stable_inodes(sb)) { |
| 87 | fscrypt_warn(inode, |
| 88 | "Can't use IV_INO_LBLK_64 policy on filesystem '%s' because it doesn't have stable inode numbers", |
| 89 | sb->s_id); |
| 90 | return false; |
| 91 | } |
| 92 | if (sb->s_cop->get_ino_and_lblk_bits) |
| 93 | sb->s_cop->get_ino_and_lblk_bits(sb, &ino_bits, &lblk_bits); |
| 94 | if (ino_bits > 32 || lblk_bits > 32) { |
| 95 | fscrypt_warn(inode, |
| 96 | "Can't use IV_INO_LBLK_64 policy on filesystem '%s' because it doesn't use 32-bit inode and block numbers", |
| 97 | sb->s_id); |
| 98 | return false; |
| 99 | } |
| 100 | return true; |
| 101 | } |
| 102 | |
Eric Biggers | 393a24a | 2019-12-09 13:18:26 -0800 | [diff] [blame] | 103 | static bool fscrypt_supported_v1_policy(const struct fscrypt_policy_v1 *policy, |
| 104 | const struct inode *inode) |
| 105 | { |
| 106 | if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode, |
| 107 | policy->filenames_encryption_mode)) { |
| 108 | fscrypt_warn(inode, |
| 109 | "Unsupported encryption modes (contents %d, filenames %d)", |
| 110 | policy->contents_encryption_mode, |
| 111 | policy->filenames_encryption_mode); |
| 112 | return false; |
| 113 | } |
| 114 | |
| 115 | if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK | |
| 116 | FSCRYPT_POLICY_FLAG_DIRECT_KEY)) { |
| 117 | fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", |
| 118 | policy->flags); |
| 119 | return false; |
| 120 | } |
| 121 | |
Eric Biggers | 85af90e | 2019-12-09 13:18:27 -0800 | [diff] [blame] | 122 | if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) && |
| 123 | !supported_direct_key_modes(inode, policy->contents_encryption_mode, |
| 124 | policy->filenames_encryption_mode)) |
| 125 | return false; |
| 126 | |
Daniel Rosenberg | 6e1918c | 2020-01-20 14:31:56 -0800 | [diff] [blame] | 127 | if (IS_CASEFOLDED(inode)) { |
| 128 | /* With v1, there's no way to derive dirhash keys. */ |
| 129 | fscrypt_warn(inode, |
| 130 | "v1 policies can't be used on casefolded directories"); |
| 131 | return false; |
| 132 | } |
| 133 | |
Eric Biggers | 393a24a | 2019-12-09 13:18:26 -0800 | [diff] [blame] | 134 | return true; |
| 135 | } |
| 136 | |
| 137 | static bool fscrypt_supported_v2_policy(const struct fscrypt_policy_v2 *policy, |
| 138 | const struct inode *inode) |
| 139 | { |
| 140 | if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode, |
| 141 | policy->filenames_encryption_mode)) { |
| 142 | fscrypt_warn(inode, |
| 143 | "Unsupported encryption modes (contents %d, filenames %d)", |
| 144 | policy->contents_encryption_mode, |
| 145 | policy->filenames_encryption_mode); |
| 146 | return false; |
| 147 | } |
| 148 | |
| 149 | if (policy->flags & ~FSCRYPT_POLICY_FLAGS_VALID) { |
| 150 | fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)", |
| 151 | policy->flags); |
| 152 | return false; |
| 153 | } |
| 154 | |
Eric Biggers | 85af90e | 2019-12-09 13:18:27 -0800 | [diff] [blame] | 155 | if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) && |
| 156 | !supported_direct_key_modes(inode, policy->contents_encryption_mode, |
| 157 | policy->filenames_encryption_mode)) |
| 158 | return false; |
| 159 | |
Eric Biggers | 393a24a | 2019-12-09 13:18:26 -0800 | [diff] [blame] | 160 | if ((policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) && |
| 161 | !supported_iv_ino_lblk_64_policy(policy, inode)) |
| 162 | return false; |
| 163 | |
| 164 | if (memchr_inv(policy->__reserved, 0, sizeof(policy->__reserved))) { |
| 165 | fscrypt_warn(inode, "Reserved bits set in encryption policy"); |
| 166 | return false; |
| 167 | } |
| 168 | |
| 169 | return true; |
| 170 | } |
| 171 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 172 | /** |
| 173 | * fscrypt_supported_policy - check whether an encryption policy is supported |
| 174 | * |
| 175 | * Given an encryption policy, check whether all its encryption modes and other |
Eric Biggers | 393a24a | 2019-12-09 13:18:26 -0800 | [diff] [blame] | 176 | * settings are supported by this kernel on the given inode. (But we don't |
| 177 | * currently don't check for crypto API support here, so attempting to use an |
| 178 | * algorithm not configured into the crypto API will still fail later.) |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 179 | * |
| 180 | * Return: %true if supported, else %false |
| 181 | */ |
| 182 | bool fscrypt_supported_policy(const union fscrypt_policy *policy_u, |
| 183 | const struct inode *inode) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 184 | { |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 185 | switch (policy_u->version) { |
Eric Biggers | 393a24a | 2019-12-09 13:18:26 -0800 | [diff] [blame] | 186 | case FSCRYPT_POLICY_V1: |
| 187 | return fscrypt_supported_v1_policy(&policy_u->v1, inode); |
| 188 | case FSCRYPT_POLICY_V2: |
| 189 | return fscrypt_supported_v2_policy(&policy_u->v2, inode); |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 190 | } |
| 191 | return false; |
| 192 | } |
| 193 | |
| 194 | /** |
| 195 | * fscrypt_new_context_from_policy - create a new fscrypt_context from a policy |
| 196 | * |
| 197 | * Create an fscrypt_context for an inode that is being assigned the given |
| 198 | * encryption policy. A new nonce is randomly generated. |
| 199 | * |
| 200 | * Return: the size of the new context in bytes. |
| 201 | */ |
| 202 | static int fscrypt_new_context_from_policy(union fscrypt_context *ctx_u, |
| 203 | const union fscrypt_policy *policy_u) |
| 204 | { |
| 205 | memset(ctx_u, 0, sizeof(*ctx_u)); |
| 206 | |
| 207 | switch (policy_u->version) { |
| 208 | case FSCRYPT_POLICY_V1: { |
| 209 | const struct fscrypt_policy_v1 *policy = &policy_u->v1; |
| 210 | struct fscrypt_context_v1 *ctx = &ctx_u->v1; |
| 211 | |
| 212 | ctx->version = FSCRYPT_CONTEXT_V1; |
| 213 | ctx->contents_encryption_mode = |
| 214 | policy->contents_encryption_mode; |
| 215 | ctx->filenames_encryption_mode = |
| 216 | policy->filenames_encryption_mode; |
| 217 | ctx->flags = policy->flags; |
| 218 | memcpy(ctx->master_key_descriptor, |
| 219 | policy->master_key_descriptor, |
| 220 | sizeof(ctx->master_key_descriptor)); |
| 221 | get_random_bytes(ctx->nonce, sizeof(ctx->nonce)); |
| 222 | return sizeof(*ctx); |
| 223 | } |
| 224 | case FSCRYPT_POLICY_V2: { |
| 225 | const struct fscrypt_policy_v2 *policy = &policy_u->v2; |
| 226 | struct fscrypt_context_v2 *ctx = &ctx_u->v2; |
| 227 | |
| 228 | ctx->version = FSCRYPT_CONTEXT_V2; |
| 229 | ctx->contents_encryption_mode = |
| 230 | policy->contents_encryption_mode; |
| 231 | ctx->filenames_encryption_mode = |
| 232 | policy->filenames_encryption_mode; |
| 233 | ctx->flags = policy->flags; |
| 234 | memcpy(ctx->master_key_identifier, |
| 235 | policy->master_key_identifier, |
| 236 | sizeof(ctx->master_key_identifier)); |
| 237 | get_random_bytes(ctx->nonce, sizeof(ctx->nonce)); |
| 238 | return sizeof(*ctx); |
| 239 | } |
| 240 | } |
| 241 | BUG(); |
| 242 | } |
| 243 | |
| 244 | /** |
| 245 | * fscrypt_policy_from_context - convert an fscrypt_context to an fscrypt_policy |
| 246 | * |
| 247 | * Given an fscrypt_context, build the corresponding fscrypt_policy. |
| 248 | * |
| 249 | * Return: 0 on success, or -EINVAL if the fscrypt_context has an unrecognized |
| 250 | * version number or size. |
| 251 | * |
| 252 | * This does *not* validate the settings within the policy itself, e.g. the |
| 253 | * modes, flags, and reserved bits. Use fscrypt_supported_policy() for that. |
| 254 | */ |
| 255 | int fscrypt_policy_from_context(union fscrypt_policy *policy_u, |
| 256 | const union fscrypt_context *ctx_u, |
| 257 | int ctx_size) |
| 258 | { |
| 259 | memset(policy_u, 0, sizeof(*policy_u)); |
| 260 | |
| 261 | if (ctx_size <= 0 || ctx_size != fscrypt_context_size(ctx_u)) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 262 | return -EINVAL; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 263 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 264 | switch (ctx_u->version) { |
| 265 | case FSCRYPT_CONTEXT_V1: { |
| 266 | const struct fscrypt_context_v1 *ctx = &ctx_u->v1; |
| 267 | struct fscrypt_policy_v1 *policy = &policy_u->v1; |
| 268 | |
| 269 | policy->version = FSCRYPT_POLICY_V1; |
| 270 | policy->contents_encryption_mode = |
| 271 | ctx->contents_encryption_mode; |
| 272 | policy->filenames_encryption_mode = |
| 273 | ctx->filenames_encryption_mode; |
| 274 | policy->flags = ctx->flags; |
| 275 | memcpy(policy->master_key_descriptor, |
| 276 | ctx->master_key_descriptor, |
| 277 | sizeof(policy->master_key_descriptor)); |
| 278 | return 0; |
| 279 | } |
| 280 | case FSCRYPT_CONTEXT_V2: { |
| 281 | const struct fscrypt_context_v2 *ctx = &ctx_u->v2; |
| 282 | struct fscrypt_policy_v2 *policy = &policy_u->v2; |
| 283 | |
| 284 | policy->version = FSCRYPT_POLICY_V2; |
| 285 | policy->contents_encryption_mode = |
| 286 | ctx->contents_encryption_mode; |
| 287 | policy->filenames_encryption_mode = |
| 288 | ctx->filenames_encryption_mode; |
| 289 | policy->flags = ctx->flags; |
| 290 | memcpy(policy->__reserved, ctx->__reserved, |
| 291 | sizeof(policy->__reserved)); |
| 292 | memcpy(policy->master_key_identifier, |
| 293 | ctx->master_key_identifier, |
| 294 | sizeof(policy->master_key_identifier)); |
| 295 | return 0; |
| 296 | } |
| 297 | } |
| 298 | /* unreachable */ |
| 299 | return -EINVAL; |
| 300 | } |
| 301 | |
| 302 | /* Retrieve an inode's encryption policy */ |
| 303 | static int fscrypt_get_policy(struct inode *inode, union fscrypt_policy *policy) |
| 304 | { |
| 305 | const struct fscrypt_info *ci; |
| 306 | union fscrypt_context ctx; |
| 307 | int ret; |
| 308 | |
| 309 | ci = READ_ONCE(inode->i_crypt_info); |
| 310 | if (ci) { |
| 311 | /* key available, use the cached policy */ |
| 312 | *policy = ci->ci_policy; |
| 313 | return 0; |
| 314 | } |
| 315 | |
| 316 | if (!IS_ENCRYPTED(inode)) |
| 317 | return -ENODATA; |
| 318 | |
| 319 | ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); |
| 320 | if (ret < 0) |
| 321 | return (ret == -ERANGE) ? -EINVAL : ret; |
| 322 | |
| 323 | return fscrypt_policy_from_context(policy, &ctx, ret); |
| 324 | } |
| 325 | |
| 326 | static int set_encryption_policy(struct inode *inode, |
| 327 | const union fscrypt_policy *policy) |
| 328 | { |
| 329 | union fscrypt_context ctx; |
| 330 | int ctxsize; |
Eric Biggers | 5ab7189 | 2019-08-04 19:35:48 -0700 | [diff] [blame] | 331 | int err; |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 332 | |
| 333 | if (!fscrypt_supported_policy(policy, inode)) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 334 | return -EINVAL; |
| 335 | |
Eric Biggers | 5ab7189 | 2019-08-04 19:35:48 -0700 | [diff] [blame] | 336 | switch (policy->version) { |
| 337 | case FSCRYPT_POLICY_V1: |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 338 | /* |
| 339 | * The original encryption policy version provided no way of |
| 340 | * verifying that the correct master key was supplied, which was |
| 341 | * insecure in scenarios where multiple users have access to the |
| 342 | * same encrypted files (even just read-only access). The new |
| 343 | * encryption policy version fixes this and also implies use of |
| 344 | * an improved key derivation function and allows non-root users |
| 345 | * to securely remove keys. So as long as compatibility with |
| 346 | * old kernels isn't required, it is recommended to use the new |
| 347 | * policy version for all new encrypted directories. |
| 348 | */ |
| 349 | pr_warn_once("%s (pid %d) is setting deprecated v1 encryption policy; recommend upgrading to v2.\n", |
| 350 | current->comm, current->pid); |
Eric Biggers | 5ab7189 | 2019-08-04 19:35:48 -0700 | [diff] [blame] | 351 | break; |
| 352 | case FSCRYPT_POLICY_V2: |
| 353 | err = fscrypt_verify_key_added(inode->i_sb, |
| 354 | policy->v2.master_key_identifier); |
| 355 | if (err) |
| 356 | return err; |
| 357 | break; |
| 358 | default: |
| 359 | WARN_ON(1); |
| 360 | return -EINVAL; |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 361 | } |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 362 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 363 | ctxsize = fscrypt_new_context_from_policy(&ctx, policy); |
| 364 | |
| 365 | return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, NULL); |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 366 | } |
| 367 | |
Eric Biggers | db717d8 | 2016-11-26 19:07:49 -0500 | [diff] [blame] | 368 | int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 369 | { |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 370 | union fscrypt_policy policy; |
| 371 | union fscrypt_policy existing_policy; |
Eric Biggers | ba63f23 | 2016-09-08 14:20:38 -0700 | [diff] [blame] | 372 | struct inode *inode = file_inode(filp); |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 373 | u8 version; |
| 374 | int size; |
Eric Biggers | ba63f23 | 2016-09-08 14:20:38 -0700 | [diff] [blame] | 375 | int ret; |
| 376 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 377 | if (get_user(policy.version, (const u8 __user *)arg)) |
Eric Biggers | db717d8 | 2016-11-26 19:07:49 -0500 | [diff] [blame] | 378 | return -EFAULT; |
| 379 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 380 | size = fscrypt_policy_size(&policy); |
| 381 | if (size <= 0) |
| 382 | return -EINVAL; |
| 383 | |
| 384 | /* |
| 385 | * We should just copy the remaining 'size - 1' bytes here, but a |
| 386 | * bizarre bug in gcc 7 and earlier (fixed by gcc r255731) causes gcc to |
| 387 | * think that size can be 0 here (despite the check above!) *and* that |
| 388 | * it's a compile-time constant. Thus it would think copy_from_user() |
| 389 | * is passed compile-time constant ULONG_MAX, causing the compile-time |
| 390 | * buffer overflow check to fail, breaking the build. This only occurred |
| 391 | * when building an i386 kernel with -Os and branch profiling enabled. |
| 392 | * |
| 393 | * Work around it by just copying the first byte again... |
| 394 | */ |
| 395 | version = policy.version; |
| 396 | if (copy_from_user(&policy, arg, size)) |
| 397 | return -EFAULT; |
| 398 | policy.version = version; |
| 399 | |
Eric Biggers | 163ae1c | 2016-09-08 10:57:08 -0700 | [diff] [blame] | 400 | if (!inode_owner_or_capable(inode)) |
| 401 | return -EACCES; |
| 402 | |
Eric Biggers | ba63f23 | 2016-09-08 14:20:38 -0700 | [diff] [blame] | 403 | ret = mnt_want_write_file(filp); |
| 404 | if (ret) |
| 405 | return ret; |
| 406 | |
Eric Biggers | 8906a82 | 2016-10-15 09:48:50 -0400 | [diff] [blame] | 407 | inode_lock(inode); |
| 408 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 409 | ret = fscrypt_get_policy(inode, &existing_policy); |
Eric Biggers | efee590e | 2016-12-05 11:12:48 -0800 | [diff] [blame] | 410 | if (ret == -ENODATA) { |
Eric Biggers | 002ced4 | 2016-09-08 11:36:39 -0700 | [diff] [blame] | 411 | if (!S_ISDIR(inode->i_mode)) |
Eric Biggers | dffd0cf | 2016-12-05 11:12:45 -0800 | [diff] [blame] | 412 | ret = -ENOTDIR; |
Hongjie Fang | 5858bda | 2019-05-22 10:02:53 +0800 | [diff] [blame] | 413 | else if (IS_DEADDIR(inode)) |
| 414 | ret = -ENOENT; |
Eric Biggers | ba63f23 | 2016-09-08 14:20:38 -0700 | [diff] [blame] | 415 | else if (!inode->i_sb->s_cop->empty_dir(inode)) |
| 416 | ret = -ENOTEMPTY; |
| 417 | else |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 418 | ret = set_encryption_policy(inode, &policy); |
| 419 | } else if (ret == -EINVAL || |
| 420 | (ret == 0 && !fscrypt_policies_equal(&policy, |
| 421 | &existing_policy))) { |
Eric Biggers | efee590e | 2016-12-05 11:12:48 -0800 | [diff] [blame] | 422 | /* The file already uses a different encryption policy. */ |
Eric Biggers | 8488cd9 | 2016-12-05 11:12:46 -0800 | [diff] [blame] | 423 | ret = -EEXIST; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 424 | } |
| 425 | |
Eric Biggers | 8906a82 | 2016-10-15 09:48:50 -0400 | [diff] [blame] | 426 | inode_unlock(inode); |
| 427 | |
Eric Biggers | ba63f23 | 2016-09-08 14:20:38 -0700 | [diff] [blame] | 428 | mnt_drop_write_file(filp); |
| 429 | return ret; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 430 | } |
Eric Biggers | db717d8 | 2016-11-26 19:07:49 -0500 | [diff] [blame] | 431 | EXPORT_SYMBOL(fscrypt_ioctl_set_policy); |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 432 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 433 | /* Original ioctl version; can only get the original policy version */ |
Eric Biggers | db717d8 | 2016-11-26 19:07:49 -0500 | [diff] [blame] | 434 | int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 435 | { |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 436 | union fscrypt_policy policy; |
| 437 | int err; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 438 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 439 | err = fscrypt_get_policy(file_inode(filp), &policy); |
| 440 | if (err) |
| 441 | return err; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 442 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 443 | if (policy.version != FSCRYPT_POLICY_V1) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 444 | return -EINVAL; |
| 445 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 446 | if (copy_to_user(arg, &policy, sizeof(policy.v1))) |
Eric Biggers | db717d8 | 2016-11-26 19:07:49 -0500 | [diff] [blame] | 447 | return -EFAULT; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 448 | return 0; |
| 449 | } |
Eric Biggers | db717d8 | 2016-11-26 19:07:49 -0500 | [diff] [blame] | 450 | EXPORT_SYMBOL(fscrypt_ioctl_get_policy); |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 451 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 452 | /* Extended ioctl version; can get policies of any version */ |
| 453 | int fscrypt_ioctl_get_policy_ex(struct file *filp, void __user *uarg) |
| 454 | { |
| 455 | struct fscrypt_get_policy_ex_arg arg; |
| 456 | union fscrypt_policy *policy = (union fscrypt_policy *)&arg.policy; |
| 457 | size_t policy_size; |
| 458 | int err; |
| 459 | |
| 460 | /* arg is policy_size, then policy */ |
| 461 | BUILD_BUG_ON(offsetof(typeof(arg), policy_size) != 0); |
| 462 | BUILD_BUG_ON(offsetofend(typeof(arg), policy_size) != |
| 463 | offsetof(typeof(arg), policy)); |
| 464 | BUILD_BUG_ON(sizeof(arg.policy) != sizeof(*policy)); |
| 465 | |
| 466 | err = fscrypt_get_policy(file_inode(filp), policy); |
| 467 | if (err) |
| 468 | return err; |
| 469 | policy_size = fscrypt_policy_size(policy); |
| 470 | |
| 471 | if (copy_from_user(&arg, uarg, sizeof(arg.policy_size))) |
| 472 | return -EFAULT; |
| 473 | |
| 474 | if (policy_size > arg.policy_size) |
| 475 | return -EOVERFLOW; |
| 476 | arg.policy_size = policy_size; |
| 477 | |
| 478 | if (copy_to_user(uarg, &arg, sizeof(arg.policy_size) + policy_size)) |
| 479 | return -EFAULT; |
| 480 | return 0; |
| 481 | } |
| 482 | EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_policy_ex); |
| 483 | |
Eric Biggers | 272f98f | 2017-04-07 10:58:37 -0700 | [diff] [blame] | 484 | /** |
| 485 | * fscrypt_has_permitted_context() - is a file's encryption policy permitted |
| 486 | * within its directory? |
| 487 | * |
| 488 | * @parent: inode for parent directory |
| 489 | * @child: inode for file being looked up, opened, or linked into @parent |
| 490 | * |
| 491 | * Filesystems must call this before permitting access to an inode in a |
| 492 | * situation where the parent directory is encrypted (either before allowing |
| 493 | * ->lookup() to succeed, or for a regular file before allowing it to be opened) |
| 494 | * and before any operation that involves linking an inode into an encrypted |
| 495 | * directory, including link, rename, and cross rename. It enforces the |
| 496 | * constraint that within a given encrypted directory tree, all files use the |
| 497 | * same encryption policy. The pre-access check is needed to detect potentially |
| 498 | * malicious offline violations of this constraint, while the link and rename |
| 499 | * checks are needed to prevent online violations of this constraint. |
| 500 | * |
Eric Biggers | f5e55e7 | 2019-01-22 16:20:21 -0800 | [diff] [blame] | 501 | * Return: 1 if permitted, 0 if forbidden. |
Eric Biggers | 272f98f | 2017-04-07 10:58:37 -0700 | [diff] [blame] | 502 | */ |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 503 | int fscrypt_has_permitted_context(struct inode *parent, struct inode *child) |
| 504 | { |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 505 | union fscrypt_policy parent_policy, child_policy; |
| 506 | int err; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 507 | |
Eric Biggers | 42d97eb | 2016-12-19 14:20:13 -0800 | [diff] [blame] | 508 | /* No restrictions on file types which are never encrypted */ |
| 509 | if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) && |
| 510 | !S_ISLNK(child->i_mode)) |
| 511 | return 1; |
| 512 | |
Eric Biggers | 272f98f | 2017-04-07 10:58:37 -0700 | [diff] [blame] | 513 | /* No restrictions if the parent directory is unencrypted */ |
Eric Biggers | e0428a2 | 2017-10-09 12:15:36 -0700 | [diff] [blame] | 514 | if (!IS_ENCRYPTED(parent)) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 515 | return 1; |
Eric Biggers | 272f98f | 2017-04-07 10:58:37 -0700 | [diff] [blame] | 516 | |
| 517 | /* Encrypted directories must not contain unencrypted files */ |
Eric Biggers | e0428a2 | 2017-10-09 12:15:36 -0700 | [diff] [blame] | 518 | if (!IS_ENCRYPTED(child)) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 519 | return 0; |
Eric Biggers | 272f98f | 2017-04-07 10:58:37 -0700 | [diff] [blame] | 520 | |
| 521 | /* |
| 522 | * Both parent and child are encrypted, so verify they use the same |
| 523 | * encryption policy. Compare the fscrypt_info structs if the keys are |
| 524 | * available, otherwise retrieve and compare the fscrypt_contexts. |
| 525 | * |
| 526 | * Note that the fscrypt_context retrieval will be required frequently |
| 527 | * when accessing an encrypted directory tree without the key. |
| 528 | * Performance-wise this is not a big deal because we already don't |
| 529 | * really optimize for file access without the key (to the extent that |
| 530 | * such access is even possible), given that any attempted access |
| 531 | * already causes a fscrypt_context retrieval and keyring search. |
| 532 | * |
| 533 | * In any case, if an unexpected error occurs, fall back to "forbidden". |
| 534 | */ |
| 535 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 536 | err = fscrypt_get_encryption_info(parent); |
| 537 | if (err) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 538 | return 0; |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 539 | err = fscrypt_get_encryption_info(child); |
| 540 | if (err) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 541 | return 0; |
| 542 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 543 | err = fscrypt_get_policy(parent, &parent_policy); |
| 544 | if (err) |
Eric Biggers | 272f98f | 2017-04-07 10:58:37 -0700 | [diff] [blame] | 545 | return 0; |
| 546 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 547 | err = fscrypt_get_policy(child, &child_policy); |
| 548 | if (err) |
| 549 | return 0; |
| 550 | |
| 551 | return fscrypt_policies_equal(&parent_policy, &child_policy); |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 552 | } |
| 553 | EXPORT_SYMBOL(fscrypt_has_permitted_context); |
| 554 | |
| 555 | /** |
| 556 | * fscrypt_inherit_context() - Sets a child context from its parent |
| 557 | * @parent: Parent inode from which the context is inherited. |
| 558 | * @child: Child inode that inherits the context from @parent. |
| 559 | * @fs_data: private data given by FS. |
Theodore Ts'o | 5bbdcbb | 2017-01-02 15:12:17 -0500 | [diff] [blame] | 560 | * @preload: preload child i_crypt_info if true |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 561 | * |
Theodore Ts'o | 5bbdcbb | 2017-01-02 15:12:17 -0500 | [diff] [blame] | 562 | * Return: 0 on success, -errno on failure |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 563 | */ |
| 564 | int fscrypt_inherit_context(struct inode *parent, struct inode *child, |
| 565 | void *fs_data, bool preload) |
| 566 | { |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 567 | union fscrypt_context ctx; |
| 568 | int ctxsize; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 569 | struct fscrypt_info *ci; |
| 570 | int res; |
| 571 | |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 572 | res = fscrypt_get_encryption_info(parent); |
| 573 | if (res < 0) |
| 574 | return res; |
| 575 | |
Eric Biggers | e37a784 | 2019-04-11 14:32:15 -0700 | [diff] [blame] | 576 | ci = READ_ONCE(parent->i_crypt_info); |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 577 | if (ci == NULL) |
| 578 | return -ENOKEY; |
| 579 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 580 | ctxsize = fscrypt_new_context_from_policy(&ctx, &ci->ci_policy); |
| 581 | |
Tahsin Erdogan | af65207 | 2017-07-06 00:01:59 -0400 | [diff] [blame] | 582 | BUILD_BUG_ON(sizeof(ctx) != FSCRYPT_SET_CONTEXT_MAX_SIZE); |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 583 | res = parent->i_sb->s_cop->set_context(child, &ctx, ctxsize, fs_data); |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 584 | if (res) |
| 585 | return res; |
| 586 | return preload ? fscrypt_get_encryption_info(child): 0; |
| 587 | } |
| 588 | EXPORT_SYMBOL(fscrypt_inherit_context); |