Greg Kroah-Hartman | b244131 | 2017-11-01 15:07:57 +0100 | [diff] [blame] | 1 | // SPDX-License-Identifier: GPL-2.0 |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 2 | /* |
| 3 | * Encryption policy functions for per-file encryption support. |
| 4 | * |
| 5 | * Copyright (C) 2015, Google, Inc. |
| 6 | * Copyright (C) 2015, Motorola Mobility. |
| 7 | * |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 8 | * Originally written by Michael Halcrow, 2015. |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 9 | * Modified by Jaegeuk Kim, 2015. |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 10 | * Modified by Eric Biggers, 2019 for v2 policy support. |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 11 | */ |
| 12 | |
| 13 | #include <linux/random.h> |
| 14 | #include <linux/string.h> |
Eric Biggers | ba63f23 | 2016-09-08 14:20:38 -0700 | [diff] [blame] | 15 | #include <linux/mount.h> |
Theodore Ts'o | cc4e0df | 2016-11-26 22:05:18 -0500 | [diff] [blame] | 16 | #include "fscrypt_private.h" |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 17 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 18 | /** |
| 19 | * fscrypt_policies_equal - check whether two encryption policies are the same |
| 20 | * |
| 21 | * Return: %true if equal, else %false |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 22 | */ |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 23 | bool fscrypt_policies_equal(const union fscrypt_policy *policy1, |
| 24 | const union fscrypt_policy *policy2) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 25 | { |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 26 | if (policy1->version != policy2->version) |
| 27 | return false; |
| 28 | |
| 29 | return !memcmp(policy1, policy2, fscrypt_policy_size(policy1)); |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 30 | } |
| 31 | |
Eric Biggers | b103fb7 | 2019-10-24 14:54:36 -0700 | [diff] [blame] | 32 | static bool supported_iv_ino_lblk_64_policy( |
| 33 | const struct fscrypt_policy_v2 *policy, |
| 34 | const struct inode *inode) |
| 35 | { |
| 36 | struct super_block *sb = inode->i_sb; |
| 37 | int ino_bits = 64, lblk_bits = 64; |
| 38 | |
| 39 | if (policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) { |
| 40 | fscrypt_warn(inode, |
| 41 | "The DIRECT_KEY and IV_INO_LBLK_64 flags are mutually exclusive"); |
| 42 | return false; |
| 43 | } |
| 44 | /* |
| 45 | * It's unsafe to include inode numbers in the IVs if the filesystem can |
| 46 | * potentially renumber inodes, e.g. via filesystem shrinking. |
| 47 | */ |
| 48 | if (!sb->s_cop->has_stable_inodes || |
| 49 | !sb->s_cop->has_stable_inodes(sb)) { |
| 50 | fscrypt_warn(inode, |
| 51 | "Can't use IV_INO_LBLK_64 policy on filesystem '%s' because it doesn't have stable inode numbers", |
| 52 | sb->s_id); |
| 53 | return false; |
| 54 | } |
| 55 | if (sb->s_cop->get_ino_and_lblk_bits) |
| 56 | sb->s_cop->get_ino_and_lblk_bits(sb, &ino_bits, &lblk_bits); |
| 57 | if (ino_bits > 32 || lblk_bits > 32) { |
| 58 | fscrypt_warn(inode, |
| 59 | "Can't use IV_INO_LBLK_64 policy on filesystem '%s' because it doesn't use 32-bit inode and block numbers", |
| 60 | sb->s_id); |
| 61 | return false; |
| 62 | } |
| 63 | return true; |
| 64 | } |
| 65 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 66 | /** |
| 67 | * fscrypt_supported_policy - check whether an encryption policy is supported |
| 68 | * |
| 69 | * Given an encryption policy, check whether all its encryption modes and other |
| 70 | * settings are supported by this kernel. (But we don't currently don't check |
| 71 | * for crypto API support here, so attempting to use an algorithm not configured |
| 72 | * into the crypto API will still fail later.) |
| 73 | * |
| 74 | * Return: %true if supported, else %false |
| 75 | */ |
| 76 | bool fscrypt_supported_policy(const union fscrypt_policy *policy_u, |
| 77 | const struct inode *inode) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 78 | { |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 79 | switch (policy_u->version) { |
| 80 | case FSCRYPT_POLICY_V1: { |
| 81 | const struct fscrypt_policy_v1 *policy = &policy_u->v1; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 82 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 83 | if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode, |
| 84 | policy->filenames_encryption_mode)) { |
| 85 | fscrypt_warn(inode, |
| 86 | "Unsupported encryption modes (contents %d, filenames %d)", |
| 87 | policy->contents_encryption_mode, |
| 88 | policy->filenames_encryption_mode); |
| 89 | return false; |
| 90 | } |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 91 | |
Eric Biggers | b103fb7 | 2019-10-24 14:54:36 -0700 | [diff] [blame] | 92 | if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK | |
| 93 | FSCRYPT_POLICY_FLAG_DIRECT_KEY)) { |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 94 | fscrypt_warn(inode, |
| 95 | "Unsupported encryption flags (0x%02x)", |
| 96 | policy->flags); |
| 97 | return false; |
| 98 | } |
| 99 | |
| 100 | return true; |
| 101 | } |
| 102 | case FSCRYPT_POLICY_V2: { |
| 103 | const struct fscrypt_policy_v2 *policy = &policy_u->v2; |
| 104 | |
| 105 | if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode, |
| 106 | policy->filenames_encryption_mode)) { |
| 107 | fscrypt_warn(inode, |
| 108 | "Unsupported encryption modes (contents %d, filenames %d)", |
| 109 | policy->contents_encryption_mode, |
| 110 | policy->filenames_encryption_mode); |
| 111 | return false; |
| 112 | } |
| 113 | |
| 114 | if (policy->flags & ~FSCRYPT_POLICY_FLAGS_VALID) { |
| 115 | fscrypt_warn(inode, |
| 116 | "Unsupported encryption flags (0x%02x)", |
| 117 | policy->flags); |
| 118 | return false; |
| 119 | } |
| 120 | |
Eric Biggers | b103fb7 | 2019-10-24 14:54:36 -0700 | [diff] [blame] | 121 | if ((policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64) && |
| 122 | !supported_iv_ino_lblk_64_policy(policy, inode)) |
| 123 | return false; |
| 124 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 125 | if (memchr_inv(policy->__reserved, 0, |
| 126 | sizeof(policy->__reserved))) { |
| 127 | fscrypt_warn(inode, |
| 128 | "Reserved bits set in encryption policy"); |
| 129 | return false; |
| 130 | } |
| 131 | |
| 132 | return true; |
| 133 | } |
| 134 | } |
| 135 | return false; |
| 136 | } |
| 137 | |
| 138 | /** |
| 139 | * fscrypt_new_context_from_policy - create a new fscrypt_context from a policy |
| 140 | * |
| 141 | * Create an fscrypt_context for an inode that is being assigned the given |
| 142 | * encryption policy. A new nonce is randomly generated. |
| 143 | * |
| 144 | * Return: the size of the new context in bytes. |
| 145 | */ |
| 146 | static int fscrypt_new_context_from_policy(union fscrypt_context *ctx_u, |
| 147 | const union fscrypt_policy *policy_u) |
| 148 | { |
| 149 | memset(ctx_u, 0, sizeof(*ctx_u)); |
| 150 | |
| 151 | switch (policy_u->version) { |
| 152 | case FSCRYPT_POLICY_V1: { |
| 153 | const struct fscrypt_policy_v1 *policy = &policy_u->v1; |
| 154 | struct fscrypt_context_v1 *ctx = &ctx_u->v1; |
| 155 | |
| 156 | ctx->version = FSCRYPT_CONTEXT_V1; |
| 157 | ctx->contents_encryption_mode = |
| 158 | policy->contents_encryption_mode; |
| 159 | ctx->filenames_encryption_mode = |
| 160 | policy->filenames_encryption_mode; |
| 161 | ctx->flags = policy->flags; |
| 162 | memcpy(ctx->master_key_descriptor, |
| 163 | policy->master_key_descriptor, |
| 164 | sizeof(ctx->master_key_descriptor)); |
| 165 | get_random_bytes(ctx->nonce, sizeof(ctx->nonce)); |
| 166 | return sizeof(*ctx); |
| 167 | } |
| 168 | case FSCRYPT_POLICY_V2: { |
| 169 | const struct fscrypt_policy_v2 *policy = &policy_u->v2; |
| 170 | struct fscrypt_context_v2 *ctx = &ctx_u->v2; |
| 171 | |
| 172 | ctx->version = FSCRYPT_CONTEXT_V2; |
| 173 | ctx->contents_encryption_mode = |
| 174 | policy->contents_encryption_mode; |
| 175 | ctx->filenames_encryption_mode = |
| 176 | policy->filenames_encryption_mode; |
| 177 | ctx->flags = policy->flags; |
| 178 | memcpy(ctx->master_key_identifier, |
| 179 | policy->master_key_identifier, |
| 180 | sizeof(ctx->master_key_identifier)); |
| 181 | get_random_bytes(ctx->nonce, sizeof(ctx->nonce)); |
| 182 | return sizeof(*ctx); |
| 183 | } |
| 184 | } |
| 185 | BUG(); |
| 186 | } |
| 187 | |
| 188 | /** |
| 189 | * fscrypt_policy_from_context - convert an fscrypt_context to an fscrypt_policy |
| 190 | * |
| 191 | * Given an fscrypt_context, build the corresponding fscrypt_policy. |
| 192 | * |
| 193 | * Return: 0 on success, or -EINVAL if the fscrypt_context has an unrecognized |
| 194 | * version number or size. |
| 195 | * |
| 196 | * This does *not* validate the settings within the policy itself, e.g. the |
| 197 | * modes, flags, and reserved bits. Use fscrypt_supported_policy() for that. |
| 198 | */ |
| 199 | int fscrypt_policy_from_context(union fscrypt_policy *policy_u, |
| 200 | const union fscrypt_context *ctx_u, |
| 201 | int ctx_size) |
| 202 | { |
| 203 | memset(policy_u, 0, sizeof(*policy_u)); |
| 204 | |
| 205 | if (ctx_size <= 0 || ctx_size != fscrypt_context_size(ctx_u)) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 206 | return -EINVAL; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 207 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 208 | switch (ctx_u->version) { |
| 209 | case FSCRYPT_CONTEXT_V1: { |
| 210 | const struct fscrypt_context_v1 *ctx = &ctx_u->v1; |
| 211 | struct fscrypt_policy_v1 *policy = &policy_u->v1; |
| 212 | |
| 213 | policy->version = FSCRYPT_POLICY_V1; |
| 214 | policy->contents_encryption_mode = |
| 215 | ctx->contents_encryption_mode; |
| 216 | policy->filenames_encryption_mode = |
| 217 | ctx->filenames_encryption_mode; |
| 218 | policy->flags = ctx->flags; |
| 219 | memcpy(policy->master_key_descriptor, |
| 220 | ctx->master_key_descriptor, |
| 221 | sizeof(policy->master_key_descriptor)); |
| 222 | return 0; |
| 223 | } |
| 224 | case FSCRYPT_CONTEXT_V2: { |
| 225 | const struct fscrypt_context_v2 *ctx = &ctx_u->v2; |
| 226 | struct fscrypt_policy_v2 *policy = &policy_u->v2; |
| 227 | |
| 228 | policy->version = FSCRYPT_POLICY_V2; |
| 229 | policy->contents_encryption_mode = |
| 230 | ctx->contents_encryption_mode; |
| 231 | policy->filenames_encryption_mode = |
| 232 | ctx->filenames_encryption_mode; |
| 233 | policy->flags = ctx->flags; |
| 234 | memcpy(policy->__reserved, ctx->__reserved, |
| 235 | sizeof(policy->__reserved)); |
| 236 | memcpy(policy->master_key_identifier, |
| 237 | ctx->master_key_identifier, |
| 238 | sizeof(policy->master_key_identifier)); |
| 239 | return 0; |
| 240 | } |
| 241 | } |
| 242 | /* unreachable */ |
| 243 | return -EINVAL; |
| 244 | } |
| 245 | |
| 246 | /* Retrieve an inode's encryption policy */ |
| 247 | static int fscrypt_get_policy(struct inode *inode, union fscrypt_policy *policy) |
| 248 | { |
| 249 | const struct fscrypt_info *ci; |
| 250 | union fscrypt_context ctx; |
| 251 | int ret; |
| 252 | |
| 253 | ci = READ_ONCE(inode->i_crypt_info); |
| 254 | if (ci) { |
| 255 | /* key available, use the cached policy */ |
| 256 | *policy = ci->ci_policy; |
| 257 | return 0; |
| 258 | } |
| 259 | |
| 260 | if (!IS_ENCRYPTED(inode)) |
| 261 | return -ENODATA; |
| 262 | |
| 263 | ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); |
| 264 | if (ret < 0) |
| 265 | return (ret == -ERANGE) ? -EINVAL : ret; |
| 266 | |
| 267 | return fscrypt_policy_from_context(policy, &ctx, ret); |
| 268 | } |
| 269 | |
| 270 | static int set_encryption_policy(struct inode *inode, |
| 271 | const union fscrypt_policy *policy) |
| 272 | { |
| 273 | union fscrypt_context ctx; |
| 274 | int ctxsize; |
Eric Biggers | 5ab7189 | 2019-08-04 19:35:48 -0700 | [diff] [blame] | 275 | int err; |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 276 | |
| 277 | if (!fscrypt_supported_policy(policy, inode)) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 278 | return -EINVAL; |
| 279 | |
Eric Biggers | 5ab7189 | 2019-08-04 19:35:48 -0700 | [diff] [blame] | 280 | switch (policy->version) { |
| 281 | case FSCRYPT_POLICY_V1: |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 282 | /* |
| 283 | * The original encryption policy version provided no way of |
| 284 | * verifying that the correct master key was supplied, which was |
| 285 | * insecure in scenarios where multiple users have access to the |
| 286 | * same encrypted files (even just read-only access). The new |
| 287 | * encryption policy version fixes this and also implies use of |
| 288 | * an improved key derivation function and allows non-root users |
| 289 | * to securely remove keys. So as long as compatibility with |
| 290 | * old kernels isn't required, it is recommended to use the new |
| 291 | * policy version for all new encrypted directories. |
| 292 | */ |
| 293 | pr_warn_once("%s (pid %d) is setting deprecated v1 encryption policy; recommend upgrading to v2.\n", |
| 294 | current->comm, current->pid); |
Eric Biggers | 5ab7189 | 2019-08-04 19:35:48 -0700 | [diff] [blame] | 295 | break; |
| 296 | case FSCRYPT_POLICY_V2: |
| 297 | err = fscrypt_verify_key_added(inode->i_sb, |
| 298 | policy->v2.master_key_identifier); |
| 299 | if (err) |
| 300 | return err; |
| 301 | break; |
| 302 | default: |
| 303 | WARN_ON(1); |
| 304 | return -EINVAL; |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 305 | } |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 306 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 307 | ctxsize = fscrypt_new_context_from_policy(&ctx, policy); |
| 308 | |
| 309 | return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, NULL); |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 310 | } |
| 311 | |
Eric Biggers | db717d8 | 2016-11-26 19:07:49 -0500 | [diff] [blame] | 312 | int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 313 | { |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 314 | union fscrypt_policy policy; |
| 315 | union fscrypt_policy existing_policy; |
Eric Biggers | ba63f23 | 2016-09-08 14:20:38 -0700 | [diff] [blame] | 316 | struct inode *inode = file_inode(filp); |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 317 | u8 version; |
| 318 | int size; |
Eric Biggers | ba63f23 | 2016-09-08 14:20:38 -0700 | [diff] [blame] | 319 | int ret; |
| 320 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 321 | if (get_user(policy.version, (const u8 __user *)arg)) |
Eric Biggers | db717d8 | 2016-11-26 19:07:49 -0500 | [diff] [blame] | 322 | return -EFAULT; |
| 323 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 324 | size = fscrypt_policy_size(&policy); |
| 325 | if (size <= 0) |
| 326 | return -EINVAL; |
| 327 | |
| 328 | /* |
| 329 | * We should just copy the remaining 'size - 1' bytes here, but a |
| 330 | * bizarre bug in gcc 7 and earlier (fixed by gcc r255731) causes gcc to |
| 331 | * think that size can be 0 here (despite the check above!) *and* that |
| 332 | * it's a compile-time constant. Thus it would think copy_from_user() |
| 333 | * is passed compile-time constant ULONG_MAX, causing the compile-time |
| 334 | * buffer overflow check to fail, breaking the build. This only occurred |
| 335 | * when building an i386 kernel with -Os and branch profiling enabled. |
| 336 | * |
| 337 | * Work around it by just copying the first byte again... |
| 338 | */ |
| 339 | version = policy.version; |
| 340 | if (copy_from_user(&policy, arg, size)) |
| 341 | return -EFAULT; |
| 342 | policy.version = version; |
| 343 | |
Eric Biggers | 163ae1c | 2016-09-08 10:57:08 -0700 | [diff] [blame] | 344 | if (!inode_owner_or_capable(inode)) |
| 345 | return -EACCES; |
| 346 | |
Eric Biggers | ba63f23 | 2016-09-08 14:20:38 -0700 | [diff] [blame] | 347 | ret = mnt_want_write_file(filp); |
| 348 | if (ret) |
| 349 | return ret; |
| 350 | |
Eric Biggers | 8906a82 | 2016-10-15 09:48:50 -0400 | [diff] [blame] | 351 | inode_lock(inode); |
| 352 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 353 | ret = fscrypt_get_policy(inode, &existing_policy); |
Eric Biggers | efee590e | 2016-12-05 11:12:48 -0800 | [diff] [blame] | 354 | if (ret == -ENODATA) { |
Eric Biggers | 002ced4 | 2016-09-08 11:36:39 -0700 | [diff] [blame] | 355 | if (!S_ISDIR(inode->i_mode)) |
Eric Biggers | dffd0cf | 2016-12-05 11:12:45 -0800 | [diff] [blame] | 356 | ret = -ENOTDIR; |
Hongjie Fang | 5858bda | 2019-05-22 10:02:53 +0800 | [diff] [blame] | 357 | else if (IS_DEADDIR(inode)) |
| 358 | ret = -ENOENT; |
Eric Biggers | ba63f23 | 2016-09-08 14:20:38 -0700 | [diff] [blame] | 359 | else if (!inode->i_sb->s_cop->empty_dir(inode)) |
| 360 | ret = -ENOTEMPTY; |
| 361 | else |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 362 | ret = set_encryption_policy(inode, &policy); |
| 363 | } else if (ret == -EINVAL || |
| 364 | (ret == 0 && !fscrypt_policies_equal(&policy, |
| 365 | &existing_policy))) { |
Eric Biggers | efee590e | 2016-12-05 11:12:48 -0800 | [diff] [blame] | 366 | /* The file already uses a different encryption policy. */ |
Eric Biggers | 8488cd9 | 2016-12-05 11:12:46 -0800 | [diff] [blame] | 367 | ret = -EEXIST; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 368 | } |
| 369 | |
Eric Biggers | 8906a82 | 2016-10-15 09:48:50 -0400 | [diff] [blame] | 370 | inode_unlock(inode); |
| 371 | |
Eric Biggers | ba63f23 | 2016-09-08 14:20:38 -0700 | [diff] [blame] | 372 | mnt_drop_write_file(filp); |
| 373 | return ret; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 374 | } |
Eric Biggers | db717d8 | 2016-11-26 19:07:49 -0500 | [diff] [blame] | 375 | EXPORT_SYMBOL(fscrypt_ioctl_set_policy); |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 376 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 377 | /* Original ioctl version; can only get the original policy version */ |
Eric Biggers | db717d8 | 2016-11-26 19:07:49 -0500 | [diff] [blame] | 378 | int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 379 | { |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 380 | union fscrypt_policy policy; |
| 381 | int err; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 382 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 383 | err = fscrypt_get_policy(file_inode(filp), &policy); |
| 384 | if (err) |
| 385 | return err; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 386 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 387 | if (policy.version != FSCRYPT_POLICY_V1) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 388 | return -EINVAL; |
| 389 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 390 | if (copy_to_user(arg, &policy, sizeof(policy.v1))) |
Eric Biggers | db717d8 | 2016-11-26 19:07:49 -0500 | [diff] [blame] | 391 | return -EFAULT; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 392 | return 0; |
| 393 | } |
Eric Biggers | db717d8 | 2016-11-26 19:07:49 -0500 | [diff] [blame] | 394 | EXPORT_SYMBOL(fscrypt_ioctl_get_policy); |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 395 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 396 | /* Extended ioctl version; can get policies of any version */ |
| 397 | int fscrypt_ioctl_get_policy_ex(struct file *filp, void __user *uarg) |
| 398 | { |
| 399 | struct fscrypt_get_policy_ex_arg arg; |
| 400 | union fscrypt_policy *policy = (union fscrypt_policy *)&arg.policy; |
| 401 | size_t policy_size; |
| 402 | int err; |
| 403 | |
| 404 | /* arg is policy_size, then policy */ |
| 405 | BUILD_BUG_ON(offsetof(typeof(arg), policy_size) != 0); |
| 406 | BUILD_BUG_ON(offsetofend(typeof(arg), policy_size) != |
| 407 | offsetof(typeof(arg), policy)); |
| 408 | BUILD_BUG_ON(sizeof(arg.policy) != sizeof(*policy)); |
| 409 | |
| 410 | err = fscrypt_get_policy(file_inode(filp), policy); |
| 411 | if (err) |
| 412 | return err; |
| 413 | policy_size = fscrypt_policy_size(policy); |
| 414 | |
| 415 | if (copy_from_user(&arg, uarg, sizeof(arg.policy_size))) |
| 416 | return -EFAULT; |
| 417 | |
| 418 | if (policy_size > arg.policy_size) |
| 419 | return -EOVERFLOW; |
| 420 | arg.policy_size = policy_size; |
| 421 | |
| 422 | if (copy_to_user(uarg, &arg, sizeof(arg.policy_size) + policy_size)) |
| 423 | return -EFAULT; |
| 424 | return 0; |
| 425 | } |
| 426 | EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_policy_ex); |
| 427 | |
Eric Biggers | 272f98f | 2017-04-07 10:58:37 -0700 | [diff] [blame] | 428 | /** |
| 429 | * fscrypt_has_permitted_context() - is a file's encryption policy permitted |
| 430 | * within its directory? |
| 431 | * |
| 432 | * @parent: inode for parent directory |
| 433 | * @child: inode for file being looked up, opened, or linked into @parent |
| 434 | * |
| 435 | * Filesystems must call this before permitting access to an inode in a |
| 436 | * situation where the parent directory is encrypted (either before allowing |
| 437 | * ->lookup() to succeed, or for a regular file before allowing it to be opened) |
| 438 | * and before any operation that involves linking an inode into an encrypted |
| 439 | * directory, including link, rename, and cross rename. It enforces the |
| 440 | * constraint that within a given encrypted directory tree, all files use the |
| 441 | * same encryption policy. The pre-access check is needed to detect potentially |
| 442 | * malicious offline violations of this constraint, while the link and rename |
| 443 | * checks are needed to prevent online violations of this constraint. |
| 444 | * |
Eric Biggers | f5e55e7 | 2019-01-22 16:20:21 -0800 | [diff] [blame] | 445 | * Return: 1 if permitted, 0 if forbidden. |
Eric Biggers | 272f98f | 2017-04-07 10:58:37 -0700 | [diff] [blame] | 446 | */ |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 447 | int fscrypt_has_permitted_context(struct inode *parent, struct inode *child) |
| 448 | { |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 449 | union fscrypt_policy parent_policy, child_policy; |
| 450 | int err; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 451 | |
Eric Biggers | 42d97eb | 2016-12-19 14:20:13 -0800 | [diff] [blame] | 452 | /* No restrictions on file types which are never encrypted */ |
| 453 | if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) && |
| 454 | !S_ISLNK(child->i_mode)) |
| 455 | return 1; |
| 456 | |
Eric Biggers | 272f98f | 2017-04-07 10:58:37 -0700 | [diff] [blame] | 457 | /* No restrictions if the parent directory is unencrypted */ |
Eric Biggers | e0428a2 | 2017-10-09 12:15:36 -0700 | [diff] [blame] | 458 | if (!IS_ENCRYPTED(parent)) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 459 | return 1; |
Eric Biggers | 272f98f | 2017-04-07 10:58:37 -0700 | [diff] [blame] | 460 | |
| 461 | /* Encrypted directories must not contain unencrypted files */ |
Eric Biggers | e0428a2 | 2017-10-09 12:15:36 -0700 | [diff] [blame] | 462 | if (!IS_ENCRYPTED(child)) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 463 | return 0; |
Eric Biggers | 272f98f | 2017-04-07 10:58:37 -0700 | [diff] [blame] | 464 | |
| 465 | /* |
| 466 | * Both parent and child are encrypted, so verify they use the same |
| 467 | * encryption policy. Compare the fscrypt_info structs if the keys are |
| 468 | * available, otherwise retrieve and compare the fscrypt_contexts. |
| 469 | * |
| 470 | * Note that the fscrypt_context retrieval will be required frequently |
| 471 | * when accessing an encrypted directory tree without the key. |
| 472 | * Performance-wise this is not a big deal because we already don't |
| 473 | * really optimize for file access without the key (to the extent that |
| 474 | * such access is even possible), given that any attempted access |
| 475 | * already causes a fscrypt_context retrieval and keyring search. |
| 476 | * |
| 477 | * In any case, if an unexpected error occurs, fall back to "forbidden". |
| 478 | */ |
| 479 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 480 | err = fscrypt_get_encryption_info(parent); |
| 481 | if (err) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 482 | return 0; |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 483 | err = fscrypt_get_encryption_info(child); |
| 484 | if (err) |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 485 | return 0; |
| 486 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 487 | err = fscrypt_get_policy(parent, &parent_policy); |
| 488 | if (err) |
Eric Biggers | 272f98f | 2017-04-07 10:58:37 -0700 | [diff] [blame] | 489 | return 0; |
| 490 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 491 | err = fscrypt_get_policy(child, &child_policy); |
| 492 | if (err) |
| 493 | return 0; |
| 494 | |
| 495 | return fscrypt_policies_equal(&parent_policy, &child_policy); |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 496 | } |
| 497 | EXPORT_SYMBOL(fscrypt_has_permitted_context); |
| 498 | |
| 499 | /** |
| 500 | * fscrypt_inherit_context() - Sets a child context from its parent |
| 501 | * @parent: Parent inode from which the context is inherited. |
| 502 | * @child: Child inode that inherits the context from @parent. |
| 503 | * @fs_data: private data given by FS. |
Theodore Ts'o | 5bbdcbb | 2017-01-02 15:12:17 -0500 | [diff] [blame] | 504 | * @preload: preload child i_crypt_info if true |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 505 | * |
Theodore Ts'o | 5bbdcbb | 2017-01-02 15:12:17 -0500 | [diff] [blame] | 506 | * Return: 0 on success, -errno on failure |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 507 | */ |
| 508 | int fscrypt_inherit_context(struct inode *parent, struct inode *child, |
| 509 | void *fs_data, bool preload) |
| 510 | { |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 511 | union fscrypt_context ctx; |
| 512 | int ctxsize; |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 513 | struct fscrypt_info *ci; |
| 514 | int res; |
| 515 | |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 516 | res = fscrypt_get_encryption_info(parent); |
| 517 | if (res < 0) |
| 518 | return res; |
| 519 | |
Eric Biggers | e37a784 | 2019-04-11 14:32:15 -0700 | [diff] [blame] | 520 | ci = READ_ONCE(parent->i_crypt_info); |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 521 | if (ci == NULL) |
| 522 | return -ENOKEY; |
| 523 | |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 524 | ctxsize = fscrypt_new_context_from_policy(&ctx, &ci->ci_policy); |
| 525 | |
Tahsin Erdogan | af65207 | 2017-07-06 00:01:59 -0400 | [diff] [blame] | 526 | BUILD_BUG_ON(sizeof(ctx) != FSCRYPT_SET_CONTEXT_MAX_SIZE); |
Eric Biggers | 5dae460 | 2019-08-04 19:35:47 -0700 | [diff] [blame] | 527 | res = parent->i_sb->s_cop->set_context(child, &ctx, ctxsize, fs_data); |
Jaegeuk Kim | 0b81d07 | 2015-05-15 16:26:10 -0700 | [diff] [blame] | 528 | if (res) |
| 529 | return res; |
| 530 | return preload ? fscrypt_get_encryption_info(child): 0; |
| 531 | } |
| 532 | EXPORT_SYMBOL(fscrypt_inherit_context); |