Thomas Gleixner | 457c899 | 2019-05-19 13:08:55 +0100 | [diff] [blame] | 1 | // SPDX-License-Identifier: GPL-2.0-only |
Eric Biggers | efcc7ae | 2017-10-09 12:15:40 -0700 | [diff] [blame] | 2 | /* |
| 3 | * fs/crypto/hooks.c |
| 4 | * |
| 5 | * Encryption hooks for higher-level filesystem operations. |
| 6 | */ |
| 7 | |
Daniel Rosenberg | aa408f8 | 2020-01-20 14:31:57 -0800 | [diff] [blame] | 8 | #include <linux/key.h> |
| 9 | |
Eric Biggers | efcc7ae | 2017-10-09 12:15:40 -0700 | [diff] [blame] | 10 | #include "fscrypt_private.h" |
| 11 | |
| 12 | /** |
Eric Biggers | d2fe975 | 2020-05-11 12:13:56 -0700 | [diff] [blame^] | 13 | * fscrypt_file_open() - prepare to open a possibly-encrypted regular file |
Eric Biggers | efcc7ae | 2017-10-09 12:15:40 -0700 | [diff] [blame] | 14 | * @inode: the inode being opened |
| 15 | * @filp: the struct file being set up |
| 16 | * |
| 17 | * Currently, an encrypted regular file can only be opened if its encryption key |
| 18 | * is available; access to the raw encrypted contents is not supported. |
| 19 | * Therefore, we first set up the inode's encryption key (if not already done) |
| 20 | * and return an error if it's unavailable. |
| 21 | * |
| 22 | * We also verify that if the parent directory (from the path via which the file |
| 23 | * is being opened) is encrypted, then the inode being opened uses the same |
| 24 | * encryption policy. This is needed as part of the enforcement that all files |
| 25 | * in an encrypted directory tree use the same encryption policy, as a |
| 26 | * protection against certain types of offline attacks. Note that this check is |
| 27 | * needed even when opening an *unencrypted* file, since it's forbidden to have |
| 28 | * an unencrypted file in an encrypted directory. |
| 29 | * |
| 30 | * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code |
| 31 | */ |
| 32 | int fscrypt_file_open(struct inode *inode, struct file *filp) |
| 33 | { |
| 34 | int err; |
| 35 | struct dentry *dir; |
| 36 | |
| 37 | err = fscrypt_require_key(inode); |
| 38 | if (err) |
| 39 | return err; |
| 40 | |
| 41 | dir = dget_parent(file_dentry(filp)); |
| 42 | if (IS_ENCRYPTED(d_inode(dir)) && |
| 43 | !fscrypt_has_permitted_context(d_inode(dir), inode)) { |
Eric Biggers | 886da8b | 2019-07-24 11:07:58 -0700 | [diff] [blame] | 44 | fscrypt_warn(inode, |
| 45 | "Inconsistent encryption context (parent directory: %lu)", |
| 46 | d_inode(dir)->i_ino); |
Eric Biggers | efcc7ae | 2017-10-09 12:15:40 -0700 | [diff] [blame] | 47 | err = -EPERM; |
| 48 | } |
| 49 | dput(dir); |
| 50 | return err; |
| 51 | } |
| 52 | EXPORT_SYMBOL_GPL(fscrypt_file_open); |
Eric Biggers | 0ea87a9 | 2017-10-09 12:15:41 -0700 | [diff] [blame] | 53 | |
Eric Biggers | 968dd6d | 2019-03-20 11:39:10 -0700 | [diff] [blame] | 54 | int __fscrypt_prepare_link(struct inode *inode, struct inode *dir, |
| 55 | struct dentry *dentry) |
Eric Biggers | 0ea87a9 | 2017-10-09 12:15:41 -0700 | [diff] [blame] | 56 | { |
| 57 | int err; |
| 58 | |
| 59 | err = fscrypt_require_key(dir); |
| 60 | if (err) |
| 61 | return err; |
| 62 | |
Eric Biggers | 968dd6d | 2019-03-20 11:39:10 -0700 | [diff] [blame] | 63 | /* ... in case we looked up ciphertext name before key was added */ |
| 64 | if (dentry->d_flags & DCACHE_ENCRYPTED_NAME) |
| 65 | return -ENOKEY; |
| 66 | |
Eric Biggers | 0ea87a9 | 2017-10-09 12:15:41 -0700 | [diff] [blame] | 67 | if (!fscrypt_has_permitted_context(dir, inode)) |
Eric Biggers | f5e55e7 | 2019-01-22 16:20:21 -0800 | [diff] [blame] | 68 | return -EXDEV; |
Eric Biggers | 0ea87a9 | 2017-10-09 12:15:41 -0700 | [diff] [blame] | 69 | |
| 70 | return 0; |
| 71 | } |
| 72 | EXPORT_SYMBOL_GPL(__fscrypt_prepare_link); |
Eric Biggers | 94b26f3 | 2017-10-09 12:15:42 -0700 | [diff] [blame] | 73 | |
| 74 | int __fscrypt_prepare_rename(struct inode *old_dir, struct dentry *old_dentry, |
| 75 | struct inode *new_dir, struct dentry *new_dentry, |
| 76 | unsigned int flags) |
| 77 | { |
| 78 | int err; |
| 79 | |
| 80 | err = fscrypt_require_key(old_dir); |
| 81 | if (err) |
| 82 | return err; |
| 83 | |
| 84 | err = fscrypt_require_key(new_dir); |
| 85 | if (err) |
| 86 | return err; |
| 87 | |
Eric Biggers | 968dd6d | 2019-03-20 11:39:10 -0700 | [diff] [blame] | 88 | /* ... in case we looked up ciphertext name(s) before key was added */ |
| 89 | if ((old_dentry->d_flags | new_dentry->d_flags) & |
| 90 | DCACHE_ENCRYPTED_NAME) |
| 91 | return -ENOKEY; |
| 92 | |
Eric Biggers | 94b26f3 | 2017-10-09 12:15:42 -0700 | [diff] [blame] | 93 | if (old_dir != new_dir) { |
| 94 | if (IS_ENCRYPTED(new_dir) && |
| 95 | !fscrypt_has_permitted_context(new_dir, |
| 96 | d_inode(old_dentry))) |
Eric Biggers | f5e55e7 | 2019-01-22 16:20:21 -0800 | [diff] [blame] | 97 | return -EXDEV; |
Eric Biggers | 94b26f3 | 2017-10-09 12:15:42 -0700 | [diff] [blame] | 98 | |
| 99 | if ((flags & RENAME_EXCHANGE) && |
| 100 | IS_ENCRYPTED(old_dir) && |
| 101 | !fscrypt_has_permitted_context(old_dir, |
| 102 | d_inode(new_dentry))) |
Eric Biggers | f5e55e7 | 2019-01-22 16:20:21 -0800 | [diff] [blame] | 103 | return -EXDEV; |
Eric Biggers | 94b26f3 | 2017-10-09 12:15:42 -0700 | [diff] [blame] | 104 | } |
| 105 | return 0; |
| 106 | } |
| 107 | EXPORT_SYMBOL_GPL(__fscrypt_prepare_rename); |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 108 | |
Eric Biggers | b01531d | 2019-03-20 11:39:13 -0700 | [diff] [blame] | 109 | int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry, |
| 110 | struct fscrypt_name *fname) |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 111 | { |
Eric Biggers | b01531d | 2019-03-20 11:39:13 -0700 | [diff] [blame] | 112 | int err = fscrypt_setup_filename(dir, &dentry->d_name, 1, fname); |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 113 | |
Eric Biggers | b01531d | 2019-03-20 11:39:13 -0700 | [diff] [blame] | 114 | if (err && err != -ENOENT) |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 115 | return err; |
| 116 | |
Eric Biggers | b01531d | 2019-03-20 11:39:13 -0700 | [diff] [blame] | 117 | if (fname->is_ciphertext_name) { |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 118 | spin_lock(&dentry->d_lock); |
Eric Biggers | 6cc2486 | 2019-03-20 11:39:09 -0700 | [diff] [blame] | 119 | dentry->d_flags |= DCACHE_ENCRYPTED_NAME; |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 120 | spin_unlock(&dentry->d_lock); |
Eric Biggers | d456a33 | 2019-03-20 11:39:12 -0700 | [diff] [blame] | 121 | d_set_d_op(dentry, &fscrypt_d_ops); |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 122 | } |
Eric Biggers | b01531d | 2019-03-20 11:39:13 -0700 | [diff] [blame] | 123 | return err; |
Eric Biggers | 32c3cf0 | 2017-10-09 12:15:43 -0700 | [diff] [blame] | 124 | } |
| 125 | EXPORT_SYMBOL_GPL(__fscrypt_prepare_lookup); |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 126 | |
Daniel Rosenberg | 6e1918c | 2020-01-20 14:31:56 -0800 | [diff] [blame] | 127 | /** |
| 128 | * fscrypt_prepare_setflags() - prepare to change flags with FS_IOC_SETFLAGS |
| 129 | * @inode: the inode on which flags are being changed |
| 130 | * @oldflags: the old flags |
| 131 | * @flags: the new flags |
| 132 | * |
| 133 | * The caller should be holding i_rwsem for write. |
| 134 | * |
| 135 | * Return: 0 on success; -errno if the flags change isn't allowed or if |
| 136 | * another error occurs. |
| 137 | */ |
| 138 | int fscrypt_prepare_setflags(struct inode *inode, |
| 139 | unsigned int oldflags, unsigned int flags) |
| 140 | { |
| 141 | struct fscrypt_info *ci; |
Daniel Rosenberg | aa408f8 | 2020-01-20 14:31:57 -0800 | [diff] [blame] | 142 | struct fscrypt_master_key *mk; |
Daniel Rosenberg | 6e1918c | 2020-01-20 14:31:56 -0800 | [diff] [blame] | 143 | int err; |
| 144 | |
Daniel Rosenberg | aa408f8 | 2020-01-20 14:31:57 -0800 | [diff] [blame] | 145 | /* |
| 146 | * When the CASEFOLD flag is set on an encrypted directory, we must |
| 147 | * derive the secret key needed for the dirhash. This is only possible |
| 148 | * if the directory uses a v2 encryption policy. |
| 149 | */ |
Daniel Rosenberg | 6e1918c | 2020-01-20 14:31:56 -0800 | [diff] [blame] | 150 | if (IS_ENCRYPTED(inode) && (flags & ~oldflags & FS_CASEFOLD_FL)) { |
| 151 | err = fscrypt_require_key(inode); |
| 152 | if (err) |
| 153 | return err; |
| 154 | ci = inode->i_crypt_info; |
| 155 | if (ci->ci_policy.version != FSCRYPT_POLICY_V2) |
| 156 | return -EINVAL; |
Daniel Rosenberg | aa408f8 | 2020-01-20 14:31:57 -0800 | [diff] [blame] | 157 | mk = ci->ci_master_key->payload.data[0]; |
| 158 | down_read(&mk->mk_secret_sem); |
| 159 | if (is_master_key_secret_present(&mk->mk_secret)) |
| 160 | err = fscrypt_derive_dirhash_key(ci, mk); |
| 161 | else |
| 162 | err = -ENOKEY; |
| 163 | up_read(&mk->mk_secret_sem); |
| 164 | return err; |
Daniel Rosenberg | 6e1918c | 2020-01-20 14:31:56 -0800 | [diff] [blame] | 165 | } |
| 166 | return 0; |
| 167 | } |
| 168 | |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 169 | int __fscrypt_prepare_symlink(struct inode *dir, unsigned int len, |
| 170 | unsigned int max_len, |
| 171 | struct fscrypt_str *disk_link) |
| 172 | { |
| 173 | int err; |
| 174 | |
| 175 | /* |
| 176 | * To calculate the size of the encrypted symlink target we need to know |
| 177 | * the amount of NUL padding, which is determined by the flags set in |
| 178 | * the encryption policy which will be inherited from the directory. |
| 179 | * The easiest way to get access to this is to just load the directory's |
| 180 | * fscrypt_info, since we'll need it to create the dir_entry anyway. |
| 181 | * |
| 182 | * Note: in test_dummy_encryption mode, @dir may be unencrypted. |
| 183 | */ |
| 184 | err = fscrypt_get_encryption_info(dir); |
| 185 | if (err) |
| 186 | return err; |
| 187 | if (!fscrypt_has_encryption_key(dir)) |
| 188 | return -ENOKEY; |
| 189 | |
| 190 | /* |
| 191 | * Calculate the size of the encrypted symlink and verify it won't |
| 192 | * exceed max_len. Note that for historical reasons, encrypted symlink |
| 193 | * targets are prefixed with the ciphertext length, despite this |
| 194 | * actually being redundant with i_size. This decreases by 2 bytes the |
| 195 | * longest symlink target we can accept. |
| 196 | * |
| 197 | * We could recover 1 byte by not counting a null terminator, but |
| 198 | * counting it (even though it is meaningless for ciphertext) is simpler |
| 199 | * for now since filesystems will assume it is there and subtract it. |
| 200 | */ |
Eric Biggers | b9db0b4 | 2018-01-11 23:30:08 -0500 | [diff] [blame] | 201 | if (!fscrypt_fname_encrypted_size(dir, len, |
| 202 | max_len - sizeof(struct fscrypt_symlink_data), |
| 203 | &disk_link->len)) |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 204 | return -ENAMETOOLONG; |
Eric Biggers | b9db0b4 | 2018-01-11 23:30:08 -0500 | [diff] [blame] | 205 | disk_link->len += sizeof(struct fscrypt_symlink_data); |
| 206 | |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 207 | disk_link->name = NULL; |
| 208 | return 0; |
| 209 | } |
| 210 | EXPORT_SYMBOL_GPL(__fscrypt_prepare_symlink); |
| 211 | |
| 212 | int __fscrypt_encrypt_symlink(struct inode *inode, const char *target, |
| 213 | unsigned int len, struct fscrypt_str *disk_link) |
| 214 | { |
| 215 | int err; |
Eric Biggers | 0b1dfa4 | 2018-01-19 13:45:24 -0800 | [diff] [blame] | 216 | struct qstr iname = QSTR_INIT(target, len); |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 217 | struct fscrypt_symlink_data *sd; |
| 218 | unsigned int ciphertext_len; |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 219 | |
| 220 | err = fscrypt_require_key(inode); |
| 221 | if (err) |
| 222 | return err; |
| 223 | |
| 224 | if (disk_link->name) { |
| 225 | /* filesystem-provided buffer */ |
| 226 | sd = (struct fscrypt_symlink_data *)disk_link->name; |
| 227 | } else { |
| 228 | sd = kmalloc(disk_link->len, GFP_NOFS); |
| 229 | if (!sd) |
| 230 | return -ENOMEM; |
| 231 | } |
| 232 | ciphertext_len = disk_link->len - sizeof(*sd); |
| 233 | sd->len = cpu_to_le16(ciphertext_len); |
| 234 | |
Eric Biggers | 1b3b827 | 2020-01-19 23:17:36 -0800 | [diff] [blame] | 235 | err = fscrypt_fname_encrypt(inode, &iname, sd->encrypted_path, |
| 236 | ciphertext_len); |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 237 | if (err) |
| 238 | goto err_free_sd; |
| 239 | |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 240 | /* |
| 241 | * Null-terminating the ciphertext doesn't make sense, but we still |
| 242 | * count the null terminator in the length, so we might as well |
| 243 | * initialize it just in case the filesystem writes it out. |
| 244 | */ |
| 245 | sd->encrypted_path[ciphertext_len] = '\0'; |
| 246 | |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 247 | /* Cache the plaintext symlink target for later use by get_link() */ |
| 248 | err = -ENOMEM; |
| 249 | inode->i_link = kmemdup(target, len + 1, GFP_NOFS); |
| 250 | if (!inode->i_link) |
| 251 | goto err_free_sd; |
| 252 | |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 253 | if (!disk_link->name) |
| 254 | disk_link->name = (unsigned char *)sd; |
| 255 | return 0; |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 256 | |
| 257 | err_free_sd: |
| 258 | if (!disk_link->name) |
| 259 | kfree(sd); |
| 260 | return err; |
Eric Biggers | 76e81d6 | 2018-01-05 10:45:01 -0800 | [diff] [blame] | 261 | } |
| 262 | EXPORT_SYMBOL_GPL(__fscrypt_encrypt_symlink); |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 263 | |
| 264 | /** |
Eric Biggers | d2fe975 | 2020-05-11 12:13:56 -0700 | [diff] [blame^] | 265 | * fscrypt_get_symlink() - get the target of an encrypted symlink |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 266 | * @inode: the symlink inode |
| 267 | * @caddr: the on-disk contents of the symlink |
| 268 | * @max_size: size of @caddr buffer |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 269 | * @done: if successful, will be set up to free the returned target if needed |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 270 | * |
| 271 | * If the symlink's encryption key is available, we decrypt its target. |
| 272 | * Otherwise, we encode its target for presentation. |
| 273 | * |
| 274 | * This may sleep, so the filesystem must have dropped out of RCU mode already. |
| 275 | * |
| 276 | * Return: the presentable symlink target or an ERR_PTR() |
| 277 | */ |
| 278 | const char *fscrypt_get_symlink(struct inode *inode, const void *caddr, |
| 279 | unsigned int max_size, |
| 280 | struct delayed_call *done) |
| 281 | { |
| 282 | const struct fscrypt_symlink_data *sd; |
| 283 | struct fscrypt_str cstr, pstr; |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 284 | bool has_key; |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 285 | int err; |
| 286 | |
| 287 | /* This is for encrypted symlinks only */ |
| 288 | if (WARN_ON(!IS_ENCRYPTED(inode))) |
| 289 | return ERR_PTR(-EINVAL); |
| 290 | |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 291 | /* If the decrypted target is already cached, just return it. */ |
| 292 | pstr.name = READ_ONCE(inode->i_link); |
| 293 | if (pstr.name) |
| 294 | return pstr.name; |
| 295 | |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 296 | /* |
| 297 | * Try to set up the symlink's encryption key, but we can continue |
| 298 | * regardless of whether the key is available or not. |
| 299 | */ |
| 300 | err = fscrypt_get_encryption_info(inode); |
| 301 | if (err) |
| 302 | return ERR_PTR(err); |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 303 | has_key = fscrypt_has_encryption_key(inode); |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 304 | |
| 305 | /* |
| 306 | * For historical reasons, encrypted symlink targets are prefixed with |
| 307 | * the ciphertext length, even though this is redundant with i_size. |
| 308 | */ |
| 309 | |
| 310 | if (max_size < sizeof(*sd)) |
| 311 | return ERR_PTR(-EUCLEAN); |
| 312 | sd = caddr; |
| 313 | cstr.name = (unsigned char *)sd->encrypted_path; |
| 314 | cstr.len = le16_to_cpu(sd->len); |
| 315 | |
| 316 | if (cstr.len == 0) |
| 317 | return ERR_PTR(-EUCLEAN); |
| 318 | |
| 319 | if (cstr.len + sizeof(*sd) - 1 > max_size) |
| 320 | return ERR_PTR(-EUCLEAN); |
| 321 | |
| 322 | err = fscrypt_fname_alloc_buffer(inode, cstr.len, &pstr); |
| 323 | if (err) |
| 324 | return ERR_PTR(err); |
| 325 | |
| 326 | err = fscrypt_fname_disk_to_usr(inode, 0, 0, &cstr, &pstr); |
| 327 | if (err) |
| 328 | goto err_kfree; |
| 329 | |
| 330 | err = -EUCLEAN; |
| 331 | if (pstr.name[0] == '\0') |
| 332 | goto err_kfree; |
| 333 | |
| 334 | pstr.name[pstr.len] = '\0'; |
Eric Biggers | 2c58d54 | 2019-04-10 13:21:15 -0700 | [diff] [blame] | 335 | |
| 336 | /* |
| 337 | * Cache decrypted symlink targets in i_link for later use. Don't cache |
| 338 | * symlink targets encoded without the key, since those become outdated |
| 339 | * once the key is added. This pairs with the READ_ONCE() above and in |
| 340 | * the VFS path lookup code. |
| 341 | */ |
| 342 | if (!has_key || |
| 343 | cmpxchg_release(&inode->i_link, NULL, pstr.name) != NULL) |
| 344 | set_delayed_call(done, kfree_link, pstr.name); |
| 345 | |
Eric Biggers | 3b0d883 | 2018-01-05 10:45:02 -0800 | [diff] [blame] | 346 | return pstr.name; |
| 347 | |
| 348 | err_kfree: |
| 349 | kfree(pstr.name); |
| 350 | return ERR_PTR(err); |
| 351 | } |
| 352 | EXPORT_SYMBOL_GPL(fscrypt_get_symlink); |