^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) // SPDX-License-Identifier: GPL-2.0-only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) * fs/crypto/hooks.c
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) * Encryption hooks for higher-level filesystem operations.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) #include <linux/key.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) #include "fscrypt_private.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) * fscrypt_file_open() - prepare to open a possibly-encrypted regular file
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) * @inode: the inode being opened
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) * @filp: the struct file being set up
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) * Currently, an encrypted regular file can only be opened if its encryption key
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) * is available; access to the raw encrypted contents is not supported.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) * Therefore, we first set up the inode's encryption key (if not already done)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) * and return an error if it's unavailable.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) * We also verify that if the parent directory (from the path via which the file
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) * is being opened) is encrypted, then the inode being opened uses the same
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) * encryption policy. This is needed as part of the enforcement that all files
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) * in an encrypted directory tree use the same encryption policy, as a
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) * protection against certain types of offline attacks. Note that this check is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) * needed even when opening an *unencrypted* file, since it's forbidden to have
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) * an unencrypted file in an encrypted directory.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) int fscrypt_file_open(struct inode *inode, struct file *filp)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) struct dentry *dir;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) err = fscrypt_require_key(inode);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) dir = dget_parent(file_dentry(filp));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) if (IS_ENCRYPTED(d_inode(dir)) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) !fscrypt_has_permitted_context(d_inode(dir), inode)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) fscrypt_warn(inode,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) "Inconsistent encryption context (parent directory: %lu)",
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) d_inode(dir)->i_ino);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) err = -EPERM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) dput(dir);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) EXPORT_SYMBOL_GPL(fscrypt_file_open);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) int __fscrypt_prepare_link(struct inode *inode, struct inode *dir,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) struct dentry *dentry)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57) if (fscrypt_is_nokey_name(dentry))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) return -ENOKEY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) * We don't need to separately check that the directory inode's key is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) * available, as it's implied by the dentry not being a no-key name.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) if (!fscrypt_has_permitted_context(dir, inode))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) return -EXDEV;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) EXPORT_SYMBOL_GPL(__fscrypt_prepare_link);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) int __fscrypt_prepare_rename(struct inode *old_dir, struct dentry *old_dentry,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) struct inode *new_dir, struct dentry *new_dentry,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) unsigned int flags)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75) if (fscrypt_is_nokey_name(old_dentry) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) fscrypt_is_nokey_name(new_dentry))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77) return -ENOKEY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) * We don't need to separately check that the directory inodes' keys are
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) * available, as it's implied by the dentries not being no-key names.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) if (old_dir != new_dir) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) if (IS_ENCRYPTED(new_dir) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) !fscrypt_has_permitted_context(new_dir,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) d_inode(old_dentry)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) return -EXDEV;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) if ((flags & RENAME_EXCHANGE) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) IS_ENCRYPTED(old_dir) &&
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) !fscrypt_has_permitted_context(old_dir,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) d_inode(new_dentry)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) return -EXDEV;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) EXPORT_SYMBOL_GPL(__fscrypt_prepare_rename);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) struct fscrypt_name *fname)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) int err = fscrypt_setup_filename(dir, &dentry->d_name, 1, fname);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) if (err && err != -ENOENT)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) if (fname->is_nokey_name) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) spin_lock(&dentry->d_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) dentry->d_flags |= DCACHE_NOKEY_NAME;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) spin_unlock(&dentry->d_lock);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) EXPORT_SYMBOL_GPL(__fscrypt_prepare_lookup);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) int __fscrypt_prepare_readdir(struct inode *dir)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) return fscrypt_get_encryption_info(dir, true);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) EXPORT_SYMBOL_GPL(__fscrypt_prepare_readdir);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) int __fscrypt_prepare_setattr(struct dentry *dentry, struct iattr *attr)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) if (attr->ia_valid & ATTR_SIZE)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) return fscrypt_require_key(d_inode(dentry));
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) EXPORT_SYMBOL_GPL(__fscrypt_prepare_setattr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) * fscrypt_prepare_setflags() - prepare to change flags with FS_IOC_SETFLAGS
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) * @inode: the inode on which flags are being changed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) * @oldflags: the old flags
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) * @flags: the new flags
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) * The caller should be holding i_rwsem for write.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) * Return: 0 on success; -errno if the flags change isn't allowed or if
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139) * another error occurs.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) int fscrypt_prepare_setflags(struct inode *inode,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) unsigned int oldflags, unsigned int flags)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) struct fscrypt_info *ci;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) struct key *key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) struct fscrypt_master_key *mk;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) * When the CASEFOLD flag is set on an encrypted directory, we must
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) * derive the secret key needed for the dirhash. This is only possible
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) * if the directory uses a v2 encryption policy.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) if (IS_ENCRYPTED(inode) && (flags & ~oldflags & FS_CASEFOLD_FL)) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155) err = fscrypt_require_key(inode);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) ci = inode->i_crypt_info;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) if (ci->ci_policy.version != FSCRYPT_POLICY_V2)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) return -EINVAL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) key = ci->ci_master_key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162) mk = key->payload.data[0];
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) down_read(&key->sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) if (is_master_key_secret_present(&mk->mk_secret))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) err = fscrypt_derive_dirhash_key(ci, mk);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) err = -ENOKEY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) up_read(&key->sem);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) * fscrypt_prepare_symlink() - prepare to create a possibly-encrypted symlink
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176) * @dir: directory in which the symlink is being created
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) * @target: plaintext symlink target
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) * @len: length of @target excluding null terminator
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) * @max_len: space the filesystem has available to store the symlink target
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) * @disk_link: (out) the on-disk symlink target being prepared
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) * This function computes the size the symlink target will require on-disk,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) * stores it in @disk_link->len, and validates it against @max_len. An
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) * encrypted symlink may be longer than the original.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186) * Additionally, @disk_link->name is set to @target if the symlink will be
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) * unencrypted, but left NULL if the symlink will be encrypted. For encrypted
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) * symlinks, the filesystem must call fscrypt_encrypt_symlink() to create the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) * on-disk target later. (The reason for the two-step process is that some
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) * filesystems need to know the size of the symlink target before creating the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) * inode, e.g. to determine whether it will be a "fast" or "slow" symlink.)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193) * Return: 0 on success, -ENAMETOOLONG if the symlink target is too long,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194) * -ENOKEY if the encryption key is missing, or another -errno code if a problem
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) * occurred while setting up the encryption key.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197) int fscrypt_prepare_symlink(struct inode *dir, const char *target,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198) unsigned int len, unsigned int max_len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199) struct fscrypt_str *disk_link)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201) const union fscrypt_policy *policy;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204) * To calculate the size of the encrypted symlink target we need to know
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) * the amount of NUL padding, which is determined by the flags set in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206) * the encryption policy which will be inherited from the directory.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) policy = fscrypt_policy_to_inherit(dir);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) if (policy == NULL) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) /* Not encrypted */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) disk_link->name = (unsigned char *)target;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) disk_link->len = len + 1;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) if (disk_link->len > max_len)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) return -ENAMETOOLONG;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) if (IS_ERR(policy))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) return PTR_ERR(policy);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) * Calculate the size of the encrypted symlink and verify it won't
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222) * exceed max_len. Note that for historical reasons, encrypted symlink
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) * targets are prefixed with the ciphertext length, despite this
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) * actually being redundant with i_size. This decreases by 2 bytes the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225) * longest symlink target we can accept.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) * We could recover 1 byte by not counting a null terminator, but
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) * counting it (even though it is meaningless for ciphertext) is simpler
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) * for now since filesystems will assume it is there and subtract it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) if (!fscrypt_fname_encrypted_size(policy, len,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) max_len - sizeof(struct fscrypt_symlink_data),
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) &disk_link->len))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) return -ENAMETOOLONG;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) disk_link->len += sizeof(struct fscrypt_symlink_data);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) disk_link->name = NULL;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) EXPORT_SYMBOL_GPL(fscrypt_prepare_symlink);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242) int __fscrypt_encrypt_symlink(struct inode *inode, const char *target,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) unsigned int len, struct fscrypt_str *disk_link)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246) struct qstr iname = QSTR_INIT(target, len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) struct fscrypt_symlink_data *sd;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) unsigned int ciphertext_len;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) * fscrypt_prepare_new_inode() should have already set up the new
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252) * symlink inode's encryption key. We don't wait until now to do it,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253) * since we may be in a filesystem transaction now.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255) if (WARN_ON_ONCE(!fscrypt_has_encryption_key(inode)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256) return -ENOKEY;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258) if (disk_link->name) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) /* filesystem-provided buffer */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260) sd = (struct fscrypt_symlink_data *)disk_link->name;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261) } else {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) sd = kmalloc(disk_link->len, GFP_NOFS);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) if (!sd)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264) return -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) ciphertext_len = disk_link->len - sizeof(*sd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267) sd->len = cpu_to_le16(ciphertext_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269) err = fscrypt_fname_encrypt(inode, &iname, sd->encrypted_path,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270) ciphertext_len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272) goto err_free_sd;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) * Null-terminating the ciphertext doesn't make sense, but we still
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) * count the null terminator in the length, so we might as well
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277) * initialize it just in case the filesystem writes it out.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 279) sd->encrypted_path[ciphertext_len] = '\0';
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 280)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 281) /* Cache the plaintext symlink target for later use by get_link() */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 282) err = -ENOMEM;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 283) inode->i_link = kmemdup(target, len + 1, GFP_NOFS);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 284) if (!inode->i_link)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 285) goto err_free_sd;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 286)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 287) if (!disk_link->name)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 288) disk_link->name = (unsigned char *)sd;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 289) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 290)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 291) err_free_sd:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 292) if (!disk_link->name)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 293) kfree(sd);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 294) return err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 295) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 296) EXPORT_SYMBOL_GPL(__fscrypt_encrypt_symlink);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 297)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 298) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 299) * fscrypt_get_symlink() - get the target of an encrypted symlink
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 300) * @inode: the symlink inode
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 301) * @caddr: the on-disk contents of the symlink
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 302) * @max_size: size of @caddr buffer
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 303) * @done: if successful, will be set up to free the returned target if needed
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 304) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 305) * If the symlink's encryption key is available, we decrypt its target.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 306) * Otherwise, we encode its target for presentation.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 307) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 308) * This may sleep, so the filesystem must have dropped out of RCU mode already.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 309) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 310) * Return: the presentable symlink target or an ERR_PTR()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 311) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 312) const char *fscrypt_get_symlink(struct inode *inode, const void *caddr,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 313) unsigned int max_size,
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 314) struct delayed_call *done)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 315) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 316) const struct fscrypt_symlink_data *sd;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 317) struct fscrypt_str cstr, pstr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 318) bool has_key;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 319) int err;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 320)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 321) /* This is for encrypted symlinks only */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 322) if (WARN_ON(!IS_ENCRYPTED(inode)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 323) return ERR_PTR(-EINVAL);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 324)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 325) /* If the decrypted target is already cached, just return it. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 326) pstr.name = READ_ONCE(inode->i_link);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 327) if (pstr.name)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 328) return pstr.name;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 329)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 330) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 331) * Try to set up the symlink's encryption key, but we can continue
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 332) * regardless of whether the key is available or not.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 333) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 334) err = fscrypt_get_encryption_info(inode, false);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 335) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 336) return ERR_PTR(err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 337) has_key = fscrypt_has_encryption_key(inode);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 338)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 339) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 340) * For historical reasons, encrypted symlink targets are prefixed with
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 341) * the ciphertext length, even though this is redundant with i_size.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 342) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 343)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 344) if (max_size < sizeof(*sd))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 345) return ERR_PTR(-EUCLEAN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 346) sd = caddr;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 347) cstr.name = (unsigned char *)sd->encrypted_path;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 348) cstr.len = le16_to_cpu(sd->len);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 349)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 350) if (cstr.len == 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 351) return ERR_PTR(-EUCLEAN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 352)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 353) if (cstr.len + sizeof(*sd) - 1 > max_size)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 354) return ERR_PTR(-EUCLEAN);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 355)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 356) err = fscrypt_fname_alloc_buffer(cstr.len, &pstr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 357) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 358) return ERR_PTR(err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 359)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 360) err = fscrypt_fname_disk_to_usr(inode, 0, 0, &cstr, &pstr);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 361) if (err)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 362) goto err_kfree;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 363)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 364) err = -EUCLEAN;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 365) if (pstr.name[0] == '\0')
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 366) goto err_kfree;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 367)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 368) pstr.name[pstr.len] = '\0';
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 369)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 370) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 371) * Cache decrypted symlink targets in i_link for later use. Don't cache
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 372) * symlink targets encoded without the key, since those become outdated
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 373) * once the key is added. This pairs with the READ_ONCE() above and in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 374) * the VFS path lookup code.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 375) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 376) if (!has_key ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 377) cmpxchg_release(&inode->i_link, NULL, pstr.name) != NULL)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 378) set_delayed_call(done, kfree_link, pstr.name);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 379)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 380) return pstr.name;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 381)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 382) err_kfree:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 383) kfree(pstr.name);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 384) return ERR_PTR(err);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 385) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 386) EXPORT_SYMBOL_GPL(fscrypt_get_symlink);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 387)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 388) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 389) * fscrypt_symlink_getattr() - set the correct st_size for encrypted symlinks
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 390) * @path: the path for the encrypted symlink being queried
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 391) * @stat: the struct being filled with the symlink's attributes
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 392) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 393) * Override st_size of encrypted symlinks to be the length of the decrypted
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 394) * symlink target (or the no-key encoded symlink target, if the key is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 395) * unavailable) rather than the length of the encrypted symlink target. This is
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 396) * necessary for st_size to match the symlink target that userspace actually
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 397) * sees. POSIX requires this, and some userspace programs depend on it.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 398) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 399) * This requires reading the symlink target from disk if needed, setting up the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 400) * inode's encryption key if possible, and then decrypting or encoding the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 401) * symlink target. This makes lstat() more heavyweight than is normally the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 402) * case. However, decrypted symlink targets will be cached in ->i_link, so
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 403) * usually the symlink won't have to be read and decrypted again later if/when
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 404) * it is actually followed, readlink() is called, or lstat() is called again.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 405) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 406) * Return: 0 on success, -errno on failure
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 407) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 408) int fscrypt_symlink_getattr(const struct path *path, struct kstat *stat)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 409) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 410) struct dentry *dentry = path->dentry;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 411) struct inode *inode = d_inode(dentry);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 412) const char *link;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 413) DEFINE_DELAYED_CALL(done);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 414)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 415) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 416) * To get the symlink target that userspace will see (whether it's the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 417) * decrypted target or the no-key encoded target), we can just get it in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 418) * the same way the VFS does during path resolution and readlink().
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 419) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 420) link = READ_ONCE(inode->i_link);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 421) if (!link) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 422) link = inode->i_op->get_link(dentry, inode, &done);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 423) if (IS_ERR(link))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 424) return PTR_ERR(link);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 425) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 426) stat->size = strlen(link);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 427) do_delayed_call(&done);
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 428) return 0;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 429) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 430) EXPORT_SYMBOL_GPL(fscrypt_symlink_getattr);
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags