| blob | 926e5df20ec31b783a5ac77dded7d0bd58bdc27b |
1 /*
2 * fs/crypto/hooks.c
3 *
4 * Encryption hooks for higher-level filesystem operations.
5 */
7 #include <linux/ratelimit.h>
10 /**
11 * fscrypt_file_open - prepare to open a possibly-encrypted regular file
12 * @inode: the inode being opened
13 * @filp: the struct file being set up
14 *
15 * Currently, an encrypted regular file can only be opened if its encryption key
16 * is available; access to the raw encrypted contents is not supported.
17 * Therefore, we first set up the inode's encryption key (if not already done)
18 * and return an error if it's unavailable.
19 *
20 * We also verify that if the parent directory (from the path via which the file
21 * is being opened) is encrypted, then the inode being opened uses the same
22 * encryption policy. This is needed as part of the enforcement that all files
23 * in an encrypted directory tree use the same encryption policy, as a
24 * protection against certain types of offline attacks. Note that this check is
25 * needed even when opening an *unencrypted* file, since it's forbidden to have
26 * an unencrypted file in an encrypted directory.
27 *
28 * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
29 */
31 {
46 }
49 }
53 {
64 }
70 {
92 }
94 }
98 {
108 }
112 }
118 {
121 /*
122 * To calculate the size of the encrypted symlink target we need to know
123 * the amount of NUL padding, which is determined by the flags set in
124 * the encryption policy which will be inherited from the directory.
125 * The easiest way to get access to this is to just load the directory's
126 * fscrypt_info, since we'll need it to create the dir_entry anyway.
127 *
128 * Note: in test_dummy_encryption mode, @dir may be unencrypted.
129 */
136 /*
137 * Calculate the size of the encrypted symlink and verify it won't
138 * exceed max_len. Note that for historical reasons, encrypted symlink
139 * targets are prefixed with the ciphertext length, despite this
140 * actually being redundant with i_size. This decreases by 2 bytes the
141 * longest symlink target we can accept.
142 *
143 * We could recover 1 byte by not counting a null terminator, but
144 * counting it (even though it is meaningless for ciphertext) is simpler
145 * for now since filesystems will assume it is there and subtract it.
146 */
155 }
160 {
171 /* filesystem-provided buffer */
177 }
186 }
187 /*
188 * Null-terminating the ciphertext doesn't make sense, but we still
189 * count the null terminator in the length, so we might as well
190 * initialize it just in case the filesystem writes it out.
191 */
197 }
200 /**
201 * fscrypt_get_symlink - get the target of an encrypted symlink
202 * @inode: the symlink inode
203 * @caddr: the on-disk contents of the symlink
204 * @max_size: size of @caddr buffer
205 * @done: if successful, will be set up to free the returned target
206 *
207 * If the symlink's encryption key is available, we decrypt its target.
208 * Otherwise, we encode its target for presentation.
209 *
210 * This may sleep, so the filesystem must have dropped out of RCU mode already.
211 *
212 * Return: the presentable symlink target or an ERR_PTR()
213 */
217 {
222 /* This is for encrypted symlinks only */
226 /*
227 * Try to set up the symlink's encryption key, but we can continue
228 * regardless of whether the key is available or not.
229 */
234 /*
235 * For historical reasons, encrypted symlink targets are prefixed with
236 * the ciphertext length, even though this is redundant with i_size.
237 */
267 err_kfree:
270 }