1 // SPDX-License-Identifier: GPL-2.0
3 * Encryption policy functions for per-file encryption support.
5 * Copyright (C) 2015, Google, Inc.
6 * Copyright (C) 2015, Motorola Mobility.
8 * Originally written by Michael Halcrow, 2015.
9 * Modified by Jaegeuk Kim, 2015.
10 * Modified by Eric Biggers, 2019 for v2 policy support.
13 #include <linux/random.h>
14 #include <linux/string.h>
15 #include <linux/mount.h>
16 #include "fscrypt_private.h"
19 * fscrypt_policies_equal - check whether two encryption policies are the same
21 * Return: %true if equal, else %false
23 bool fscrypt_policies_equal(const union fscrypt_policy
*policy1
,
24 const union fscrypt_policy
*policy2
)
26 if (policy1
->version
!= policy2
->version
)
29 return !memcmp(policy1
, policy2
, fscrypt_policy_size(policy1
));
32 static bool fscrypt_valid_enc_modes(u32 contents_mode
, u32 filenames_mode
)
34 if (contents_mode
== FSCRYPT_MODE_AES_256_XTS
&&
35 filenames_mode
== FSCRYPT_MODE_AES_256_CTS
)
38 if (contents_mode
== FSCRYPT_MODE_AES_128_CBC
&&
39 filenames_mode
== FSCRYPT_MODE_AES_128_CTS
)
42 if (contents_mode
== FSCRYPT_MODE_ADIANTUM
&&
43 filenames_mode
== FSCRYPT_MODE_ADIANTUM
)
49 static bool supported_direct_key_modes(const struct inode
*inode
,
50 u32 contents_mode
, u32 filenames_mode
)
52 const struct fscrypt_mode
*mode
;
54 if (contents_mode
!= filenames_mode
) {
56 "Direct key flag not allowed with different contents and filenames modes");
59 mode
= &fscrypt_modes
[contents_mode
];
61 if (mode
->ivsize
< offsetofend(union fscrypt_iv
, nonce
)) {
62 fscrypt_warn(inode
, "Direct key flag not allowed with %s",
69 static bool supported_iv_ino_lblk_64_policy(
70 const struct fscrypt_policy_v2
*policy
,
71 const struct inode
*inode
)
73 struct super_block
*sb
= inode
->i_sb
;
74 int ino_bits
= 64, lblk_bits
= 64;
76 if (policy
->flags
& FSCRYPT_POLICY_FLAG_DIRECT_KEY
) {
78 "The DIRECT_KEY and IV_INO_LBLK_64 flags are mutually exclusive");
82 * It's unsafe to include inode numbers in the IVs if the filesystem can
83 * potentially renumber inodes, e.g. via filesystem shrinking.
85 if (!sb
->s_cop
->has_stable_inodes
||
86 !sb
->s_cop
->has_stable_inodes(sb
)) {
88 "Can't use IV_INO_LBLK_64 policy on filesystem '%s' because it doesn't have stable inode numbers",
92 if (sb
->s_cop
->get_ino_and_lblk_bits
)
93 sb
->s_cop
->get_ino_and_lblk_bits(sb
, &ino_bits
, &lblk_bits
);
94 if (ino_bits
> 32 || lblk_bits
> 32) {
96 "Can't use IV_INO_LBLK_64 policy on filesystem '%s' because it doesn't use 32-bit inode and block numbers",
103 static bool fscrypt_supported_v1_policy(const struct fscrypt_policy_v1
*policy
,
104 const struct inode
*inode
)
106 if (!fscrypt_valid_enc_modes(policy
->contents_encryption_mode
,
107 policy
->filenames_encryption_mode
)) {
109 "Unsupported encryption modes (contents %d, filenames %d)",
110 policy
->contents_encryption_mode
,
111 policy
->filenames_encryption_mode
);
115 if (policy
->flags
& ~(FSCRYPT_POLICY_FLAGS_PAD_MASK
|
116 FSCRYPT_POLICY_FLAG_DIRECT_KEY
)) {
117 fscrypt_warn(inode
, "Unsupported encryption flags (0x%02x)",
122 if ((policy
->flags
& FSCRYPT_POLICY_FLAG_DIRECT_KEY
) &&
123 !supported_direct_key_modes(inode
, policy
->contents_encryption_mode
,
124 policy
->filenames_encryption_mode
))
127 if (IS_CASEFOLDED(inode
)) {
128 /* With v1, there's no way to derive dirhash keys. */
130 "v1 policies can't be used on casefolded directories");
137 static bool fscrypt_supported_v2_policy(const struct fscrypt_policy_v2
*policy
,
138 const struct inode
*inode
)
140 if (!fscrypt_valid_enc_modes(policy
->contents_encryption_mode
,
141 policy
->filenames_encryption_mode
)) {
143 "Unsupported encryption modes (contents %d, filenames %d)",
144 policy
->contents_encryption_mode
,
145 policy
->filenames_encryption_mode
);
149 if (policy
->flags
& ~FSCRYPT_POLICY_FLAGS_VALID
) {
150 fscrypt_warn(inode
, "Unsupported encryption flags (0x%02x)",
155 if ((policy
->flags
& FSCRYPT_POLICY_FLAG_DIRECT_KEY
) &&
156 !supported_direct_key_modes(inode
, policy
->contents_encryption_mode
,
157 policy
->filenames_encryption_mode
))
160 if ((policy
->flags
& FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64
) &&
161 !supported_iv_ino_lblk_64_policy(policy
, inode
))
164 if (memchr_inv(policy
->__reserved
, 0, sizeof(policy
->__reserved
))) {
165 fscrypt_warn(inode
, "Reserved bits set in encryption policy");
173 * fscrypt_supported_policy - check whether an encryption policy is supported
175 * Given an encryption policy, check whether all its encryption modes and other
176 * settings are supported by this kernel on the given inode. (But we don't
177 * currently don't check for crypto API support here, so attempting to use an
178 * algorithm not configured into the crypto API will still fail later.)
180 * Return: %true if supported, else %false
182 bool fscrypt_supported_policy(const union fscrypt_policy
*policy_u
,
183 const struct inode
*inode
)
185 switch (policy_u
->version
) {
186 case FSCRYPT_POLICY_V1
:
187 return fscrypt_supported_v1_policy(&policy_u
->v1
, inode
);
188 case FSCRYPT_POLICY_V2
:
189 return fscrypt_supported_v2_policy(&policy_u
->v2
, inode
);
195 * fscrypt_new_context_from_policy - create a new fscrypt_context from a policy
197 * Create an fscrypt_context for an inode that is being assigned the given
198 * encryption policy. A new nonce is randomly generated.
200 * Return: the size of the new context in bytes.
202 static int fscrypt_new_context_from_policy(union fscrypt_context
*ctx_u
,
203 const union fscrypt_policy
*policy_u
)
205 memset(ctx_u
, 0, sizeof(*ctx_u
));
207 switch (policy_u
->version
) {
208 case FSCRYPT_POLICY_V1
: {
209 const struct fscrypt_policy_v1
*policy
= &policy_u
->v1
;
210 struct fscrypt_context_v1
*ctx
= &ctx_u
->v1
;
212 ctx
->version
= FSCRYPT_CONTEXT_V1
;
213 ctx
->contents_encryption_mode
=
214 policy
->contents_encryption_mode
;
215 ctx
->filenames_encryption_mode
=
216 policy
->filenames_encryption_mode
;
217 ctx
->flags
= policy
->flags
;
218 memcpy(ctx
->master_key_descriptor
,
219 policy
->master_key_descriptor
,
220 sizeof(ctx
->master_key_descriptor
));
221 get_random_bytes(ctx
->nonce
, sizeof(ctx
->nonce
));
224 case FSCRYPT_POLICY_V2
: {
225 const struct fscrypt_policy_v2
*policy
= &policy_u
->v2
;
226 struct fscrypt_context_v2
*ctx
= &ctx_u
->v2
;
228 ctx
->version
= FSCRYPT_CONTEXT_V2
;
229 ctx
->contents_encryption_mode
=
230 policy
->contents_encryption_mode
;
231 ctx
->filenames_encryption_mode
=
232 policy
->filenames_encryption_mode
;
233 ctx
->flags
= policy
->flags
;
234 memcpy(ctx
->master_key_identifier
,
235 policy
->master_key_identifier
,
236 sizeof(ctx
->master_key_identifier
));
237 get_random_bytes(ctx
->nonce
, sizeof(ctx
->nonce
));
245 * fscrypt_policy_from_context - convert an fscrypt_context to an fscrypt_policy
247 * Given an fscrypt_context, build the corresponding fscrypt_policy.
249 * Return: 0 on success, or -EINVAL if the fscrypt_context has an unrecognized
250 * version number or size.
252 * This does *not* validate the settings within the policy itself, e.g. the
253 * modes, flags, and reserved bits. Use fscrypt_supported_policy() for that.
255 int fscrypt_policy_from_context(union fscrypt_policy
*policy_u
,
256 const union fscrypt_context
*ctx_u
,
259 memset(policy_u
, 0, sizeof(*policy_u
));
261 if (ctx_size
<= 0 || ctx_size
!= fscrypt_context_size(ctx_u
))
264 switch (ctx_u
->version
) {
265 case FSCRYPT_CONTEXT_V1
: {
266 const struct fscrypt_context_v1
*ctx
= &ctx_u
->v1
;
267 struct fscrypt_policy_v1
*policy
= &policy_u
->v1
;
269 policy
->version
= FSCRYPT_POLICY_V1
;
270 policy
->contents_encryption_mode
=
271 ctx
->contents_encryption_mode
;
272 policy
->filenames_encryption_mode
=
273 ctx
->filenames_encryption_mode
;
274 policy
->flags
= ctx
->flags
;
275 memcpy(policy
->master_key_descriptor
,
276 ctx
->master_key_descriptor
,
277 sizeof(policy
->master_key_descriptor
));
280 case FSCRYPT_CONTEXT_V2
: {
281 const struct fscrypt_context_v2
*ctx
= &ctx_u
->v2
;
282 struct fscrypt_policy_v2
*policy
= &policy_u
->v2
;
284 policy
->version
= FSCRYPT_POLICY_V2
;
285 policy
->contents_encryption_mode
=
286 ctx
->contents_encryption_mode
;
287 policy
->filenames_encryption_mode
=
288 ctx
->filenames_encryption_mode
;
289 policy
->flags
= ctx
->flags
;
290 memcpy(policy
->__reserved
, ctx
->__reserved
,
291 sizeof(policy
->__reserved
));
292 memcpy(policy
->master_key_identifier
,
293 ctx
->master_key_identifier
,
294 sizeof(policy
->master_key_identifier
));
302 /* Retrieve an inode's encryption policy */
303 static int fscrypt_get_policy(struct inode
*inode
, union fscrypt_policy
*policy
)
305 const struct fscrypt_info
*ci
;
306 union fscrypt_context ctx
;
309 ci
= READ_ONCE(inode
->i_crypt_info
);
311 /* key available, use the cached policy */
312 *policy
= ci
->ci_policy
;
316 if (!IS_ENCRYPTED(inode
))
319 ret
= inode
->i_sb
->s_cop
->get_context(inode
, &ctx
, sizeof(ctx
));
321 return (ret
== -ERANGE
) ? -EINVAL
: ret
;
323 return fscrypt_policy_from_context(policy
, &ctx
, ret
);
326 static int set_encryption_policy(struct inode
*inode
,
327 const union fscrypt_policy
*policy
)
329 union fscrypt_context ctx
;
333 if (!fscrypt_supported_policy(policy
, inode
))
336 switch (policy
->version
) {
337 case FSCRYPT_POLICY_V1
:
339 * The original encryption policy version provided no way of
340 * verifying that the correct master key was supplied, which was
341 * insecure in scenarios where multiple users have access to the
342 * same encrypted files (even just read-only access). The new
343 * encryption policy version fixes this and also implies use of
344 * an improved key derivation function and allows non-root users
345 * to securely remove keys. So as long as compatibility with
346 * old kernels isn't required, it is recommended to use the new
347 * policy version for all new encrypted directories.
349 pr_warn_once("%s (pid %d) is setting deprecated v1 encryption policy; recommend upgrading to v2.\n",
350 current
->comm
, current
->pid
);
352 case FSCRYPT_POLICY_V2
:
353 err
= fscrypt_verify_key_added(inode
->i_sb
,
354 policy
->v2
.master_key_identifier
);
363 ctxsize
= fscrypt_new_context_from_policy(&ctx
, policy
);
365 return inode
->i_sb
->s_cop
->set_context(inode
, &ctx
, ctxsize
, NULL
);
368 int fscrypt_ioctl_set_policy(struct file
*filp
, const void __user
*arg
)
370 union fscrypt_policy policy
;
371 union fscrypt_policy existing_policy
;
372 struct inode
*inode
= file_inode(filp
);
377 if (get_user(policy
.version
, (const u8 __user
*)arg
))
380 size
= fscrypt_policy_size(&policy
);
385 * We should just copy the remaining 'size - 1' bytes here, but a
386 * bizarre bug in gcc 7 and earlier (fixed by gcc r255731) causes gcc to
387 * think that size can be 0 here (despite the check above!) *and* that
388 * it's a compile-time constant. Thus it would think copy_from_user()
389 * is passed compile-time constant ULONG_MAX, causing the compile-time
390 * buffer overflow check to fail, breaking the build. This only occurred
391 * when building an i386 kernel with -Os and branch profiling enabled.
393 * Work around it by just copying the first byte again...
395 version
= policy
.version
;
396 if (copy_from_user(&policy
, arg
, size
))
398 policy
.version
= version
;
400 if (!inode_owner_or_capable(inode
))
403 ret
= mnt_want_write_file(filp
);
409 ret
= fscrypt_get_policy(inode
, &existing_policy
);
410 if (ret
== -ENODATA
) {
411 if (!S_ISDIR(inode
->i_mode
))
413 else if (IS_DEADDIR(inode
))
415 else if (!inode
->i_sb
->s_cop
->empty_dir(inode
))
418 ret
= set_encryption_policy(inode
, &policy
);
419 } else if (ret
== -EINVAL
||
420 (ret
== 0 && !fscrypt_policies_equal(&policy
,
421 &existing_policy
))) {
422 /* The file already uses a different encryption policy. */
428 mnt_drop_write_file(filp
);
431 EXPORT_SYMBOL(fscrypt_ioctl_set_policy
);
433 /* Original ioctl version; can only get the original policy version */
434 int fscrypt_ioctl_get_policy(struct file
*filp
, void __user
*arg
)
436 union fscrypt_policy policy
;
439 err
= fscrypt_get_policy(file_inode(filp
), &policy
);
443 if (policy
.version
!= FSCRYPT_POLICY_V1
)
446 if (copy_to_user(arg
, &policy
, sizeof(policy
.v1
)))
450 EXPORT_SYMBOL(fscrypt_ioctl_get_policy
);
452 /* Extended ioctl version; can get policies of any version */
453 int fscrypt_ioctl_get_policy_ex(struct file
*filp
, void __user
*uarg
)
455 struct fscrypt_get_policy_ex_arg arg
;
456 union fscrypt_policy
*policy
= (union fscrypt_policy
*)&arg
.policy
;
460 /* arg is policy_size, then policy */
461 BUILD_BUG_ON(offsetof(typeof(arg
), policy_size
) != 0);
462 BUILD_BUG_ON(offsetofend(typeof(arg
), policy_size
) !=
463 offsetof(typeof(arg
), policy
));
464 BUILD_BUG_ON(sizeof(arg
.policy
) != sizeof(*policy
));
466 err
= fscrypt_get_policy(file_inode(filp
), policy
);
469 policy_size
= fscrypt_policy_size(policy
);
471 if (copy_from_user(&arg
, uarg
, sizeof(arg
.policy_size
)))
474 if (policy_size
> arg
.policy_size
)
476 arg
.policy_size
= policy_size
;
478 if (copy_to_user(uarg
, &arg
, sizeof(arg
.policy_size
) + policy_size
))
482 EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_policy_ex
);
485 * fscrypt_has_permitted_context() - is a file's encryption policy permitted
486 * within its directory?
488 * @parent: inode for parent directory
489 * @child: inode for file being looked up, opened, or linked into @parent
491 * Filesystems must call this before permitting access to an inode in a
492 * situation where the parent directory is encrypted (either before allowing
493 * ->lookup() to succeed, or for a regular file before allowing it to be opened)
494 * and before any operation that involves linking an inode into an encrypted
495 * directory, including link, rename, and cross rename. It enforces the
496 * constraint that within a given encrypted directory tree, all files use the
497 * same encryption policy. The pre-access check is needed to detect potentially
498 * malicious offline violations of this constraint, while the link and rename
499 * checks are needed to prevent online violations of this constraint.
501 * Return: 1 if permitted, 0 if forbidden.
503 int fscrypt_has_permitted_context(struct inode
*parent
, struct inode
*child
)
505 union fscrypt_policy parent_policy
, child_policy
;
508 /* No restrictions on file types which are never encrypted */
509 if (!S_ISREG(child
->i_mode
) && !S_ISDIR(child
->i_mode
) &&
510 !S_ISLNK(child
->i_mode
))
513 /* No restrictions if the parent directory is unencrypted */
514 if (!IS_ENCRYPTED(parent
))
517 /* Encrypted directories must not contain unencrypted files */
518 if (!IS_ENCRYPTED(child
))
522 * Both parent and child are encrypted, so verify they use the same
523 * encryption policy. Compare the fscrypt_info structs if the keys are
524 * available, otherwise retrieve and compare the fscrypt_contexts.
526 * Note that the fscrypt_context retrieval will be required frequently
527 * when accessing an encrypted directory tree without the key.
528 * Performance-wise this is not a big deal because we already don't
529 * really optimize for file access without the key (to the extent that
530 * such access is even possible), given that any attempted access
531 * already causes a fscrypt_context retrieval and keyring search.
533 * In any case, if an unexpected error occurs, fall back to "forbidden".
536 err
= fscrypt_get_encryption_info(parent
);
539 err
= fscrypt_get_encryption_info(child
);
543 err
= fscrypt_get_policy(parent
, &parent_policy
);
547 err
= fscrypt_get_policy(child
, &child_policy
);
551 return fscrypt_policies_equal(&parent_policy
, &child_policy
);
553 EXPORT_SYMBOL(fscrypt_has_permitted_context
);
556 * fscrypt_inherit_context() - Sets a child context from its parent
557 * @parent: Parent inode from which the context is inherited.
558 * @child: Child inode that inherits the context from @parent.
559 * @fs_data: private data given by FS.
560 * @preload: preload child i_crypt_info if true
562 * Return: 0 on success, -errno on failure
564 int fscrypt_inherit_context(struct inode
*parent
, struct inode
*child
,
565 void *fs_data
, bool preload
)
567 union fscrypt_context ctx
;
569 struct fscrypt_info
*ci
;
572 res
= fscrypt_get_encryption_info(parent
);
576 ci
= READ_ONCE(parent
->i_crypt_info
);
580 ctxsize
= fscrypt_new_context_from_policy(&ctx
, &ci
->ci_policy
);
582 BUILD_BUG_ON(sizeof(ctx
) != FSCRYPT_SET_CONTEXT_MAX_SIZE
);
583 res
= parent
->i_sb
->s_cop
->set_context(child
, &ctx
, ctxsize
, fs_data
);
586 return preload
? fscrypt_get_encryption_info(child
): 0;
588 EXPORT_SYMBOL(fscrypt_inherit_context
);