1
// SPDX-License-Identifier: GPL-2.0
2
/*
3
 * Encryption policy functions for per-file encryption support.
4
 *
5
 * Copyright (C) 2015, Google, Inc.
6
 * Copyright (C) 2015, Motorola Mobility.
7
 *
8
 * Originally written by Michael Halcrow, 2015.
9
 * Modified by Jaegeuk Kim, 2015.
10
 * Modified by Eric Biggers, 2019 for v2 policy support.
11
 */
12

13
#include <linux/export.h>
14
#include <linux/fs_context.h>
15
#include <linux/mount.h>
16
#include <linux/random.h>
17
#include <linux/seq_file.h>
18
#include <linux/string.h>
19

20
#include "fscrypt_private.h"
21

22
/**
23
 * fscrypt_policies_equal() - check whether two encryption policies are the same
24
 * @policy1: the first policy
25
 * @policy2: the second policy
26
 *
27
 * Return: %true if equal, else %false
28
 */
29
bool fscrypt_policies_equal(const union fscrypt_policy *policy1,
30
			    const union fscrypt_policy *policy2)
31
{
32
	if (policy1->version != policy2->version)
33
		return false;
34

35
	return !memcmp(policy1, policy2, fscrypt_policy_size(policy1));
36
}
37

38
int fscrypt_policy_to_key_spec(const union fscrypt_policy *policy,
39
			       struct fscrypt_key_specifier *key_spec)
40
{
41
	switch (policy->version) {
42
	case FSCRYPT_POLICY_V1:
43
		key_spec->type = FSCRYPT_KEY_SPEC_TYPE_DESCRIPTOR;
44
		memcpy(key_spec->u.descriptor, policy->v1.master_key_descriptor,
45
		       FSCRYPT_KEY_DESCRIPTOR_SIZE);
46
		return 0;
47
	case FSCRYPT_POLICY_V2:
48
		key_spec->type = FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER;
49
		memcpy(key_spec->u.identifier, policy->v2.master_key_identifier,
50
		       FSCRYPT_KEY_IDENTIFIER_SIZE);
51
		return 0;
52
	default:
53
		WARN_ON_ONCE(1);
54
		return -EINVAL;
55
	}
56
}
57

58
const union fscrypt_policy *fscrypt_get_dummy_policy(struct super_block *sb)
59
{
60
	if (!sb->s_cop->get_dummy_policy)
61
		return NULL;
62
	return sb->s_cop->get_dummy_policy(sb);
63
}
64

65
/*
66
 * Return %true if the given combination of encryption modes is supported for v1
67
 * (and later) encryption policies.
68
 *
69
 * Do *not* add anything new here, since v1 encryption policies are deprecated.
70
 * New combinations of modes should go in fscrypt_valid_enc_modes_v2() only.
71
 */
72
static bool fscrypt_valid_enc_modes_v1(u32 contents_mode, u32 filenames_mode)
73
{
74
	if (contents_mode == FSCRYPT_MODE_AES_256_XTS &&
75
	    filenames_mode == FSCRYPT_MODE_AES_256_CTS)
76
		return true;
77

78
	if (contents_mode == FSCRYPT_MODE_AES_128_CBC &&
79
	    filenames_mode == FSCRYPT_MODE_AES_128_CTS)
80
		return true;
81

82
	if (contents_mode == FSCRYPT_MODE_ADIANTUM &&
83
	    filenames_mode == FSCRYPT_MODE_ADIANTUM)
84
		return true;
85

86
	return false;
87
}
88

89
static bool fscrypt_valid_enc_modes_v2(u32 contents_mode, u32 filenames_mode)
90
{
91
	if (contents_mode == FSCRYPT_MODE_AES_256_XTS &&
92
	    filenames_mode == FSCRYPT_MODE_AES_256_HCTR2)
93
		return true;
94

95
	if (contents_mode == FSCRYPT_MODE_SM4_XTS &&
96
	    filenames_mode == FSCRYPT_MODE_SM4_CTS)
97
		return true;
98

99
	return fscrypt_valid_enc_modes_v1(contents_mode, filenames_mode);
100
}
101

102
static bool supported_direct_key_modes(const struct inode *inode,
103
				       u32 contents_mode, u32 filenames_mode)
104
{
105
	const struct fscrypt_mode *mode;
106

107
	if (contents_mode != filenames_mode) {
108
		fscrypt_warn(inode,
109
			     "Direct key flag not allowed with different contents and filenames modes");
110
		return false;
111
	}
112
	mode = &fscrypt_modes[contents_mode];
113

114
	if (mode->ivsize < offsetofend(union fscrypt_iv, nonce)) {
115
		fscrypt_warn(inode, "Direct key flag not allowed with %s",
116
			     mode->friendly_name);
117
		return false;
118
	}
119
	return true;
120
}
121

122
static bool supported_iv_ino_lblk_policy(const struct fscrypt_policy_v2 *policy,
123
					 const struct inode *inode)
124
{
125
	const char *type = (policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64)
126
				? "IV_INO_LBLK_64" : "IV_INO_LBLK_32";
127
	struct super_block *sb = inode->i_sb;
128

129
	/*
130
	 * IV_INO_LBLK_* exist only because of hardware limitations, and
131
	 * currently the only known use case for them involves AES-256-XTS.
132
	 * That's also all we test currently.  For these reasons, for now only
133
	 * allow AES-256-XTS here.  This can be relaxed later if a use case for
134
	 * IV_INO_LBLK_* with other encryption modes arises.
135
	 */
136
	if (policy->contents_encryption_mode != FSCRYPT_MODE_AES_256_XTS) {
137
		fscrypt_warn(inode,
138
			     "Can't use %s policy with contents mode other than AES-256-XTS",
139
			     type);
140
		return false;
141
	}
142

143
	/*
144
	 * It's unsafe to include inode numbers in the IVs if the filesystem can
145
	 * potentially renumber inodes, e.g. via filesystem shrinking.
146
	 */
147
	if (!sb->s_cop->has_stable_inodes ||
148
	    !sb->s_cop->has_stable_inodes(sb)) {
149
		fscrypt_warn(inode,
150
			     "Can't use %s policy on filesystem '%s' because it doesn't have stable inode numbers",
151
			     type, sb->s_id);
152
		return false;
153
	}
154

155
	/*
156
	 * IV_INO_LBLK_64 and IV_INO_LBLK_32 both require that inode numbers fit
157
	 * in 32 bits.  In principle, IV_INO_LBLK_32 could support longer inode
158
	 * numbers because it hashes the inode number; however, currently the
159
	 * inode number is gotten from inode::i_ino which is 'unsigned long'.
160
	 * So for now the implementation limit is 32 bits.
161
	 */
162
	if (!sb->s_cop->has_32bit_inodes) {
163
		fscrypt_warn(inode,
164
			     "Can't use %s policy on filesystem '%s' because its inode numbers are too long",
165
			     type, sb->s_id);
166
		return false;
167
	}
168

169
	/*
170
	 * IV_INO_LBLK_64 and IV_INO_LBLK_32 both require that file data unit
171
	 * indices fit in 32 bits.
172
	 */
173
	if (fscrypt_max_file_dun_bits(sb,
174
			fscrypt_policy_v2_du_bits(policy, inode)) > 32) {
175
		fscrypt_warn(inode,
176
			     "Can't use %s policy on filesystem '%s' because its maximum file size is too large",
177
			     type, sb->s_id);
178
		return false;
179
	}
180
	return true;
181
}
182

183
static bool fscrypt_supported_v1_policy(const struct fscrypt_policy_v1 *policy,
184
					const struct inode *inode)
185
{
186
	if (!fscrypt_valid_enc_modes_v1(policy->contents_encryption_mode,
187
				     policy->filenames_encryption_mode)) {
188
		fscrypt_warn(inode,
189
			     "Unsupported encryption modes (contents %d, filenames %d)",
190
			     policy->contents_encryption_mode,
191
			     policy->filenames_encryption_mode);
192
		return false;
193
	}
194

195
	if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK |
196
			      FSCRYPT_POLICY_FLAG_DIRECT_KEY)) {
197
		fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)",
198
			     policy->flags);
199
		return false;
200
	}
201

202
	if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) &&
203
	    !supported_direct_key_modes(inode, policy->contents_encryption_mode,
204
					policy->filenames_encryption_mode))
205
		return false;
206

207
	if (IS_CASEFOLDED(inode)) {
208
		/* With v1, there's no way to derive dirhash keys. */
209
		fscrypt_warn(inode,
210
			     "v1 policies can't be used on casefolded directories");
211
		return false;
212
	}
213

214
	return true;
215
}
216

217
static bool fscrypt_supported_v2_policy(const struct fscrypt_policy_v2 *policy,
218
					const struct inode *inode)
219
{
220
	int count = 0;
221

222
	if (!fscrypt_valid_enc_modes_v2(policy->contents_encryption_mode,
223
				     policy->filenames_encryption_mode)) {
224
		fscrypt_warn(inode,
225
			     "Unsupported encryption modes (contents %d, filenames %d)",
226
			     policy->contents_encryption_mode,
227
			     policy->filenames_encryption_mode);
228
		return false;
229
	}
230

231
	if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK |
232
			      FSCRYPT_POLICY_FLAG_DIRECT_KEY |
233
			      FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 |
234
			      FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) {
235
		fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)",
236
			     policy->flags);
237
		return false;
238
	}
239

240
	count += !!(policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY);
241
	count += !!(policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64);
242
	count += !!(policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32);
243
	if (count > 1) {
244
		fscrypt_warn(inode, "Mutually exclusive encryption flags (0x%02x)",
245
			     policy->flags);
246
		return false;
247
	}
248

249
	if (policy->log2_data_unit_size) {
250
		if (!inode->i_sb->s_cop->supports_subblock_data_units) {
251
			fscrypt_warn(inode,
252
				     "Filesystem does not support configuring crypto data unit size");
253
			return false;
254
		}
255
		if (policy->log2_data_unit_size > inode->i_blkbits ||
256
		    policy->log2_data_unit_size < SECTOR_SHIFT /* 9 */) {
257
			fscrypt_warn(inode,
258
				     "Unsupported log2_data_unit_size in encryption policy: %d",
259
				     policy->log2_data_unit_size);
260
			return false;
261
		}
262
		if (policy->log2_data_unit_size != inode->i_blkbits &&
263
		    (policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) {
264
			/*
265
			 * Not safe to enable yet, as we need to ensure that DUN
266
			 * wraparound can only occur on a FS block boundary.
267
			 */
268
			fscrypt_warn(inode,
269
				     "Sub-block data units not yet supported with IV_INO_LBLK_32");
270
			return false;
271
		}
272
	}
273

274
	if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) &&
275
	    !supported_direct_key_modes(inode, policy->contents_encryption_mode,
276
					policy->filenames_encryption_mode))
277
		return false;
278

279
	if ((policy->flags & (FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 |
280
			      FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) &&
281
	    !supported_iv_ino_lblk_policy(policy, inode))
282
		return false;
283

284
	if (memchr_inv(policy->__reserved, 0, sizeof(policy->__reserved))) {
285
		fscrypt_warn(inode, "Reserved bits set in encryption policy");
286
		return false;
287
	}
288

289
	return true;
290
}
291

292
/**
293
 * fscrypt_supported_policy() - check whether an encryption policy is supported
294
 * @policy_u: the encryption policy
295
 * @inode: the inode on which the policy will be used
296
 *
297
 * Given an encryption policy, check whether all its encryption modes and other
298
 * settings are supported by this kernel on the given inode.  (But we don't
299
 * currently don't check for crypto API support here, so attempting to use an
300
 * algorithm not configured into the crypto API will still fail later.)
301
 *
302
 * Return: %true if supported, else %false
303
 */
304
bool fscrypt_supported_policy(const union fscrypt_policy *policy_u,
305
			      const struct inode *inode)
306
{
307
	switch (policy_u->version) {
308
	case FSCRYPT_POLICY_V1:
309
		return fscrypt_supported_v1_policy(&policy_u->v1, inode);
310
	case FSCRYPT_POLICY_V2:
311
		return fscrypt_supported_v2_policy(&policy_u->v2, inode);
312
	}
313
	return false;
314
}
315

316
/**
317
 * fscrypt_new_context() - create a new fscrypt_context
318
 * @ctx_u: output context
319
 * @policy_u: input policy
320
 * @nonce: nonce to use
321
 *
322
 * Create an fscrypt_context for an inode that is being assigned the given
323
 * encryption policy.  @nonce must be a new random nonce.
324
 *
325
 * Return: the size of the new context in bytes.
326
 */
327
static int fscrypt_new_context(union fscrypt_context *ctx_u,
328
			       const union fscrypt_policy *policy_u,
329
			       const u8 nonce[FSCRYPT_FILE_NONCE_SIZE])
330
{
331
	memset(ctx_u, 0, sizeof(*ctx_u));
332

333
	switch (policy_u->version) {
334
	case FSCRYPT_POLICY_V1: {
335
		const struct fscrypt_policy_v1 *policy = &policy_u->v1;
336
		struct fscrypt_context_v1 *ctx = &ctx_u->v1;
337

338
		ctx->version = FSCRYPT_CONTEXT_V1;
339
		ctx->contents_encryption_mode =
340
			policy->contents_encryption_mode;
341
		ctx->filenames_encryption_mode =
342
			policy->filenames_encryption_mode;
343
		ctx->flags = policy->flags;
344
		memcpy(ctx->master_key_descriptor,
345
		       policy->master_key_descriptor,
346
		       sizeof(ctx->master_key_descriptor));
347
		memcpy(ctx->nonce, nonce, FSCRYPT_FILE_NONCE_SIZE);
348
		return sizeof(*ctx);
349
	}
350
	case FSCRYPT_POLICY_V2: {
351
		const struct fscrypt_policy_v2 *policy = &policy_u->v2;
352
		struct fscrypt_context_v2 *ctx = &ctx_u->v2;
353

354
		ctx->version = FSCRYPT_CONTEXT_V2;
355
		ctx->contents_encryption_mode =
356
			policy->contents_encryption_mode;
357
		ctx->filenames_encryption_mode =
358
			policy->filenames_encryption_mode;
359
		ctx->flags = policy->flags;
360
		ctx->log2_data_unit_size = policy->log2_data_unit_size;
361
		memcpy(ctx->master_key_identifier,
362
		       policy->master_key_identifier,
363
		       sizeof(ctx->master_key_identifier));
364
		memcpy(ctx->nonce, nonce, FSCRYPT_FILE_NONCE_SIZE);
365
		return sizeof(*ctx);
366
	}
367
	}
368
	BUG();
369
}
370

371
/**
372
 * fscrypt_policy_from_context() - convert an fscrypt_context to
373
 *				   an fscrypt_policy
374
 * @policy_u: output policy
375
 * @ctx_u: input context
376
 * @ctx_size: size of input context in bytes
377
 *
378
 * Given an fscrypt_context, build the corresponding fscrypt_policy.
379
 *
380
 * Return: 0 on success, or -EINVAL if the fscrypt_context has an unrecognized
381
 * version number or size.
382
 *
383
 * This does *not* validate the settings within the policy itself, e.g. the
384
 * modes, flags, and reserved bits.  Use fscrypt_supported_policy() for that.
385
 */
386
int fscrypt_policy_from_context(union fscrypt_policy *policy_u,
387
				const union fscrypt_context *ctx_u,
388
				int ctx_size)
389
{
390
	memset(policy_u, 0, sizeof(*policy_u));
391

392
	if (!fscrypt_context_is_valid(ctx_u, ctx_size))
393
		return -EINVAL;
394

395
	switch (ctx_u->version) {
396
	case FSCRYPT_CONTEXT_V1: {
397
		const struct fscrypt_context_v1 *ctx = &ctx_u->v1;
398
		struct fscrypt_policy_v1 *policy = &policy_u->v1;
399

400
		policy->version = FSCRYPT_POLICY_V1;
401
		policy->contents_encryption_mode =
402
			ctx->contents_encryption_mode;
403
		policy->filenames_encryption_mode =
404
			ctx->filenames_encryption_mode;
405
		policy->flags = ctx->flags;
406
		memcpy(policy->master_key_descriptor,
407
		       ctx->master_key_descriptor,
408
		       sizeof(policy->master_key_descriptor));
409
		return 0;
410
	}
411
	case FSCRYPT_CONTEXT_V2: {
412
		const struct fscrypt_context_v2 *ctx = &ctx_u->v2;
413
		struct fscrypt_policy_v2 *policy = &policy_u->v2;
414

415
		policy->version = FSCRYPT_POLICY_V2;
416
		policy->contents_encryption_mode =
417
			ctx->contents_encryption_mode;
418
		policy->filenames_encryption_mode =
419
			ctx->filenames_encryption_mode;
420
		policy->flags = ctx->flags;
421
		policy->log2_data_unit_size = ctx->log2_data_unit_size;
422
		memcpy(policy->__reserved, ctx->__reserved,
423
		       sizeof(policy->__reserved));
424
		memcpy(policy->master_key_identifier,
425
		       ctx->master_key_identifier,
426
		       sizeof(policy->master_key_identifier));
427
		return 0;
428
	}
429
	}
430
	/* unreachable */
431
	return -EINVAL;
432
}
433

434
/* Retrieve an inode's encryption policy */
435
static int fscrypt_get_policy(struct inode *inode, union fscrypt_policy *policy)
436
{
437
	const struct fscrypt_inode_info *ci;
438
	union fscrypt_context ctx;
439
	int ret;
440

441
	ci = fscrypt_get_inode_info(inode);
442
	if (ci) {
443
		/* key available, use the cached policy */
444
		*policy = ci->ci_policy;
445
		return 0;
446
	}
447

448
	if (!IS_ENCRYPTED(inode))
449
		return -ENODATA;
450

451
	ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
452
	if (ret < 0)
453
		return (ret == -ERANGE) ? -EINVAL : ret;
454

455
	return fscrypt_policy_from_context(policy, &ctx, ret);
456
}
457

458
static int set_encryption_policy(struct inode *inode,
459
				 const union fscrypt_policy *policy)
460
{
461
	u8 nonce[FSCRYPT_FILE_NONCE_SIZE];
462
	union fscrypt_context ctx;
463
	int ctxsize;
464
	int err;
465

466
	if (!fscrypt_supported_policy(policy, inode))
467
		return -EINVAL;
468

469
	switch (policy->version) {
470
	case FSCRYPT_POLICY_V1:
471
		/*
472
		 * The original encryption policy version provided no way of
473
		 * verifying that the correct master key was supplied, which was
474
		 * insecure in scenarios where multiple users have access to the
475
		 * same encrypted files (even just read-only access).  The new
476
		 * encryption policy version fixes this and also implies use of
477
		 * an improved key derivation function and allows non-root users
478
		 * to securely remove keys.  So as long as compatibility with
479
		 * old kernels isn't required, it is recommended to use the new
480
		 * policy version for all new encrypted directories.
481
		 */
482
		pr_warn_once("%s (pid %d) is setting deprecated v1 encryption policy; recommend upgrading to v2.\n",
483
			     current->comm, current->pid);
484
		break;
485
	case FSCRYPT_POLICY_V2:
486
		err = fscrypt_verify_key_added(inode->i_sb,
487
					       policy->v2.master_key_identifier);
488
		if (err)
489
			return err;
490
		if (policy->v2.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)
491
			pr_warn_once("%s (pid %d) is setting an IV_INO_LBLK_32 encryption policy.  This should only be used if there are certain hardware limitations.\n",
492
				     current->comm, current->pid);
493
		break;
494
	default:
495
		WARN_ON_ONCE(1);
496
		return -EINVAL;
497
	}
498

499
	get_random_bytes(nonce, FSCRYPT_FILE_NONCE_SIZE);
500
	ctxsize = fscrypt_new_context(&ctx, policy, nonce);
501

502
	return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, NULL);
503
}
504

505
int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg)
506
{
507
	union fscrypt_policy policy;
508
	union fscrypt_policy existing_policy;
509
	struct inode *inode = file_inode(filp);
510
	u8 version;
511
	int size;
512
	int ret;
513

514
	if (get_user(policy.version, (const u8 __user *)arg))
515
		return -EFAULT;
516

517
	size = fscrypt_policy_size(&policy);
518
	if (size <= 0)
519
		return -EINVAL;
520

521
	/*
522
	 * We should just copy the remaining 'size - 1' bytes here, but a
523
	 * bizarre bug in gcc 7 and earlier (fixed by gcc r255731) causes gcc to
524
	 * think that size can be 0 here (despite the check above!) *and* that
525
	 * it's a compile-time constant.  Thus it would think copy_from_user()
526
	 * is passed compile-time constant ULONG_MAX, causing the compile-time
527
	 * buffer overflow check to fail, breaking the build. This only occurred
528
	 * when building an i386 kernel with -Os and branch profiling enabled.
529
	 *
530
	 * Work around it by just copying the first byte again...
531
	 */
532
	version = policy.version;
533
	if (copy_from_user(&policy, arg, size))
534
		return -EFAULT;
535
	policy.version = version;
536

537
	if (!inode_owner_or_capable(&nop_mnt_idmap, inode))
538
		return -EACCES;
539

540
	ret = mnt_want_write_file(filp);
541
	if (ret)
542
		return ret;
543

544
	inode_lock(inode);
545

546
	ret = fscrypt_get_policy(inode, &existing_policy);
547
	if (ret == -ENODATA) {
548
		if (!S_ISDIR(inode->i_mode))
549
			ret = -ENOTDIR;
550
		else if (IS_DEADDIR(inode))
551
			ret = -ENOENT;
552
		else if (!inode->i_sb->s_cop->empty_dir(inode))
553
			ret = -ENOTEMPTY;
554
		else
555
			ret = set_encryption_policy(inode, &policy);
556
	} else if (ret == -EINVAL ||
557
		   (ret == 0 && !fscrypt_policies_equal(&policy,
558
							&existing_policy))) {
559
		/* The file already uses a different encryption policy. */
560
		ret = -EEXIST;
561
	}
562

563
	inode_unlock(inode);
564

565
	mnt_drop_write_file(filp);
566
	return ret;
567
}
568
EXPORT_SYMBOL(fscrypt_ioctl_set_policy);
569

570
/* Original ioctl version; can only get the original policy version */
571
int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg)
572
{
573
	union fscrypt_policy policy;
574
	int err;
575

576
	err = fscrypt_get_policy(file_inode(filp), &policy);
577
	if (err)
578
		return err;
579

580
	if (policy.version != FSCRYPT_POLICY_V1)
581
		return -EINVAL;
582

583
	if (copy_to_user(arg, &policy, sizeof(policy.v1)))
584
		return -EFAULT;
585
	return 0;
586
}
587
EXPORT_SYMBOL(fscrypt_ioctl_get_policy);
588

589
/* Extended ioctl version; can get policies of any version */
590
int fscrypt_ioctl_get_policy_ex(struct file *filp, void __user *uarg)
591
{
592
	struct fscrypt_get_policy_ex_arg arg;
593
	union fscrypt_policy *policy = (union fscrypt_policy *)&arg.policy;
594
	size_t policy_size;
595
	int err;
596

597
	/* arg is policy_size, then policy */
598
	BUILD_BUG_ON(offsetof(typeof(arg), policy_size) != 0);
599
	BUILD_BUG_ON(offsetofend(typeof(arg), policy_size) !=
600
		     offsetof(typeof(arg), policy));
601
	BUILD_BUG_ON(sizeof(arg.policy) != sizeof(*policy));
602

603
	err = fscrypt_get_policy(file_inode(filp), policy);
604
	if (err)
605
		return err;
606
	policy_size = fscrypt_policy_size(policy);
607

608
	if (copy_from_user(&arg, uarg, sizeof(arg.policy_size)))
609
		return -EFAULT;
610

611
	if (policy_size > arg.policy_size)
612
		return -EOVERFLOW;
613
	arg.policy_size = policy_size;
614

615
	if (copy_to_user(uarg, &arg, sizeof(arg.policy_size) + policy_size))
616
		return -EFAULT;
617
	return 0;
618
}
619
EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_policy_ex);
620

621
/* FS_IOC_GET_ENCRYPTION_NONCE: retrieve file's encryption nonce for testing */
622
int fscrypt_ioctl_get_nonce(struct file *filp, void __user *arg)
623
{
624
	struct inode *inode = file_inode(filp);
625
	union fscrypt_context ctx;
626
	int ret;
627

628
	ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
629
	if (ret < 0)
630
		return ret;
631
	if (!fscrypt_context_is_valid(&ctx, ret))
632
		return -EINVAL;
633
	if (copy_to_user(arg, fscrypt_context_nonce(&ctx),
634
			 FSCRYPT_FILE_NONCE_SIZE))
635
		return -EFAULT;
636
	return 0;
637
}
638
EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_nonce);
639

640
/**
641
 * fscrypt_has_permitted_context() - is a file's encryption policy permitted
642
 *				     within its directory?
643
 *
644
 * @parent: inode for parent directory
645
 * @child: inode for file being looked up, opened, or linked into @parent
646
 *
647
 * Filesystems must call this before permitting access to an inode in a
648
 * situation where the parent directory is encrypted (either before allowing
649
 * ->lookup() to succeed, or for a regular file before allowing it to be opened)
650
 * and before any operation that involves linking an inode into an encrypted
651
 * directory, including link, rename, and cross rename.  It enforces the
652
 * constraint that within a given encrypted directory tree, all files use the
653
 * same encryption policy.  The pre-access check is needed to detect potentially
654
 * malicious offline violations of this constraint, while the link and rename
655
 * checks are needed to prevent online violations of this constraint.
656
 *
657
 * Return: 1 if permitted, 0 if forbidden.
658
 */
659
int fscrypt_has_permitted_context(struct inode *parent, struct inode *child)
660
{
661
	union fscrypt_policy parent_policy, child_policy;
662
	int err, err1, err2;
663

664
	/* No restrictions on file types which are never encrypted */
665
	if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) &&
666
	    !S_ISLNK(child->i_mode))
667
		return 1;
668

669
	/* No restrictions if the parent directory is unencrypted */
670
	if (!IS_ENCRYPTED(parent))
671
		return 1;
672

673
	/* Encrypted directories must not contain unencrypted files */
674
	if (!IS_ENCRYPTED(child))
675
		return 0;
676

677
	/*
678
	 * Both parent and child are encrypted, so verify they use the same
679
	 * encryption policy.  Compare the cached policies if the keys are
680
	 * available, otherwise retrieve and compare the fscrypt_contexts.
681
	 *
682
	 * Note that the fscrypt_context retrieval will be required frequently
683
	 * when accessing an encrypted directory tree without the key.
684
	 * Performance-wise this is not a big deal because we already don't
685
	 * really optimize for file access without the key (to the extent that
686
	 * such access is even possible), given that any attempted access
687
	 * already causes a fscrypt_context retrieval and keyring search.
688
	 *
689
	 * In any case, if an unexpected error occurs, fall back to "forbidden".
690
	 */
691

692
	err = fscrypt_get_encryption_info(parent, true);
693
	if (err)
694
		return 0;
695
	err = fscrypt_get_encryption_info(child, true);
696
	if (err)
697
		return 0;
698

699
	err1 = fscrypt_get_policy(parent, &parent_policy);
700
	err2 = fscrypt_get_policy(child, &child_policy);
701

702
	/*
703
	 * Allow the case where the parent and child both have an unrecognized
704
	 * encryption policy, so that files with an unrecognized encryption
705
	 * policy can be deleted.
706
	 */
707
	if (err1 == -EINVAL && err2 == -EINVAL)
708
		return 1;
709

710
	if (err1 || err2)
711
		return 0;
712

713
	return fscrypt_policies_equal(&parent_policy, &child_policy);
714
}
715
EXPORT_SYMBOL(fscrypt_has_permitted_context);
716

717
/*
718
 * Return the encryption policy that new files in the directory will inherit, or
719
 * NULL if none, or an ERR_PTR() on error.  If the directory is encrypted, also
720
 * ensure that its key is set up, so that the new filename can be encrypted.
721
 */
722
const union fscrypt_policy *fscrypt_policy_to_inherit(struct inode *dir)
723
{
724
	int err;
725

726
	if (IS_ENCRYPTED(dir)) {
727
		err = fscrypt_require_key(dir);
728
		if (err)
729
			return ERR_PTR(err);
730
		return &dir->i_crypt_info->ci_policy;
731
	}
732

733
	return fscrypt_get_dummy_policy(dir->i_sb);
734
}
735

736
/**
737
 * fscrypt_context_for_new_inode() - create an encryption context for a new inode
738
 * @ctx: where context should be written
739
 * @inode: inode from which to fetch policy and nonce
740
 *
741
 * Given an in-core "prepared" (via fscrypt_prepare_new_inode) inode,
742
 * generate a new context and write it to ctx. ctx _must_ be at least
743
 * FSCRYPT_SET_CONTEXT_MAX_SIZE bytes.
744
 *
745
 * Return: size of the resulting context or a negative error code.
746
 */
747
int fscrypt_context_for_new_inode(void *ctx, struct inode *inode)
748
{
749
	struct fscrypt_inode_info *ci = inode->i_crypt_info;
750

751
	BUILD_BUG_ON(sizeof(union fscrypt_context) !=
752
			FSCRYPT_SET_CONTEXT_MAX_SIZE);
753

754
	/* fscrypt_prepare_new_inode() should have set up the key already. */
755
	if (WARN_ON_ONCE(!ci))
756
		return -ENOKEY;
757

758
	return fscrypt_new_context(ctx, &ci->ci_policy, ci->ci_nonce);
759
}
760
EXPORT_SYMBOL_GPL(fscrypt_context_for_new_inode);
761

762
/**
763
 * fscrypt_set_context() - Set the fscrypt context of a new inode
764
 * @inode: a new inode
765
 * @fs_data: private data given by FS and passed to ->set_context()
766
 *
767
 * This should be called after fscrypt_prepare_new_inode(), generally during a
768
 * filesystem transaction.  Everything here must be %GFP_NOFS-safe.
769
 *
770
 * Return: 0 on success, -errno on failure
771
 */
772
int fscrypt_set_context(struct inode *inode, void *fs_data)
773
{
774
	struct fscrypt_inode_info *ci = inode->i_crypt_info;
775
	union fscrypt_context ctx;
776
	int ctxsize;
777

778
	ctxsize = fscrypt_context_for_new_inode(&ctx, inode);
779
	if (ctxsize < 0)
780
		return ctxsize;
781

782
	/*
783
	 * This may be the first time the inode number is available, so do any
784
	 * delayed key setup that requires the inode number.
785
	 */
786
	if (ci->ci_policy.version == FSCRYPT_POLICY_V2 &&
787
	    (ci->ci_policy.v2.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32))
788
		fscrypt_hash_inode_number(ci, ci->ci_master_key);
789

790
	return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, fs_data);
791
}
792
EXPORT_SYMBOL_GPL(fscrypt_set_context);
793

794
/**
795
 * fscrypt_parse_test_dummy_encryption() - parse the test_dummy_encryption mount option
796
 * @param: the mount option
797
 * @dummy_policy: (input/output) the place to write the dummy policy that will
798
 *	result from parsing the option.  Zero-initialize this.  If a policy is
799
 *	already set here (due to test_dummy_encryption being given multiple
800
 *	times), then this function will verify that the policies are the same.
801
 *
802
 * Return: 0 on success; -EINVAL if the argument is invalid; -EEXIST if the
803
 *	   argument conflicts with one already specified; or -ENOMEM.
804
 */
805
int fscrypt_parse_test_dummy_encryption(const struct fs_parameter *param,
806
				struct fscrypt_dummy_policy *dummy_policy)
807
{
808
	const char *arg = "v2";
809
	union fscrypt_policy *policy;
810
	int err;
811

812
	if (param->type == fs_value_is_string && *param->string)
813
		arg = param->string;
814

815
	policy = kzalloc(sizeof(*policy), GFP_KERNEL);
816
	if (!policy)
817
		return -ENOMEM;
818

819
	if (!strcmp(arg, "v1")) {
820
		policy->version = FSCRYPT_POLICY_V1;
821
		policy->v1.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS;
822
		policy->v1.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS;
823
		memset(policy->v1.master_key_descriptor, 0x42,
824
		       FSCRYPT_KEY_DESCRIPTOR_SIZE);
825
	} else if (!strcmp(arg, "v2")) {
826
		policy->version = FSCRYPT_POLICY_V2;
827
		policy->v2.contents_encryption_mode = FSCRYPT_MODE_AES_256_XTS;
828
		policy->v2.filenames_encryption_mode = FSCRYPT_MODE_AES_256_CTS;
829
		err = fscrypt_get_test_dummy_key_identifier(
830
				policy->v2.master_key_identifier);
831
		if (err)
832
			goto out;
833
	} else {
834
		err = -EINVAL;
835
		goto out;
836
	}
837

838
	if (dummy_policy->policy) {
839
		if (fscrypt_policies_equal(policy, dummy_policy->policy))
840
			err = 0;
841
		else
842
			err = -EEXIST;
843
		goto out;
844
	}
845
	dummy_policy->policy = policy;
846
	policy = NULL;
847
	err = 0;
848
out:
849
	kfree(policy);
850
	return err;
851
}
852
EXPORT_SYMBOL_GPL(fscrypt_parse_test_dummy_encryption);
853

854
/**
855
 * fscrypt_dummy_policies_equal() - check whether two dummy policies are equal
856
 * @p1: the first test dummy policy (may be unset)
857
 * @p2: the second test dummy policy (may be unset)
858
 *
859
 * Return: %true if the dummy policies are both set and equal, or both unset.
860
 */
861
bool fscrypt_dummy_policies_equal(const struct fscrypt_dummy_policy *p1,
862
				  const struct fscrypt_dummy_policy *p2)
863
{
864
	if (!p1->policy && !p2->policy)
865
		return true;
866
	if (!p1->policy || !p2->policy)
867
		return false;
868
	return fscrypt_policies_equal(p1->policy, p2->policy);
869
}
870
EXPORT_SYMBOL_GPL(fscrypt_dummy_policies_equal);
871

872
/**
873
 * fscrypt_show_test_dummy_encryption() - show '-o test_dummy_encryption'
874
 * @seq: the seq_file to print the option to
875
 * @sep: the separator character to use
876
 * @sb: the filesystem whose options are being shown
877
 *
878
 * Show the test_dummy_encryption mount option, if it was specified.
879
 * This is mainly used for /proc/mounts.
880
 */
881
void fscrypt_show_test_dummy_encryption(struct seq_file *seq, char sep,
882
					struct super_block *sb)
883
{
884
	const union fscrypt_policy *policy = fscrypt_get_dummy_policy(sb);
885
	int vers;
886

887
	if (!policy)
888
		return;
889

890
	vers = policy->version;
891
	if (vers == FSCRYPT_POLICY_V1) /* Handle numbering quirk */
892
		vers = 1;
893

894
	seq_printf(seq, "%ctest_dummy_encryption=v%d", sep, vers);
895
}
896
EXPORT_SYMBOL_GPL(fscrypt_show_test_dummy_encryption);
897

898