1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Encryption policy functions for per-file encryption support. 4 * 5 * Copyright (C) 2015, Google, Inc. 6 * Copyright (C) 2015, Motorola Mobility. 7 * 8 * Originally written by Michael Halcrow, 2015. 9 * Modified by Jaegeuk Kim, 2015. 10 * Modified by Eric Biggers, 2019 for v2 policy support. 11 */ 12 13 #include <linux/random.h> 14 #include <linux/string.h> 15 #include <linux/mount.h> 16 #include "fscrypt_private.h" 17 18 /** 19 * fscrypt_policies_equal - check whether two encryption policies are the same 20 * 21 * Return: %true if equal, else %false 22 */ 23 bool fscrypt_policies_equal(const union fscrypt_policy *policy1, 24 const union fscrypt_policy *policy2) 25 { 26 if (policy1->version != policy2->version) 27 return false; 28 29 return !memcmp(policy1, policy2, fscrypt_policy_size(policy1)); 30 } 31 32 /** 33 * fscrypt_supported_policy - check whether an encryption policy is supported 34 * 35 * Given an encryption policy, check whether all its encryption modes and other 36 * settings are supported by this kernel. (But we don't currently don't check 37 * for crypto API support here, so attempting to use an algorithm not configured 38 * into the crypto API will still fail later.) 39 * 40 * Return: %true if supported, else %false 41 */ 42 bool fscrypt_supported_policy(const union fscrypt_policy *policy_u, 43 const struct inode *inode) 44 { 45 switch (policy_u->version) { 46 case FSCRYPT_POLICY_V1: { 47 const struct fscrypt_policy_v1 *policy = &policy_u->v1; 48 49 if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode, 50 policy->filenames_encryption_mode)) { 51 fscrypt_warn(inode, 52 "Unsupported encryption modes (contents %d, filenames %d)", 53 policy->contents_encryption_mode, 54 policy->filenames_encryption_mode); 55 return false; 56 } 57 58 if (policy->flags & ~FSCRYPT_POLICY_FLAGS_VALID) { 59 fscrypt_warn(inode, 60 "Unsupported encryption flags (0x%02x)", 61 policy->flags); 62 return false; 63 } 64 65 return true; 66 } 67 case FSCRYPT_POLICY_V2: { 68 const struct fscrypt_policy_v2 *policy = &policy_u->v2; 69 70 if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode, 71 policy->filenames_encryption_mode)) { 72 fscrypt_warn(inode, 73 "Unsupported encryption modes (contents %d, filenames %d)", 74 policy->contents_encryption_mode, 75 policy->filenames_encryption_mode); 76 return false; 77 } 78 79 if (policy->flags & ~FSCRYPT_POLICY_FLAGS_VALID) { 80 fscrypt_warn(inode, 81 "Unsupported encryption flags (0x%02x)", 82 policy->flags); 83 return false; 84 } 85 86 if (memchr_inv(policy->__reserved, 0, 87 sizeof(policy->__reserved))) { 88 fscrypt_warn(inode, 89 "Reserved bits set in encryption policy"); 90 return false; 91 } 92 93 return true; 94 } 95 } 96 return false; 97 } 98 99 /** 100 * fscrypt_new_context_from_policy - create a new fscrypt_context from a policy 101 * 102 * Create an fscrypt_context for an inode that is being assigned the given 103 * encryption policy. A new nonce is randomly generated. 104 * 105 * Return: the size of the new context in bytes. 106 */ 107 static int fscrypt_new_context_from_policy(union fscrypt_context *ctx_u, 108 const union fscrypt_policy *policy_u) 109 { 110 memset(ctx_u, 0, sizeof(*ctx_u)); 111 112 switch (policy_u->version) { 113 case FSCRYPT_POLICY_V1: { 114 const struct fscrypt_policy_v1 *policy = &policy_u->v1; 115 struct fscrypt_context_v1 *ctx = &ctx_u->v1; 116 117 ctx->version = FSCRYPT_CONTEXT_V1; 118 ctx->contents_encryption_mode = 119 policy->contents_encryption_mode; 120 ctx->filenames_encryption_mode = 121 policy->filenames_encryption_mode; 122 ctx->flags = policy->flags; 123 memcpy(ctx->master_key_descriptor, 124 policy->master_key_descriptor, 125 sizeof(ctx->master_key_descriptor)); 126 get_random_bytes(ctx->nonce, sizeof(ctx->nonce)); 127 return sizeof(*ctx); 128 } 129 case FSCRYPT_POLICY_V2: { 130 const struct fscrypt_policy_v2 *policy = &policy_u->v2; 131 struct fscrypt_context_v2 *ctx = &ctx_u->v2; 132 133 ctx->version = FSCRYPT_CONTEXT_V2; 134 ctx->contents_encryption_mode = 135 policy->contents_encryption_mode; 136 ctx->filenames_encryption_mode = 137 policy->filenames_encryption_mode; 138 ctx->flags = policy->flags; 139 memcpy(ctx->master_key_identifier, 140 policy->master_key_identifier, 141 sizeof(ctx->master_key_identifier)); 142 get_random_bytes(ctx->nonce, sizeof(ctx->nonce)); 143 return sizeof(*ctx); 144 } 145 } 146 BUG(); 147 } 148 149 /** 150 * fscrypt_policy_from_context - convert an fscrypt_context to an fscrypt_policy 151 * 152 * Given an fscrypt_context, build the corresponding fscrypt_policy. 153 * 154 * Return: 0 on success, or -EINVAL if the fscrypt_context has an unrecognized 155 * version number or size. 156 * 157 * This does *not* validate the settings within the policy itself, e.g. the 158 * modes, flags, and reserved bits. Use fscrypt_supported_policy() for that. 159 */ 160 int fscrypt_policy_from_context(union fscrypt_policy *policy_u, 161 const union fscrypt_context *ctx_u, 162 int ctx_size) 163 { 164 memset(policy_u, 0, sizeof(*policy_u)); 165 166 if (ctx_size <= 0 || ctx_size != fscrypt_context_size(ctx_u)) 167 return -EINVAL; 168 169 switch (ctx_u->version) { 170 case FSCRYPT_CONTEXT_V1: { 171 const struct fscrypt_context_v1 *ctx = &ctx_u->v1; 172 struct fscrypt_policy_v1 *policy = &policy_u->v1; 173 174 policy->version = FSCRYPT_POLICY_V1; 175 policy->contents_encryption_mode = 176 ctx->contents_encryption_mode; 177 policy->filenames_encryption_mode = 178 ctx->filenames_encryption_mode; 179 policy->flags = ctx->flags; 180 memcpy(policy->master_key_descriptor, 181 ctx->master_key_descriptor, 182 sizeof(policy->master_key_descriptor)); 183 return 0; 184 } 185 case FSCRYPT_CONTEXT_V2: { 186 const struct fscrypt_context_v2 *ctx = &ctx_u->v2; 187 struct fscrypt_policy_v2 *policy = &policy_u->v2; 188 189 policy->version = FSCRYPT_POLICY_V2; 190 policy->contents_encryption_mode = 191 ctx->contents_encryption_mode; 192 policy->filenames_encryption_mode = 193 ctx->filenames_encryption_mode; 194 policy->flags = ctx->flags; 195 memcpy(policy->__reserved, ctx->__reserved, 196 sizeof(policy->__reserved)); 197 memcpy(policy->master_key_identifier, 198 ctx->master_key_identifier, 199 sizeof(policy->master_key_identifier)); 200 return 0; 201 } 202 } 203 /* unreachable */ 204 return -EINVAL; 205 } 206 207 /* Retrieve an inode's encryption policy */ 208 static int fscrypt_get_policy(struct inode *inode, union fscrypt_policy *policy) 209 { 210 const struct fscrypt_info *ci; 211 union fscrypt_context ctx; 212 int ret; 213 214 ci = READ_ONCE(inode->i_crypt_info); 215 if (ci) { 216 /* key available, use the cached policy */ 217 *policy = ci->ci_policy; 218 return 0; 219 } 220 221 if (!IS_ENCRYPTED(inode)) 222 return -ENODATA; 223 224 ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx)); 225 if (ret < 0) 226 return (ret == -ERANGE) ? -EINVAL : ret; 227 228 return fscrypt_policy_from_context(policy, &ctx, ret); 229 } 230 231 static int set_encryption_policy(struct inode *inode, 232 const union fscrypt_policy *policy) 233 { 234 union fscrypt_context ctx; 235 int ctxsize; 236 int err; 237 238 if (!fscrypt_supported_policy(policy, inode)) 239 return -EINVAL; 240 241 switch (policy->version) { 242 case FSCRYPT_POLICY_V1: 243 /* 244 * The original encryption policy version provided no way of 245 * verifying that the correct master key was supplied, which was 246 * insecure in scenarios where multiple users have access to the 247 * same encrypted files (even just read-only access). The new 248 * encryption policy version fixes this and also implies use of 249 * an improved key derivation function and allows non-root users 250 * to securely remove keys. So as long as compatibility with 251 * old kernels isn't required, it is recommended to use the new 252 * policy version for all new encrypted directories. 253 */ 254 pr_warn_once("%s (pid %d) is setting deprecated v1 encryption policy; recommend upgrading to v2.\n", 255 current->comm, current->pid); 256 break; 257 case FSCRYPT_POLICY_V2: 258 err = fscrypt_verify_key_added(inode->i_sb, 259 policy->v2.master_key_identifier); 260 if (err) 261 return err; 262 break; 263 default: 264 WARN_ON(1); 265 return -EINVAL; 266 } 267 268 ctxsize = fscrypt_new_context_from_policy(&ctx, policy); 269 270 return inode->i_sb->s_cop->set_context(inode, &ctx, ctxsize, NULL); 271 } 272 273 int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg) 274 { 275 union fscrypt_policy policy; 276 union fscrypt_policy existing_policy; 277 struct inode *inode = file_inode(filp); 278 u8 version; 279 int size; 280 int ret; 281 282 if (get_user(policy.version, (const u8 __user *)arg)) 283 return -EFAULT; 284 285 size = fscrypt_policy_size(&policy); 286 if (size <= 0) 287 return -EINVAL; 288 289 /* 290 * We should just copy the remaining 'size - 1' bytes here, but a 291 * bizarre bug in gcc 7 and earlier (fixed by gcc r255731) causes gcc to 292 * think that size can be 0 here (despite the check above!) *and* that 293 * it's a compile-time constant. Thus it would think copy_from_user() 294 * is passed compile-time constant ULONG_MAX, causing the compile-time 295 * buffer overflow check to fail, breaking the build. This only occurred 296 * when building an i386 kernel with -Os and branch profiling enabled. 297 * 298 * Work around it by just copying the first byte again... 299 */ 300 version = policy.version; 301 if (copy_from_user(&policy, arg, size)) 302 return -EFAULT; 303 policy.version = version; 304 305 if (!inode_owner_or_capable(inode)) 306 return -EACCES; 307 308 ret = mnt_want_write_file(filp); 309 if (ret) 310 return ret; 311 312 inode_lock(inode); 313 314 ret = fscrypt_get_policy(inode, &existing_policy); 315 if (ret == -ENODATA) { 316 if (!S_ISDIR(inode->i_mode)) 317 ret = -ENOTDIR; 318 else if (IS_DEADDIR(inode)) 319 ret = -ENOENT; 320 else if (!inode->i_sb->s_cop->empty_dir(inode)) 321 ret = -ENOTEMPTY; 322 else 323 ret = set_encryption_policy(inode, &policy); 324 } else if (ret == -EINVAL || 325 (ret == 0 && !fscrypt_policies_equal(&policy, 326 &existing_policy))) { 327 /* The file already uses a different encryption policy. */ 328 ret = -EEXIST; 329 } 330 331 inode_unlock(inode); 332 333 mnt_drop_write_file(filp); 334 return ret; 335 } 336 EXPORT_SYMBOL(fscrypt_ioctl_set_policy); 337 338 /* Original ioctl version; can only get the original policy version */ 339 int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg) 340 { 341 union fscrypt_policy policy; 342 int err; 343 344 err = fscrypt_get_policy(file_inode(filp), &policy); 345 if (err) 346 return err; 347 348 if (policy.version != FSCRYPT_POLICY_V1) 349 return -EINVAL; 350 351 if (copy_to_user(arg, &policy, sizeof(policy.v1))) 352 return -EFAULT; 353 return 0; 354 } 355 EXPORT_SYMBOL(fscrypt_ioctl_get_policy); 356 357 /* Extended ioctl version; can get policies of any version */ 358 int fscrypt_ioctl_get_policy_ex(struct file *filp, void __user *uarg) 359 { 360 struct fscrypt_get_policy_ex_arg arg; 361 union fscrypt_policy *policy = (union fscrypt_policy *)&arg.policy; 362 size_t policy_size; 363 int err; 364 365 /* arg is policy_size, then policy */ 366 BUILD_BUG_ON(offsetof(typeof(arg), policy_size) != 0); 367 BUILD_BUG_ON(offsetofend(typeof(arg), policy_size) != 368 offsetof(typeof(arg), policy)); 369 BUILD_BUG_ON(sizeof(arg.policy) != sizeof(*policy)); 370 371 err = fscrypt_get_policy(file_inode(filp), policy); 372 if (err) 373 return err; 374 policy_size = fscrypt_policy_size(policy); 375 376 if (copy_from_user(&arg, uarg, sizeof(arg.policy_size))) 377 return -EFAULT; 378 379 if (policy_size > arg.policy_size) 380 return -EOVERFLOW; 381 arg.policy_size = policy_size; 382 383 if (copy_to_user(uarg, &arg, sizeof(arg.policy_size) + policy_size)) 384 return -EFAULT; 385 return 0; 386 } 387 EXPORT_SYMBOL_GPL(fscrypt_ioctl_get_policy_ex); 388 389 /** 390 * fscrypt_has_permitted_context() - is a file's encryption policy permitted 391 * within its directory? 392 * 393 * @parent: inode for parent directory 394 * @child: inode for file being looked up, opened, or linked into @parent 395 * 396 * Filesystems must call this before permitting access to an inode in a 397 * situation where the parent directory is encrypted (either before allowing 398 * ->lookup() to succeed, or for a regular file before allowing it to be opened) 399 * and before any operation that involves linking an inode into an encrypted 400 * directory, including link, rename, and cross rename. It enforces the 401 * constraint that within a given encrypted directory tree, all files use the 402 * same encryption policy. The pre-access check is needed to detect potentially 403 * malicious offline violations of this constraint, while the link and rename 404 * checks are needed to prevent online violations of this constraint. 405 * 406 * Return: 1 if permitted, 0 if forbidden. 407 */ 408 int fscrypt_has_permitted_context(struct inode *parent, struct inode *child) 409 { 410 union fscrypt_policy parent_policy, child_policy; 411 int err; 412 413 /* No restrictions on file types which are never encrypted */ 414 if (!S_ISREG(child->i_mode) && !S_ISDIR(child->i_mode) && 415 !S_ISLNK(child->i_mode)) 416 return 1; 417 418 /* No restrictions if the parent directory is unencrypted */ 419 if (!IS_ENCRYPTED(parent)) 420 return 1; 421 422 /* Encrypted directories must not contain unencrypted files */ 423 if (!IS_ENCRYPTED(child)) 424 return 0; 425 426 /* 427 * Both parent and child are encrypted, so verify they use the same 428 * encryption policy. Compare the fscrypt_info structs if the keys are 429 * available, otherwise retrieve and compare the fscrypt_contexts. 430 * 431 * Note that the fscrypt_context retrieval will be required frequently 432 * when accessing an encrypted directory tree without the key. 433 * Performance-wise this is not a big deal because we already don't 434 * really optimize for file access without the key (to the extent that 435 * such access is even possible), given that any attempted access 436 * already causes a fscrypt_context retrieval and keyring search. 437 * 438 * In any case, if an unexpected error occurs, fall back to "forbidden". 439 */ 440 441 err = fscrypt_get_encryption_info(parent); 442 if (err) 443 return 0; 444 err = fscrypt_get_encryption_info(child); 445 if (err) 446 return 0; 447 448 err = fscrypt_get_policy(parent, &parent_policy); 449 if (err) 450 return 0; 451 452 err = fscrypt_get_policy(child, &child_policy); 453 if (err) 454 return 0; 455 456 return fscrypt_policies_equal(&parent_policy, &child_policy); 457 } 458 EXPORT_SYMBOL(fscrypt_has_permitted_context); 459 460 /** 461 * fscrypt_inherit_context() - Sets a child context from its parent 462 * @parent: Parent inode from which the context is inherited. 463 * @child: Child inode that inherits the context from @parent. 464 * @fs_data: private data given by FS. 465 * @preload: preload child i_crypt_info if true 466 * 467 * Return: 0 on success, -errno on failure 468 */ 469 int fscrypt_inherit_context(struct inode *parent, struct inode *child, 470 void *fs_data, bool preload) 471 { 472 union fscrypt_context ctx; 473 int ctxsize; 474 struct fscrypt_info *ci; 475 int res; 476 477 res = fscrypt_get_encryption_info(parent); 478 if (res < 0) 479 return res; 480 481 ci = READ_ONCE(parent->i_crypt_info); 482 if (ci == NULL) 483 return -ENOKEY; 484 485 ctxsize = fscrypt_new_context_from_policy(&ctx, &ci->ci_policy); 486 487 BUILD_BUG_ON(sizeof(ctx) != FSCRYPT_SET_CONTEXT_MAX_SIZE); 488 res = parent->i_sb->s_cop->set_context(child, &ctx, ctxsize, fs_data); 489 if (res) 490 return res; 491 return preload ? fscrypt_get_encryption_info(child): 0; 492 } 493 EXPORT_SYMBOL(fscrypt_inherit_context); 494