linux/include/linux/fscrypt.h
<<
>>
Prefs 
   1/* SPDX-License-Identifier: GPL-2.0 */
   2/*
   3 * fscrypt.h: declarations for per-file encryption
   4 *
   5 * Filesystems that implement per-file encryption must include this header
   6 * file.
   7 *
   8 * Copyright (C) 2015, Google, Inc.
   9 *
  10 * Written by Michael Halcrow, 2015.
  11 * Modified by Jaegeuk Kim, 2015.
  12 */
  13#ifndef _LINUX_FSCRYPT_H
  14#define _LINUX_FSCRYPT_H
  15
  16#include <linux/fs.h>
  17#include <linux/mm.h>
  18#include <linux/slab.h>
  19#include <uapi/linux/fscrypt.h>
  20
  21#define FS_CRYPTO_BLOCK_SIZE            16
  22
  23union fscrypt_policy;
  24struct fscrypt_info;
  25struct seq_file;
  26
  27struct fscrypt_str {
  28        unsigned char *name;
  29        u32 len;
  30};
  31
  32struct fscrypt_name {
  33        const struct qstr *usr_fname;
  34        struct fscrypt_str disk_name;
  35        u32 hash;
  36        u32 minor_hash;
  37        struct fscrypt_str crypto_buf;
  38        bool is_nokey_name;
  39};
  40
  41#define FSTR_INIT(n, l)         { .name = n, .len = l }
  42#define FSTR_TO_QSTR(f)         QSTR_INIT((f)->name, (f)->len)
  43#define fname_name(p)           ((p)->disk_name.name)
  44#define fname_len(p)            ((p)->disk_name.len)
  45
  46/* Maximum value for the third parameter of fscrypt_operations.set_context(). */
  47#define FSCRYPT_SET_CONTEXT_MAX_SIZE    40
  48
  49#ifdef CONFIG_FS_ENCRYPTION
  50/*
  51 * fscrypt superblock flags
  52 */
  53#define FS_CFLG_OWN_PAGES (1U << 1)
  54
  55/*
  56 * crypto operations for filesystems
  57 */
  58struct fscrypt_operations {
  59        unsigned int flags;
  60        const char *key_prefix;
  61        int (*get_context)(struct inode *inode, void *ctx, size_t len);
  62        int (*set_context)(struct inode *inode, const void *ctx, size_t len,
  63                           void *fs_data);
  64        const union fscrypt_policy *(*get_dummy_policy)(struct super_block *sb);
  65        bool (*empty_dir)(struct inode *inode);
  66        unsigned int max_namelen;
  67        bool (*has_stable_inodes)(struct super_block *sb);
  68        void (*get_ino_and_lblk_bits)(struct super_block *sb,
  69                                      int *ino_bits_ret, int *lblk_bits_ret);
  70        int (*get_num_devices)(struct super_block *sb);
  71        void (*get_devices)(struct super_block *sb,
  72                            struct request_queue **devs);
  73};
  74
  75static inline struct fscrypt_info *fscrypt_get_info(const struct inode *inode)
  76{
  77        /*
  78         * Pairs with the cmpxchg_release() in fscrypt_setup_encryption_info().
  79         * I.e., another task may publish ->i_crypt_info concurrently, executing
  80         * a RELEASE barrier.  We need to use smp_load_acquire() here to safely
  81         * ACQUIRE the memory the other task published.
  82         */
  83        return smp_load_acquire(&inode->i_crypt_info);
  84}
  85
  86/**
  87 * fscrypt_needs_contents_encryption() - check whether an inode needs
  88 *                                       contents encryption
  89 * @inode: the inode to check
  90 *
  91 * Return: %true iff the inode is an encrypted regular file and the kernel was
  92 * built with fscrypt support.
  93 *
  94 * If you need to know whether the encrypt bit is set even when the kernel was
  95 * built without fscrypt support, you must use IS_ENCRYPTED() directly instead.
  96 */
  97static inline bool fscrypt_needs_contents_encryption(const struct inode *inode)
  98{
  99        return IS_ENCRYPTED(inode) && S_ISREG(inode->i_mode);
 100}
 101
 102/*
 103 * When d_splice_alias() moves a directory's no-key alias to its plaintext alias
 104 * as a result of the encryption key being added, DCACHE_NOKEY_NAME must be
 105 * cleared.  Note that we don't have to support arbitrary moves of this flag
 106 * because fscrypt doesn't allow no-key names to be the source or target of a
 107 * rename().
 108 */
 109static inline void fscrypt_handle_d_move(struct dentry *dentry)
 110{
 111        dentry->d_flags &= ~DCACHE_NOKEY_NAME;
 112}
 113
 114/**
 115 * fscrypt_is_nokey_name() - test whether a dentry is a no-key name
 116 * @dentry: the dentry to check
 117 *
 118 * This returns true if the dentry is a no-key dentry.  A no-key dentry is a
 119 * dentry that was created in an encrypted directory that hasn't had its
 120 * encryption key added yet.  Such dentries may be either positive or negative.
 121 *
 122 * When a filesystem is asked to create a new filename in an encrypted directory
 123 * and the new filename's dentry is a no-key dentry, it must fail the operation
 124 * with ENOKEY.  This includes ->create(), ->mkdir(), ->mknod(), ->symlink(),
 125 * ->rename(), and ->link().  (However, ->rename() and ->link() are already
 126 * handled by fscrypt_prepare_rename() and fscrypt_prepare_link().)
 127 *
 128 * This is necessary because creating a filename requires the directory's
 129 * encryption key, but just checking for the key on the directory inode during
 130 * the final filesystem operation doesn't guarantee that the key was available
 131 * during the preceding dentry lookup.  And the key must have already been
 132 * available during the dentry lookup in order for it to have been checked
 133 * whether the filename already exists in the directory and for the new file's
 134 * dentry not to be invalidated due to it incorrectly having the no-key flag.
 135 *
 136 * Return: %true if the dentry is a no-key name
 137 */
 138static inline bool fscrypt_is_nokey_name(const struct dentry *dentry)
 139{
 140        return dentry->d_flags & DCACHE_NOKEY_NAME;
 141}
 142
 143/* crypto.c */
 144void fscrypt_enqueue_decrypt_work(struct work_struct *);
 145
 146struct page *fscrypt_encrypt_pagecache_blocks(struct page *page,
 147                                              unsigned int len,
 148                                              unsigned int offs,
 149                                              gfp_t gfp_flags);
 150int fscrypt_encrypt_block_inplace(const struct inode *inode, struct page *page,
 151                                  unsigned int len, unsigned int offs,
 152                                  u64 lblk_num, gfp_t gfp_flags);
 153
 154int fscrypt_decrypt_pagecache_blocks(struct page *page, unsigned int len,
 155                                     unsigned int offs);
 156int fscrypt_decrypt_block_inplace(const struct inode *inode, struct page *page,
 157                                  unsigned int len, unsigned int offs,
 158                                  u64 lblk_num);
 159
 160static inline bool fscrypt_is_bounce_page(struct page *page)
 161{
 162        return page->mapping == NULL;
 163}
 164
 165static inline struct page *fscrypt_pagecache_page(struct page *bounce_page)
 166{
 167        return (struct page *)page_private(bounce_page);
 168}
 169
 170void fscrypt_free_bounce_page(struct page *bounce_page);
 171
 172/* policy.c */
 173int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg);
 174int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg);
 175int fscrypt_ioctl_get_policy_ex(struct file *filp, void __user *arg);
 176int fscrypt_ioctl_get_nonce(struct file *filp, void __user *arg);
 177int fscrypt_has_permitted_context(struct inode *parent, struct inode *child);
 178int fscrypt_set_context(struct inode *inode, void *fs_data);
 179
 180struct fscrypt_dummy_policy {
 181        const union fscrypt_policy *policy;
 182};
 183
 184int fscrypt_set_test_dummy_encryption(struct super_block *sb, const char *arg,
 185                                struct fscrypt_dummy_policy *dummy_policy);
 186void fscrypt_show_test_dummy_encryption(struct seq_file *seq, char sep,
 187                                        struct super_block *sb);
 188static inline void
 189fscrypt_free_dummy_policy(struct fscrypt_dummy_policy *dummy_policy)
 190{
 191        kfree(dummy_policy->policy);
 192        dummy_policy->policy = NULL;
 193}
 194
 195/* keyring.c */
 196void fscrypt_sb_free(struct super_block *sb);
 197int fscrypt_ioctl_add_key(struct file *filp, void __user *arg);
 198int fscrypt_ioctl_remove_key(struct file *filp, void __user *arg);
 199int fscrypt_ioctl_remove_key_all_users(struct file *filp, void __user *arg);
 200int fscrypt_ioctl_get_key_status(struct file *filp, void __user *arg);
 201
 202/* keysetup.c */
 203int fscrypt_prepare_new_inode(struct inode *dir, struct inode *inode,
 204                              bool *encrypt_ret);
 205void fscrypt_put_encryption_info(struct inode *inode);
 206void fscrypt_free_inode(struct inode *inode);
 207int fscrypt_drop_inode(struct inode *inode);
 208
 209/* fname.c */
 210int fscrypt_setup_filename(struct inode *inode, const struct qstr *iname,
 211                           int lookup, struct fscrypt_name *fname);
 212
 213static inline void fscrypt_free_filename(struct fscrypt_name *fname)
 214{
 215        kfree(fname->crypto_buf.name);
 216}
 217
 218int fscrypt_fname_alloc_buffer(u32 max_encrypted_len,
 219                               struct fscrypt_str *crypto_str);
 220void fscrypt_fname_free_buffer(struct fscrypt_str *crypto_str);
 221int fscrypt_fname_disk_to_usr(const struct inode *inode,
 222                              u32 hash, u32 minor_hash,
 223                              const struct fscrypt_str *iname,
 224                              struct fscrypt_str *oname);
 225bool fscrypt_match_name(const struct fscrypt_name *fname,
 226                        const u8 *de_name, u32 de_name_len);
 227u64 fscrypt_fname_siphash(const struct inode *dir, const struct qstr *name);
 228int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags);
 229
 230/* bio.c */
 231void fscrypt_decrypt_bio(struct bio *bio);
 232int fscrypt_zeroout_range(const struct inode *inode, pgoff_t lblk,
 233                          sector_t pblk, unsigned int len);
 234
 235/* hooks.c */
 236int fscrypt_file_open(struct inode *inode, struct file *filp);
 237int __fscrypt_prepare_link(struct inode *inode, struct inode *dir,
 238                           struct dentry *dentry);
 239int __fscrypt_prepare_rename(struct inode *old_dir, struct dentry *old_dentry,
 240                             struct inode *new_dir, struct dentry *new_dentry,
 241                             unsigned int flags);
 242int __fscrypt_prepare_lookup(struct inode *dir, struct dentry *dentry,
 243                             struct fscrypt_name *fname);
 244int __fscrypt_prepare_readdir(struct inode *dir);
 245int __fscrypt_prepare_setattr(struct dentry *dentry, struct iattr *attr);
 246int fscrypt_prepare_setflags(struct inode *inode,
 247                             unsigned int oldflags, unsigned int flags);
 248int fscrypt_prepare_symlink(struct inode *dir, const char *target,
 249                            unsigned int len, unsigned int max_len,
 250                            struct fscrypt_str *disk_link);
 251int __fscrypt_encrypt_symlink(struct inode *inode, const char *target,
 252                              unsigned int len, struct fscrypt_str *disk_link);
 253const char *fscrypt_get_symlink(struct inode *inode, const void *caddr,
 254                                unsigned int max_size,
 255                                struct delayed_call *done);
 256static inline void fscrypt_set_ops(struct super_block *sb,
 257                                   const struct fscrypt_operations *s_cop)
 258{
 259        sb->s_cop = s_cop;
 260}
 261#else  /* !CONFIG_FS_ENCRYPTION */
 262
 263static inline struct fscrypt_info *fscrypt_get_info(const struct inode *inode)
 264{
 265        return NULL;
 266}
 267
 268static inline bool fscrypt_needs_contents_encryption(const struct inode *inode)
 269{
 270        return false;
 271}
 272
 273static inline void fscrypt_handle_d_move(struct dentry *dentry)
 274{
 275}
 276
 277static inline bool fscrypt_is_nokey_name(const struct dentry *dentry)
 278{
 279        return false;
 280}
 281
 282/* crypto.c */
 283static inline void fscrypt_enqueue_decrypt_work(struct work_struct *work)
 284{
 285}
 286
 287static inline struct page *fscrypt_encrypt_pagecache_blocks(struct page *page,
 288                                                            unsigned int len,
 289                                                            unsigned int offs,
 290                                                            gfp_t gfp_flags)
 291{
 292        return ERR_PTR(-EOPNOTSUPP);
 293}
 294
 295static inline int fscrypt_encrypt_block_inplace(const struct inode *inode,
 296                                                struct page *page,
 297                                                unsigned int len,
 298                                                unsigned int offs, u64 lblk_num,
 299                                                gfp_t gfp_flags)
 300{
 301        return -EOPNOTSUPP;
 302}
 303
 304static inline int fscrypt_decrypt_pagecache_blocks(struct page *page,
 305                                                   unsigned int len,
 306                                                   unsigned int offs)
 307{
 308        return -EOPNOTSUPP;
 309}
 310
 311static inline int fscrypt_decrypt_block_inplace(const struct inode *inode,
 312                                                struct page *page,
 313                                                unsigned int len,
 314                                                unsigned int offs, u64 lblk_num)
 315{
 316        return -EOPNOTSUPP;
 317}
 318
 319static inline bool fscrypt_is_bounce_page(struct page *page)
 320{
 321        return false;
 322}
 323
 324static inline struct page *fscrypt_pagecache_page(struct page *bounce_page)
 325{
 326        WARN_ON_ONCE(1);
 327        return ERR_PTR(-EINVAL);
 328}
 329
 330static inline void fscrypt_free_bounce_page(struct page *bounce_page)
 331{
 332}
 333
 334/* policy.c */
 335static inline int fscrypt_ioctl_set_policy(struct file *filp,
 336                                           const void __user *arg)
 337{
 338        return -EOPNOTSUPP;
 339}
 340
 341static inline int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg)
 342{
 343        return -EOPNOTSUPP;
 344}
 345
 346static inline int fscrypt_ioctl_get_policy_ex(struct file *filp,
 347                                              void __user *arg)
 348{
 349        return -EOPNOTSUPP;
 350}
 351
 352static inline int fscrypt_ioctl_get_nonce(struct file *filp, void __user *arg)
 353{
 354        return -EOPNOTSUPP;
 355}
 356
 357static inline int fscrypt_has_permitted_context(struct inode *parent,
 358                                                struct inode *child)
 359{
 360        return 0;
 361}
 362
 363static inline int fscrypt_set_context(struct inode *inode, void *fs_data)
 364{
 365        return -EOPNOTSUPP;
 366}
 367
 368struct fscrypt_dummy_policy {
 369};
 370
 371static inline void fscrypt_show_test_dummy_encryption(struct seq_file *seq,
 372                                                      char sep,
 373                                                      struct super_block *sb)
 374{
 375}
 376
 377static inline void
 378fscrypt_free_dummy_policy(struct fscrypt_dummy_policy *dummy_policy)
 379{
 380}
 381
 382/* keyring.c */
 383static inline void fscrypt_sb_free(struct super_block *sb)
 384{
 385}
 386
 387static inline int fscrypt_ioctl_add_key(struct file *filp, void __user *arg)
 388{
 389        return -EOPNOTSUPP;
 390}
 391
 392static inline int fscrypt_ioctl_remove_key(struct file *filp, void __user *arg)
 393{
 394        return -EOPNOTSUPP;
 395}
 396
 397static inline int fscrypt_ioctl_remove_key_all_users(struct file *filp,
 398                                                     void __user *arg)
 399{
 400        return -EOPNOTSUPP;
 401}
 402
 403static inline int fscrypt_ioctl_get_key_status(struct file *filp,
 404                                               void __user *arg)
 405{
 406        return -EOPNOTSUPP;
 407}
 408
 409/* keysetup.c */
 410
 411static inline int fscrypt_prepare_new_inode(struct inode *dir,
 412                                            struct inode *inode,
 413                                            bool *encrypt_ret)
 414{
 415        if (IS_ENCRYPTED(dir))
 416                return -EOPNOTSUPP;
 417        return 0;
 418}
 419
 420static inline void fscrypt_put_encryption_info(struct inode *inode)
 421{
 422        return;
 423}
 424
 425static inline void fscrypt_free_inode(struct inode *inode)
 426{
 427}
 428
 429static inline int fscrypt_drop_inode(struct inode *inode)
 430{
 431        return 0;
 432}
 433
 434 /* fname.c */
 435static inline int fscrypt_setup_filename(struct inode *dir,
 436                                         const struct qstr *iname,
 437                                         int lookup, struct fscrypt_name *fname)
 438{
 439        if (IS_ENCRYPTED(dir))
 440                return -EOPNOTSUPP;
 441
 442        memset(fname, 0, sizeof(*fname));
 443        fname->usr_fname = iname;
 444        fname->disk_name.name = (unsigned char *)iname->name;
 445        fname->disk_name.len = iname->len;
 446        return 0;
 447}
 448
 449static inline void fscrypt_free_filename(struct fscrypt_name *fname)
 450{
 451        return;
 452}
 453
 454static inline int fscrypt_fname_alloc_buffer(u32 max_encrypted_len,
 455                                             struct fscrypt_str *crypto_str)
 456{
 457        return -EOPNOTSUPP;
 458}
 459
 460static inline void fscrypt_fname_free_buffer(struct fscrypt_str *crypto_str)
 461{
 462        return;
 463}
 464
 465static inline int fscrypt_fname_disk_to_usr(const struct inode *inode,
 466                                            u32 hash, u32 minor_hash,
 467                                            const struct fscrypt_str *iname,
 468                                            struct fscrypt_str *oname)
 469{
 470        return -EOPNOTSUPP;
 471}
 472
 473static inline bool fscrypt_match_name(const struct fscrypt_name *fname,
 474                                      const u8 *de_name, u32 de_name_len)
 475{
 476        /* Encryption support disabled; use standard comparison */
 477        if (de_name_len != fname->disk_name.len)
 478                return false;
 479        return !memcmp(de_name, fname->disk_name.name, fname->disk_name.len);
 480}
 481
 482static inline u64 fscrypt_fname_siphash(const struct inode *dir,
 483                                        const struct qstr *name)
 484{
 485        WARN_ON_ONCE(1);
 486        return 0;
 487}
 488
 489static inline int fscrypt_d_revalidate(struct dentry *dentry,
 490                                       unsigned int flags)
 491{
 492        return 1;
 493}
 494
 495/* bio.c */
 496static inline void fscrypt_decrypt_bio(struct bio *bio)
 497{
 498}
 499
 500static inline int fscrypt_zeroout_range(const struct inode *inode, pgoff_t lblk,
 501                                        sector_t pblk, unsigned int len)
 502{
 503        return -EOPNOTSUPP;
 504}
 505
 506/* hooks.c */
 507
 508static inline int fscrypt_file_open(struct inode *inode, struct file *filp)
 509{
 510        if (IS_ENCRYPTED(inode))
 511                return -EOPNOTSUPP;
 512        return 0;
 513}
 514
 515static inline int __fscrypt_prepare_link(struct inode *inode, struct inode *dir,
 516                                         struct dentry *dentry)
 517{
 518        return -EOPNOTSUPP;
 519}
 520
 521static inline int __fscrypt_prepare_rename(struct inode *old_dir,
 522                                           struct dentry *old_dentry,
 523                                           struct inode *new_dir,
 524                                           struct dentry *new_dentry,
 525                                           unsigned int flags)
 526{
 527        return -EOPNOTSUPP;
 528}
 529
 530static inline int __fscrypt_prepare_lookup(struct inode *dir,
 531                                           struct dentry *dentry,
 532                                           struct fscrypt_name *fname)
 533{
 534        return -EOPNOTSUPP;
 535}
 536
 537static inline int __fscrypt_prepare_readdir(struct inode *dir)
 538{
 539        return -EOPNOTSUPP;
 540}
 541
 542static inline int __fscrypt_prepare_setattr(struct dentry *dentry,
 543                                            struct iattr *attr)
 544{
 545        return -EOPNOTSUPP;
 546}
 547
 548static inline int fscrypt_prepare_setflags(struct inode *inode,
 549                                           unsigned int oldflags,
 550                                           unsigned int flags)
 551{
 552        return 0;
 553}
 554
 555static inline int fscrypt_prepare_symlink(struct inode *dir,
 556                                          const char *target,
 557                                          unsigned int len,
 558                                          unsigned int max_len,
 559                                          struct fscrypt_str *disk_link)
 560{
 561        if (IS_ENCRYPTED(dir))
 562                return -EOPNOTSUPP;
 563        disk_link->name = (unsigned char *)target;
 564        disk_link->len = len + 1;
 565        if (disk_link->len > max_len)
 566                return -ENAMETOOLONG;
 567        return 0;
 568}
 569
 570static inline int __fscrypt_encrypt_symlink(struct inode *inode,
 571                                            const char *target,
 572                                            unsigned int len,
 573                                            struct fscrypt_str *disk_link)
 574{
 575        return -EOPNOTSUPP;
 576}
 577
 578static inline const char *fscrypt_get_symlink(struct inode *inode,
 579                                              const void *caddr,
 580                                              unsigned int max_size,
 581                                              struct delayed_call *done)
 582{
 583        return ERR_PTR(-EOPNOTSUPP);
 584}
 585
 586static inline void fscrypt_set_ops(struct super_block *sb,
 587                                   const struct fscrypt_operations *s_cop)
 588{
 589}
 590
 591#endif  /* !CONFIG_FS_ENCRYPTION */
 592
 593/* inline_crypt.c */
 594#ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
 595
 596bool __fscrypt_inode_uses_inline_crypto(const struct inode *inode);
 597
 598void fscrypt_set_bio_crypt_ctx(struct bio *bio,
 599                               const struct inode *inode, u64 first_lblk,
 600                               gfp_t gfp_mask);
 601
 602void fscrypt_set_bio_crypt_ctx_bh(struct bio *bio,
 603                                  const struct buffer_head *first_bh,
 604                                  gfp_t gfp_mask);
 605
 606bool fscrypt_mergeable_bio(struct bio *bio, const struct inode *inode,
 607                           u64 next_lblk);
 608
 609bool fscrypt_mergeable_bio_bh(struct bio *bio,
 610                              const struct buffer_head *next_bh);
 611
 612#else /* CONFIG_FS_ENCRYPTION_INLINE_CRYPT */
 613
 614static inline bool __fscrypt_inode_uses_inline_crypto(const struct inode *inode)
 615{
 616        return false;
 617}
 618
 619static inline void fscrypt_set_bio_crypt_ctx(struct bio *bio,
 620                                             const struct inode *inode,
 621                                             u64 first_lblk, gfp_t gfp_mask) { }
 622
 623static inline void fscrypt_set_bio_crypt_ctx_bh(
 624                                         struct bio *bio,
 625                                         const struct buffer_head *first_bh,
 626                                         gfp_t gfp_mask) { }
 627
 628static inline bool fscrypt_mergeable_bio(struct bio *bio,
 629                                         const struct inode *inode,
 630                                         u64 next_lblk)
 631{
 632        return true;
 633}
 634
 635static inline bool fscrypt_mergeable_bio_bh(struct bio *bio,
 636                                            const struct buffer_head *next_bh)
 637{
 638        return true;
 639}
 640#endif /* !CONFIG_FS_ENCRYPTION_INLINE_CRYPT */
 641
 642/**
 643 * fscrypt_inode_uses_inline_crypto() - test whether an inode uses inline
 644 *                                      encryption
 645 * @inode: an inode. If encrypted, its key must be set up.
 646 *
 647 * Return: true if the inode requires file contents encryption and if the
 648 *         encryption should be done in the block layer via blk-crypto rather
 649 *         than in the filesystem layer.
 650 */
 651static inline bool fscrypt_inode_uses_inline_crypto(const struct inode *inode)
 652{
 653        return fscrypt_needs_contents_encryption(inode) &&
 654               __fscrypt_inode_uses_inline_crypto(inode);
 655}
 656
 657/**
 658 * fscrypt_inode_uses_fs_layer_crypto() - test whether an inode uses fs-layer
 659 *                                        encryption
 660 * @inode: an inode. If encrypted, its key must be set up.
 661 *
 662 * Return: true if the inode requires file contents encryption and if the
 663 *         encryption should be done in the filesystem layer rather than in the
 664 *         block layer via blk-crypto.
 665 */
 666static inline bool fscrypt_inode_uses_fs_layer_crypto(const struct inode *inode)
 667{
 668        return fscrypt_needs_contents_encryption(inode) &&
 669               !__fscrypt_inode_uses_inline_crypto(inode);
 670}
 671
 672/**
 673 * fscrypt_has_encryption_key() - check whether an inode has had its key set up
 674 * @inode: the inode to check
 675 *
 676 * Return: %true if the inode has had its encryption key set up, else %false.
 677 *
 678 * Usually this should be preceded by fscrypt_get_encryption_info() to try to
 679 * set up the key first.
 680 */
 681static inline bool fscrypt_has_encryption_key(const struct inode *inode)
 682{
 683        return fscrypt_get_info(inode) != NULL;
 684}
 685
 686/**
 687 * fscrypt_prepare_link() - prepare to link an inode into a possibly-encrypted
 688 *                          directory
 689 * @old_dentry: an existing dentry for the inode being linked
 690 * @dir: the target directory
 691 * @dentry: negative dentry for the target filename
 692 *
 693 * A new link can only be added to an encrypted directory if the directory's
 694 * encryption key is available --- since otherwise we'd have no way to encrypt
 695 * the filename.
 696 *
 697 * We also verify that the link will not violate the constraint that all files
 698 * in an encrypted directory tree use the same encryption policy.
 699 *
 700 * Return: 0 on success, -ENOKEY if the directory's encryption key is missing,
 701 * -EXDEV if the link would result in an inconsistent encryption policy, or
 702 * another -errno code.
 703 */
 704static inline int fscrypt_prepare_link(struct dentry *old_dentry,
 705                                       struct inode *dir,
 706                                       struct dentry *dentry)
 707{
 708        if (IS_ENCRYPTED(dir))
 709                return __fscrypt_prepare_link(d_inode(old_dentry), dir, dentry);
 710        return 0;
 711}
 712
 713/**
 714 * fscrypt_prepare_rename() - prepare for a rename between possibly-encrypted
 715 *                            directories
 716 * @old_dir: source directory
 717 * @old_dentry: dentry for source file
 718 * @new_dir: target directory
 719 * @new_dentry: dentry for target location (may be negative unless exchanging)
 720 * @flags: rename flags (we care at least about %RENAME_EXCHANGE)
 721 *
 722 * Prepare for ->rename() where the source and/or target directories may be
 723 * encrypted.  A new link can only be added to an encrypted directory if the
 724 * directory's encryption key is available --- since otherwise we'd have no way
 725 * to encrypt the filename.  A rename to an existing name, on the other hand,
 726 * *is* cryptographically possible without the key.  However, we take the more
 727 * conservative approach and just forbid all no-key renames.
 728 *
 729 * We also verify that the rename will not violate the constraint that all files
 730 * in an encrypted directory tree use the same encryption policy.
 731 *
 732 * Return: 0 on success, -ENOKEY if an encryption key is missing, -EXDEV if the
 733 * rename would cause inconsistent encryption policies, or another -errno code.
 734 */
 735static inline int fscrypt_prepare_rename(struct inode *old_dir,
 736                                         struct dentry *old_dentry,
 737                                         struct inode *new_dir,
 738                                         struct dentry *new_dentry,
 739                                         unsigned int flags)
 740{
 741        if (IS_ENCRYPTED(old_dir) || IS_ENCRYPTED(new_dir))
 742                return __fscrypt_prepare_rename(old_dir, old_dentry,
 743                                                new_dir, new_dentry, flags);
 744        return 0;
 745}
 746
 747/**
 748 * fscrypt_prepare_lookup() - prepare to lookup a name in a possibly-encrypted
 749 *                            directory
 750 * @dir: directory being searched
 751 * @dentry: filename being looked up
 752 * @fname: (output) the name to use to search the on-disk directory
 753 *
 754 * Prepare for ->lookup() in a directory which may be encrypted by determining
 755 * the name that will actually be used to search the directory on-disk.  If the
 756 * directory's encryption policy is supported by this kernel and its encryption
 757 * key is available, then the lookup is assumed to be by plaintext name;
 758 * otherwise, it is assumed to be by no-key name.
 759 *
 760 * This will set DCACHE_NOKEY_NAME on the dentry if the lookup is by no-key
 761 * name.  In this case the filesystem must assign the dentry a dentry_operations
 762 * which contains fscrypt_d_revalidate (or contains a d_revalidate method that
 763 * calls fscrypt_d_revalidate), so that the dentry will be invalidated if the
 764 * directory's encryption key is later added.
 765 *
 766 * Return: 0 on success; -ENOENT if the directory's key is unavailable but the
 767 * filename isn't a valid no-key name, so a negative dentry should be created;
 768 * or another -errno code.
 769 */
 770static inline int fscrypt_prepare_lookup(struct inode *dir,
 771                                         struct dentry *dentry,
 772                                         struct fscrypt_name *fname)
 773{
 774        if (IS_ENCRYPTED(dir))
 775                return __fscrypt_prepare_lookup(dir, dentry, fname);
 776
 777        memset(fname, 0, sizeof(*fname));
 778        fname->usr_fname = &dentry->d_name;
 779        fname->disk_name.name = (unsigned char *)dentry->d_name.name;
 780        fname->disk_name.len = dentry->d_name.len;
 781        return 0;
 782}
 783
 784/**
 785 * fscrypt_prepare_readdir() - prepare to read a possibly-encrypted directory
 786 * @dir: the directory inode
 787 *
 788 * If the directory is encrypted and it doesn't already have its encryption key
 789 * set up, try to set it up so that the filenames will be listed in plaintext
 790 * form rather than in no-key form.
 791 *
 792 * Return: 0 on success; -errno on error.  Note that the encryption key being
 793 *         unavailable is not considered an error.  It is also not an error if
 794 *         the encryption policy is unsupported by this kernel; that is treated
 795 *         like the key being unavailable, so that files can still be deleted.
 796 */
 797static inline int fscrypt_prepare_readdir(struct inode *dir)
 798{
 799        if (IS_ENCRYPTED(dir))
 800                return __fscrypt_prepare_readdir(dir);
 801        return 0;
 802}
 803
 804/**
 805 * fscrypt_prepare_setattr() - prepare to change a possibly-encrypted inode's
 806 *                             attributes
 807 * @dentry: dentry through which the inode is being changed
 808 * @attr: attributes to change
 809 *
 810 * Prepare for ->setattr() on a possibly-encrypted inode.  On an encrypted file,
 811 * most attribute changes are allowed even without the encryption key.  However,
 812 * without the encryption key we do have to forbid truncates.  This is needed
 813 * because the size being truncated to may not be a multiple of the filesystem
 814 * block size, and in that case we'd have to decrypt the final block, zero the
 815 * portion past i_size, and re-encrypt it.  (We *could* allow truncating to a
 816 * filesystem block boundary, but it's simpler to just forbid all truncates ---
 817 * and we already forbid all other contents modifications without the key.)
 818 *
 819 * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
 820 * if a problem occurred while setting up the encryption key.
 821 */
 822static inline int fscrypt_prepare_setattr(struct dentry *dentry,
 823                                          struct iattr *attr)
 824{
 825        if (IS_ENCRYPTED(d_inode(dentry)))
 826                return __fscrypt_prepare_setattr(dentry, attr);
 827        return 0;
 828}
 829
 830/**
 831 * fscrypt_encrypt_symlink() - encrypt the symlink target if needed
 832 * @inode: symlink inode
 833 * @target: plaintext symlink target
 834 * @len: length of @target excluding null terminator
 835 * @disk_link: (in/out) the on-disk symlink target being prepared
 836 *
 837 * If the symlink target needs to be encrypted, then this function encrypts it
 838 * into @disk_link->name.  fscrypt_prepare_symlink() must have been called
 839 * previously to compute @disk_link->len.  If the filesystem did not allocate a
 840 * buffer for @disk_link->name after calling fscrypt_prepare_link(), then one
 841 * will be kmalloc()'ed and the filesystem will be responsible for freeing it.
 842 *
 843 * Return: 0 on success, -errno on failure
 844 */
 845static inline int fscrypt_encrypt_symlink(struct inode *inode,
 846                                          const char *target,
 847                                          unsigned int len,
 848                                          struct fscrypt_str *disk_link)
 849{
 850        if (IS_ENCRYPTED(inode))
 851                return __fscrypt_encrypt_symlink(inode, target, len, disk_link);
 852        return 0;
 853}
 854
 855/* If *pagep is a bounce page, free it and set *pagep to the pagecache page */
 856static inline void fscrypt_finalize_bounce_page(struct page **pagep)
 857{
 858        struct page *page = *pagep;
 859
 860        if (fscrypt_is_bounce_page(page)) {
 861                *pagep = fscrypt_pagecache_page(page);
 862                fscrypt_free_bounce_page(page);
 863        }
 864}
 865
 866#endif  /* _LINUX_FSCRYPT_H */
 867
Hosted by Missing Link Electronics. The original LXR software by the LXR community, this experimental version by lxr@linux.no.