From patchwork Wed Sep 20 22:45:46 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 9962857
From: Eric Biggers
To: linux-fscrypt@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, linux-mtd@lists.infradead.org, "Theodore Y . Ts'o", Jaegeuk Kim, Michael Halcrow, Eric Biggers
Subject: [PATCH 06/25] fscrypt: new helper function - fscrypt_file_open()
Date: Wed, 20 Sep 2017 15:45:46 -0700
Message-Id: <20170920224605.22030-7-ebiggers3@gmail.com>
In-Reply-To: <20170920224605.22030-1-ebiggers3@gmail.com>
References: <20170920224605.22030-1-ebiggers3@gmail.com>

From: Eric Biggers

Add a helper function which prepares to open a regular file which may be encrypted. It handles setting up the file's encryption key, then checking that the file's encryption policy matches that of its parent directory (if the parent directory is encrypted). It may be set as the ->open() method or it can be called from another ->open() method.

Signed-off-by: Eric Biggers

--- fs/crypto/Makefile | 2 +- fs/crypto/hooks.c | 49 +++++++++++++++++++++++++++++++++++++++++ include/linux/fscrypt_notsupp.h | 7 ++++++ include/linux/fscrypt_supp.h | 2 ++ 4 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 fs/crypto/hooks.c diff --git a/fs/crypto/Makefile b/fs/crypto/Makefile index 9f6607f17b53..cb496989a6b6 100644 --- a/fs/crypto/Makefile +++ b/fs/crypto/Makefile @@ -1,4 +1,4 @@ obj-$(CONFIG_FS_ENCRYPTION) += fscrypto.o -fscrypto-y := crypto.o fname.o policy.o keyinfo.o +fscrypto-y := crypto.o fname.o hooks.o keyinfo.o policy.o fscrypto-$(CONFIG_BLOCK) += bio.o diff --git a/fs/crypto/hooks.c b/fs/crypto/hooks.c new file mode 100644 index 000000000000..069088e91ea9 --- /dev/null +++ b/fs/crypto/hooks.c 
@@ -0,0 +1,49 @@ +/* + * fs/crypto/hooks.c + * + * Encryption hooks for higher-level filesystem operations. + */ + +#include +#include "fscrypt_private.h" + +/** + * fscrypt_file_open - prepare to open a possibly-encrypted regular file + * @inode: the inode being opened + * @filp: the struct file being set up + * + * Currently, an encrypted regular file can only be opened if its encryption key + * is available; access to the raw encrypted contents is not supported. + * Therefore, we first set up the inode's encryption key (if not already done) + * and return an error if it's unavailable. + * + * We also verify that if the parent directory (from the path via which the file + * is being opened) is encrypted, then the inode being opened uses the same + * encryption policy. This is needed as part of the enforcement that all files + * in an encrypted directory tree use the same encryption policy, as a + * protection against certain types of offline attacks. Note that this check is + * needed even when opening an *unencrypted* file, since it's forbidden to have + * an unencrypted file in an encrypted directory. + * + * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code + */ +int fscrypt_file_open(struct inode *inode, struct file *filp) +{ + int err; + struct dentry *dir; + + err = fscrypt_require_key(inode); + if (err) + return err; + + dir = dget_parent(file_dentry(filp)); + if (IS_ENCRYPTED(d_inode(dir)) && + !fscrypt_has_permitted_context(d_inode(dir), inode)) { + pr_warn_ratelimited("fscrypt: inconsistent encryption contexts: %lu/%lu", + d_inode(dir)->i_ino, inode->i_ino); + err = -EPERM; + } + dput(dir); + return err; +} +EXPORT_SYMBOL_GPL(fscrypt_file_open); diff --git a/include/linux/fscrypt_notsupp.h b/include/linux/fscrypt_notsupp.h index 3cfc953fef71..99e8ee6f2ce4 100644 --- a/include/linux/fscrypt_notsupp.h +++ b/include/linux/fscrypt_notsupp.h 
@@ -182,4 +182,11 @@ static inline int fscrypt_require_key(struct inode *inode) return 0; } +static inline int fscrypt_file_open(struct inode *inode, struct file *filp) +{ + if (IS_ENCRYPTED(inode)) + return -EOPNOTSUPP; + return 0; +} + #endif /* _LINUX_FSCRYPT_NOTSUPP_H */ diff --git a/include/linux/fscrypt_supp.h b/include/linux/fscrypt_supp.h index b6d4b5d303a3..521f15adf83c 100644 --- a/include/linux/fscrypt_supp.h +++ b/include/linux/fscrypt_supp.h @@ -170,4 +170,6 @@ static inline int fscrypt_require_key(struct inode *inode) return 0; } +extern int fscrypt_file_open(struct inode *inode, struct file *filp); + #endif /* _LINUX_FSCRYPT_SUPP_H */
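
Review bot: the fscrypto-y line in the fs/crypto/Makefile hunk reorders keyinfo.o and policy.o in addition to adding hooks.o, and the commit message does not mention it. Either note the alphabetical re-sort in the changelog or keep the hunk to the hooks.o addition, so that the diff for this patch shows only the new object.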
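
Review bot: the pr_warn_ratelimited() format string in fscrypt_file_open() (fs/crypto/hooks.c), "fscrypt: inconsistent encryption contexts: %lu/%lu", has no trailing "\n"; kernel log messages should end with a newline so the record is not treated as an unfinished line. In the same function, the kernel-doc "Return:" line names only -ENOKEY, while the policy-mismatch branch returns -EPERM; list -EPERM explicitly so callers and anyone triaging a failed open can tell a missing key from an inconsistent-context rejection. The warning also identifies the directory and file by inode number alone, which is ambiguous on a system with more than one encrypted filesystem; consider adding the superblock id (inode->i_sb->s_id) to the message.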
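
Review bot: the fscrypt_file_open() stub in include/linux/fscrypt_notsupp.h returns 0 for every unencrypted inode without looking at the parent directory, whereas the kernel-doc added in hooks.c states that the parent check "is needed even when opening an *unencrypted* file". With encryption support compiled out, an unencrypted file under an encrypted directory therefore opens successfully, where the full implementation returns -EPERM. If that difference is intended, add a short comment on the stub saying why the parent-policy check is skipped; if not, the stub needs to test IS_ENCRYPTED() on the parent as well.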