[v4,03/46] fscrypt: add a fscrypt_inode_open helper

Message ID	32beea11211858a998ba2de88d01471c31004f2d.1701468306.git.josef@toxicpanda.com (mailing list archive)
State	New
Headers	show Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=toxicpanda-com.20230601.gappssmtp.com header.i=@toxicpanda-com.20230601.gappssmtp.com header.b="1Fbb68g2" From: Josef Bacik <josef@toxicpanda.com> To: linux-btrfs@vger.kernel.org, kernel-team@fb.com, linux-fsdevel@vger.kernel.org Subject: [PATCH v4 03/46] fscrypt: add a fscrypt_inode_open helper Date: Fri, 1 Dec 2023 17:11:00 -0500 Message-ID: <32beea11211858a998ba2de88d01471c31004f2d.1701468306.git.josef@toxicpanda.com> In-Reply-To: <cover.1701468305.git.josef@toxicpanda.com> References: <cover.1701468305.git.josef@toxicpanda.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	btrfs: add fscrypt support \| expand [v4,00/46] btrfs: add fscrypt support [v4,01/46] fs: move fscrypt keyring destruction to after ->put_super [v4,02/46] fscrypt: add per-extent encryption support [v4,03/46] fscrypt: add a fscrypt_inode_open helper [v4,04/46] fscrypt: conditionally don't wipe mk secret until the last active user is done [v4,05/46] blk-crypto: add a process bio callback [v4,06/46] fscrypt: expose fscrypt_nokey_name [v4,07/46] fscrypt: add documentation about extent encryption [v4,08/46] btrfs: add infrastructure for safe em freeing [v4,09/46] btrfs: disable various operations on encrypted inodes [v4,10/46] btrfs: disable verity on encrypted inodes [v4,11/46] btrfs: start using fscrypt hooks [v4,12/46] btrfs: add inode encryption contexts [v4,13/46] btrfs: add new FEATURE_INCOMPAT_ENCRYPT flag [v4,14/46] btrfs: adapt readdir for encrypted and nokey names [v4,15/46] btrfs: handle nokey names. [v4,16/46] btrfs: implement fscrypt ioctls [v4,17/46] btrfs: add encryption to CONFIG_BTRFS_DEBUG [v4,18/46] btrfs: add get_devices hook for fscrypt [v4,19/46] btrfs: turn on inlinecrypt mount option for encrypt [v4,20/46] btrfs: set file extent encryption excplicitly [v4,21/46] btrfs: add fscrypt_info and encryption_type to extent_map [v4,22/46] btrfs: add fscrypt_info and encryption_type to ordered_extent [v4,23/46] btrfs: plumb through setting the fscrypt_info for ordered extents [v4,24/46] btrfs: plumb the fscrypt extent context through create_io_em [v4,25/46] btrfs: populate the ordered_extent with the fscrypt context [v4,26/46] btrfs: keep track of fscrypt info and orig_start for dio reads [v4,27/46] btrfs: add an optional encryption context to the end of file extents [v4,28/46] btrfs: explicitly track file extent length for replace and drop [v4,29/46] btrfs: pass through fscrypt_extent_info to the file extent helpers [v4,30/46] btrfs: pass the fscrypt_info through the replace extent infrastructure [v4,31/46] btrfs: implement the fscrypt extent encryption hooks [v4,32/46] btrfs: setup fscrypt_extent_info for new extents [v4,33/46] btrfs: populate ordered_extent with the orig offset [v4,34/46] btrfs: set the bio fscrypt context when applicable [v4,35/46] btrfs: add a bio argument to btrfs_csum_one_bio [v4,36/46] btrfs: add orig_logical to btrfs_bio [v4,37/46] btrfs: limit encrypted writes to 256 segments [v4,38/46] btrfs: implement process_bio cb for fscrypt [v4,39/46] btrfs: add test_dummy_encryption support [v4,40/46] btrfs: don't rewrite ret from inode_permission [v4,41/46] btrfs: move inode_to_path higher in backref.c [v4,42/46] btrfs: make btrfs_ref_to_path handle encrypted filenames [v4,43/46] btrfs: don't search back for dir inode item in INO_LOOKUP_USER [v4,44/46] btrfs: deal with encrypted symlinks in send [v4,45/46] btrfs: decrypt file names for send [v4,46/46] btrfs: load the inode context before sending writes

Message ID

32beea11211858a998ba2de88d01471c31004f2d.1701468306.git.josef@toxicpanda.com (mailing list archive)

State

New

Headers

From: Josef Bacik <josef@toxicpanda.com>
To: linux-btrfs@vger.kernel.org,
	kernel-team@fb.com,
	linux-fsdevel@vger.kernel.org
Subject: [PATCH v4 03/46] fscrypt: add a fscrypt_inode_open helper
Date: Fri,  1 Dec 2023 17:11:00 -0500
Message-ID: 
 <32beea11211858a998ba2de88d01471c31004f2d.1701468306.git.josef@toxicpanda.com>
In-Reply-To: <cover.1701468305.git.josef@toxicpanda.com>
References: <cover.1701468305.git.josef@toxicpanda.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

btrfs: add fscrypt support | expand

Commit Message

Josef Bacik Dec. 1, 2023, 10:11 p.m. UTC

We have fscrypt_file_open() which is meant to be called on files being
opened so that their key is loaded when we start reading data from them.

However for btrfs send we are opening the inode directly without a filp,
so we need a different helper to make sure we can load the fscrypt
context for the inode before reading its contents.

We need a different helper as opposed to simply using
fscrypt_has_permitted_context() directly because of '-o
test_dummy_encryption', which allows for encrypted files to be created
with !IS_ENCRYPTED set on the directory (the root directory in this
case).  fscrypt_file_open() already does the appropriate check where it
simply doesn't call fscrypt_has_permitted_context() if the parent
directory isn't marked with IS_ENCRYPTED in order to facilitate this
invariant when using '-o test_dummy_encryption'.

Signed-off-by: Josef Bacik <josef@toxicpanda.com>
---
 fs/crypto/hooks.c       | 42 +++++++++++++++++++++++++++++++++++++++++
 include/linux/fscrypt.h |  8 ++++++++
 2 files changed, 50 insertions(+)

Comments

Eric Biggers Dec. 5, 2023, 4:14 a.m. UTC | #1

On Fri, Dec 01, 2023 at 05:11:00PM -0500, Josef Bacik wrote:
> We have fscrypt_file_open() which is meant to be called on files being
> opened so that their key is loaded when we start reading data from them.
> 
> However for btrfs send we are opening the inode directly without a filp,
> so we need a different helper to make sure we can load the fscrypt
> context for the inode before reading its contents.
> 
> We need a different helper as opposed to simply using
> fscrypt_has_permitted_context() directly because of '-o
> test_dummy_encryption', which allows for encrypted files to be created
> with !IS_ENCRYPTED set on the directory (the root directory in this
> case).  fscrypt_file_open() already does the appropriate check where it
> simply doesn't call fscrypt_has_permitted_context() if the parent
> directory isn't marked with IS_ENCRYPTED in order to facilitate this
> invariant when using '-o test_dummy_encryption'.
> 
> Signed-off-by: Josef Bacik <josef@toxicpanda.com>
> ---
>  fs/crypto/hooks.c       | 42 +++++++++++++++++++++++++++++++++++++++++
>  include/linux/fscrypt.h |  8 ++++++++
>  2 files changed, 50 insertions(+)
> 
> diff --git a/fs/crypto/hooks.c b/fs/crypto/hooks.c
> index 52504dd478d3..a391a987c58f 100644
> --- a/fs/crypto/hooks.c
> +++ b/fs/crypto/hooks.c
> @@ -49,6 +49,48 @@ int fscrypt_file_open(struct inode *inode, struct file *filp)
>  }
>  EXPORT_SYMBOL_GPL(fscrypt_file_open);
>  
> +/**
> + * fscrypt_inode_open() - prepare to open a possibly-encrypted regular file
> + * @dir: the directory that contains this inode
> + * @inode: the inode being opened
> + *
> + * Currently, an encrypted regular file can only be opened if its encryption key
> + * is available; access to the raw encrypted contents is not supported.
> + * Therefore, we first set up the inode's encryption key (if not already done)
> + * and return an error if it's unavailable.
> + *
> + * We also verify that if the parent directory is encrypted, then the inode
> + * being opened uses the same encryption policy.  This is needed as part of the
> + * enforcement that all files in an encrypted directory tree use the same
> + * encryption policy, as a protection against certain types of offline attacks.
> + * Note that this check is needed even when opening an *unencrypted* file, since
> + * it's forbidden to have an unencrypted file in an encrypted directory.
> + *
> + * File systems should be using fscrypt_file_open in their open callback.  This
> + * is for file systems that may need to open inodes outside of the normal file
> + * open path, btrfs send for example.
> + *
> + * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
> + */
> +int fscrypt_inode_open(struct inode *dir, struct inode *inode)
> +{
> +	int err;
> +
> +	err = fscrypt_require_key(inode);
> +	if (err)
> +		return err;
> +
> +	if (IS_ENCRYPTED(dir) &&
> +	    !fscrypt_has_permitted_context(dir, inode)) {
> +		fscrypt_warn(inode,
> +			     "Inconsistent encryption context (parent directory: %lu)",
> +			     dir->i_ino);
> +		err = -EPERM;
> +	}
> +	return err;
> +}
> +EXPORT_SYMBOL_GPL(fscrypt_inode_open);

The comment and code is heavily copy+pasted from fscrypt_file_open(), which is
not great.  How about naming the new function __fscrypt_file_open(),
implementing fscrypt_file_open() on top of it, and making the comment describe
the differences vs. fscrypt_file_open()?

So fscrypt_file_open() would do:

	struct inode *dir;
	int err;

	dir = dget_parent(file_dentry(filp));

	err = __fscrypt_file_open(dir, filp);

	dput(dir);
	return err;

... and the comment for the new function would be something like:

/**
 * __fscrypt_file_open() - prepare for filesystem-internal access to a
 *			   possibly-encrypted regular file
 * @dir: the inode for the directory via which the file is being accessed
 * @inode: the inode being "opened"
 *
 * This is like fscrypt_file_open(), but instead of taking the 'struct file'
 * being opened it takes the parent directory explicitly.  This is intended for
 * use cases such as "send/receive" which involve the filesystem accessing file
 * contents without setting up a 'struct file'.
 *
 * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
 */
int __fscrypt_file_open(struct inode *dir, struct inode *inode)


Note, we need to be careful when describing "@dir".  It's not simply "the
directory that contains this inode".  An inode can be in multiple directories.

- Eric

diff --git a/fs/crypto/hooks.c b/fs/crypto/hooks.c
index 52504dd478d3..a391a987c58f 100644
--- a/fs/crypto/hooks.c
+++ b/fs/crypto/hooks.c
@@ -49,6 +49,48 @@  int fscrypt_file_open(struct inode *inode, struct file *filp)
 }
 EXPORT_SYMBOL_GPL(fscrypt_file_open);
 
+/**
+ * fscrypt_inode_open() - prepare to open a possibly-encrypted regular file
+ * @dir: the directory that contains this inode
+ * @inode: the inode being opened
+ *
+ * Currently, an encrypted regular file can only be opened if its encryption key
+ * is available; access to the raw encrypted contents is not supported.
+ * Therefore, we first set up the inode's encryption key (if not already done)
+ * and return an error if it's unavailable.
+ *
+ * We also verify that if the parent directory is encrypted, then the inode
+ * being opened uses the same encryption policy.  This is needed as part of the
+ * enforcement that all files in an encrypted directory tree use the same
+ * encryption policy, as a protection against certain types of offline attacks.
+ * Note that this check is needed even when opening an *unencrypted* file, since
+ * it's forbidden to have an unencrypted file in an encrypted directory.
+ *
+ * File systems should be using fscrypt_file_open in their open callback.  This
+ * is for file systems that may need to open inodes outside of the normal file
+ * open path, btrfs send for example.
+ *
+ * Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
+ */
+int fscrypt_inode_open(struct inode *dir, struct inode *inode)
+{
+	int err;
+
+	err = fscrypt_require_key(inode);
+	if (err)
+		return err;
+
+	if (IS_ENCRYPTED(dir) &&
+	    !fscrypt_has_permitted_context(dir, inode)) {
+		fscrypt_warn(inode,
+			     "Inconsistent encryption context (parent directory: %lu)",
+			     dir->i_ino);
+		err = -EPERM;
+	}
+	return err;
+}
+EXPORT_SYMBOL_GPL(fscrypt_inode_open);
+
 int __fscrypt_prepare_link(struct inode *inode, struct inode *dir,
 			   struct dentry *dentry)
 {
diff --git a/include/linux/fscrypt.h b/include/linux/fscrypt.h
index ea8fdc6f3b83..756f23fc3e83 100644
--- a/include/linux/fscrypt.h
+++ b/include/linux/fscrypt.h
@@ -394,6 +394,7 @@  int fscrypt_zeroout_range(const struct inode *inode, pgoff_t lblk,
 
 /* hooks.c */
 int fscrypt_file_open(struct inode *inode, struct file *filp);
+int fscrypt_inode_open(struct inode *dir, struct inode *inode);
 int __fscrypt_prepare_link(struct inode *inode, struct inode *dir,
 			   struct dentry *dentry);
 int __fscrypt_prepare_rename(struct inode *old_dir, struct dentry *old_dentry,
@@ -738,6 +739,13 @@  static inline int fscrypt_file_open(struct inode *inode, struct file *filp)
 	return 0;
 }
 
+static inline int fscrypt_inode_open(struct inode *dir, struct inode *inode)
+{
+	if (IS_ENCRYPTED(inode))
+		return -EOPNOTSUPP;
+	return 0;
+}
+
 static inline int __fscrypt_prepare_link(struct inode *inode, struct inode *dir,
 					 struct dentry *dentry)
 {

[v4,03/46] fscrypt: add a fscrypt_inode_open helper

Commit Message

Comments

Patch