mirror of https://github.com/OpenIPC/firmware.git
263 lines
8.2 KiB
Diff
263 lines
8.2 KiB
Diff
diff -drupN a/fs/crypto/policy.c b/fs/crypto/policy.c
|
|
--- a/fs/crypto/policy.c 2018-08-06 17:23:04.000000000 +0300
|
|
+++ b/fs/crypto/policy.c 2022-06-12 05:28:14.000000000 +0300
|
|
@@ -10,76 +10,37 @@
|
|
|
|
#include <linux/random.h>
|
|
#include <linux/string.h>
|
|
-#include <linux/fscrypto.h>
|
|
#include <linux/mount.h>
|
|
-
|
|
-static int inode_has_encryption_context(struct inode *inode)
|
|
-{
|
|
- if (!inode->i_sb->s_cop->get_context)
|
|
- return 0;
|
|
- return (inode->i_sb->s_cop->get_context(inode, NULL, 0L) > 0);
|
|
-}
|
|
+#include "fscrypt_private.h"
|
|
|
|
/*
|
|
- * check whether the policy is consistent with the encryption context
|
|
- * for the inode
|
|
+ * check whether an encryption policy is consistent with an encryption context
|
|
*/
|
|
-static int is_encryption_context_consistent_with_policy(struct inode *inode,
|
|
+static bool is_encryption_context_consistent_with_policy(
|
|
+ const struct fscrypt_context *ctx,
|
|
const struct fscrypt_policy *policy)
|
|
{
|
|
- struct fscrypt_context ctx;
|
|
- int res;
|
|
-
|
|
- if (!inode->i_sb->s_cop->get_context)
|
|
- return 0;
|
|
-
|
|
- res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
|
|
- if (res != sizeof(ctx))
|
|
- return 0;
|
|
-
|
|
- return (memcmp(ctx.master_key_descriptor, policy->master_key_descriptor,
|
|
- FS_KEY_DESCRIPTOR_SIZE) == 0 &&
|
|
- (ctx.flags == policy->flags) &&
|
|
- (ctx.contents_encryption_mode ==
|
|
- policy->contents_encryption_mode) &&
|
|
- (ctx.filenames_encryption_mode ==
|
|
- policy->filenames_encryption_mode));
|
|
+ return memcmp(ctx->master_key_descriptor, policy->master_key_descriptor,
|
|
+ FS_KEY_DESCRIPTOR_SIZE) == 0 &&
|
|
+ (ctx->flags == policy->flags) &&
|
|
+ (ctx->contents_encryption_mode ==
|
|
+ policy->contents_encryption_mode) &&
|
|
+ (ctx->filenames_encryption_mode ==
|
|
+ policy->filenames_encryption_mode);
|
|
}
|
|
|
|
static int create_encryption_context_from_policy(struct inode *inode,
|
|
const struct fscrypt_policy *policy)
|
|
{
|
|
struct fscrypt_context ctx;
|
|
- int res;
|
|
-
|
|
- if (!inode->i_sb->s_cop->set_context)
|
|
- return -EOPNOTSUPP;
|
|
-
|
|
- if (inode->i_sb->s_cop->prepare_context) {
|
|
- res = inode->i_sb->s_cop->prepare_context(inode);
|
|
- if (res)
|
|
- return res;
|
|
- }
|
|
|
|
ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1;
|
|
memcpy(ctx.master_key_descriptor, policy->master_key_descriptor,
|
|
FS_KEY_DESCRIPTOR_SIZE);
|
|
|
|
- if (!fscrypt_valid_contents_enc_mode(
|
|
- policy->contents_encryption_mode)) {
|
|
- printk(KERN_WARNING
|
|
- "%s: Invalid contents encryption mode %d\n", __func__,
|
|
- policy->contents_encryption_mode);
|
|
- return -EINVAL;
|
|
- }
|
|
-
|
|
- if (!fscrypt_valid_filenames_enc_mode(
|
|
- policy->filenames_encryption_mode)) {
|
|
- printk(KERN_WARNING
|
|
- "%s: Invalid filenames encryption mode %d\n", __func__,
|
|
- policy->filenames_encryption_mode);
|
|
+ if (!fscrypt_valid_enc_modes(policy->contents_encryption_mode,
|
|
+ policy->filenames_encryption_mode))
|
|
return -EINVAL;
|
|
- }
|
|
|
|
if (policy->flags & ~FS_POLICY_FLAGS_VALID)
|
|
return -EINVAL;
|
|
@@ -93,16 +54,20 @@ static int create_encryption_context_fro
|
|
return inode->i_sb->s_cop->set_context(inode, &ctx, sizeof(ctx), NULL);
|
|
}
|
|
|
|
-int fscrypt_process_policy(struct file *filp,
|
|
- const struct fscrypt_policy *policy)
|
|
+int fscrypt_ioctl_set_policy(struct file *filp, const void __user *arg)
|
|
{
|
|
+ struct fscrypt_policy policy;
|
|
struct inode *inode = file_inode(filp);
|
|
int ret;
|
|
+ struct fscrypt_context ctx;
|
|
+
|
|
+ if (copy_from_user(&policy, arg, sizeof(policy)))
|
|
+ return -EFAULT;
|
|
|
|
if (!inode_owner_or_capable(inode))
|
|
return -EACCES;
|
|
|
|
- if (policy->version != 0)
|
|
+ if (policy.version != 0)
|
|
return -EINVAL;
|
|
|
|
ret = mnt_want_write_file(filp);
|
|
@@ -111,22 +76,23 @@ int fscrypt_process_policy(struct file *
|
|
|
|
inode_lock(inode);
|
|
|
|
- if (!inode_has_encryption_context(inode)) {
|
|
+ ret = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
|
|
+ if (ret == -ENODATA) {
|
|
if (!S_ISDIR(inode->i_mode))
|
|
ret = -ENOTDIR;
|
|
- else if (!inode->i_sb->s_cop->empty_dir)
|
|
- ret = -EOPNOTSUPP;
|
|
else if (!inode->i_sb->s_cop->empty_dir(inode))
|
|
ret = -ENOTEMPTY;
|
|
else
|
|
ret = create_encryption_context_from_policy(inode,
|
|
- policy);
|
|
- } else if (!is_encryption_context_consistent_with_policy(inode,
|
|
- policy)) {
|
|
- printk(KERN_WARNING
|
|
- "%s: Policy inconsistent with encryption context\n",
|
|
- __func__);
|
|
- ret = -EINVAL;
|
|
+ &policy);
|
|
+ } else if (ret == sizeof(ctx) &&
|
|
+ is_encryption_context_consistent_with_policy(&ctx,
|
|
+ &policy)) {
|
|
+ /* The file already uses the same encryption policy. */
|
|
+ ret = 0;
|
|
+ } else if (ret >= 0 || ret == -ERANGE) {
|
|
+ /* The file already uses a different encryption policy. */
|
|
+ ret = -EEXIST;
|
|
}
|
|
|
|
inode_unlock(inode);
|
|
@@ -134,32 +100,38 @@ int fscrypt_process_policy(struct file *
|
|
mnt_drop_write_file(filp);
|
|
return ret;
|
|
}
|
|
-EXPORT_SYMBOL(fscrypt_process_policy);
|
|
+EXPORT_SYMBOL(fscrypt_ioctl_set_policy);
|
|
|
|
-int fscrypt_get_policy(struct inode *inode, struct fscrypt_policy *policy)
|
|
+int fscrypt_ioctl_get_policy(struct file *filp, void __user *arg)
|
|
{
|
|
+ struct inode *inode = file_inode(filp);
|
|
struct fscrypt_context ctx;
|
|
+ struct fscrypt_policy policy;
|
|
int res;
|
|
|
|
- if (!inode->i_sb->s_cop->get_context ||
|
|
- !inode->i_sb->s_cop->is_encrypted(inode))
|
|
+ if (!IS_ENCRYPTED(inode))
|
|
return -ENODATA;
|
|
|
|
res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
|
|
+ if (res < 0 && res != -ERANGE)
|
|
+ return res;
|
|
if (res != sizeof(ctx))
|
|
- return -ENODATA;
|
|
+ return -EINVAL;
|
|
if (ctx.format != FS_ENCRYPTION_CONTEXT_FORMAT_V1)
|
|
return -EINVAL;
|
|
|
|
- policy->version = 0;
|
|
- policy->contents_encryption_mode = ctx.contents_encryption_mode;
|
|
- policy->filenames_encryption_mode = ctx.filenames_encryption_mode;
|
|
- policy->flags = ctx.flags;
|
|
- memcpy(&policy->master_key_descriptor, ctx.master_key_descriptor,
|
|
+ policy.version = 0;
|
|
+ policy.contents_encryption_mode = ctx.contents_encryption_mode;
|
|
+ policy.filenames_encryption_mode = ctx.filenames_encryption_mode;
|
|
+ policy.flags = ctx.flags;
|
|
+ memcpy(policy.master_key_descriptor, ctx.master_key_descriptor,
|
|
FS_KEY_DESCRIPTOR_SIZE);
|
|
+
|
|
+ if (copy_to_user(arg, &policy, sizeof(policy)))
|
|
+ return -EFAULT;
|
|
return 0;
|
|
}
|
|
-EXPORT_SYMBOL(fscrypt_get_policy);
|
|
+EXPORT_SYMBOL(fscrypt_ioctl_get_policy);
|
|
|
|
/**
|
|
* fscrypt_has_permitted_context() - is a file's encryption policy permitted
|
|
@@ -194,11 +166,11 @@ int fscrypt_has_permitted_context(struct
|
|
return 1;
|
|
|
|
/* No restrictions if the parent directory is unencrypted */
|
|
- if (!cops->is_encrypted(parent))
|
|
+ if (!IS_ENCRYPTED(parent))
|
|
return 1;
|
|
|
|
/* Encrypted directories must not contain unencrypted files */
|
|
- if (!cops->is_encrypted(child))
|
|
+ if (!IS_ENCRYPTED(child))
|
|
return 0;
|
|
|
|
/*
|
|
@@ -258,9 +230,9 @@ EXPORT_SYMBOL(fscrypt_has_permitted_cont
|
|
* @parent: Parent inode from which the context is inherited.
|
|
* @child: Child inode that inherits the context from @parent.
|
|
* @fs_data: private data given by FS.
|
|
- * @preload: preload child i_crypt_info
|
|
+ * @preload: preload child i_crypt_info if true
|
|
*
|
|
- * Return: Zero on success, non-zero otherwise
|
|
+ * Return: 0 on success, -errno on failure
|
|
*/
|
|
int fscrypt_inherit_context(struct inode *parent, struct inode *child,
|
|
void *fs_data, bool preload)
|
|
@@ -269,9 +241,6 @@ int fscrypt_inherit_context(struct inode
|
|
struct fscrypt_info *ci;
|
|
int res;
|
|
|
|
- if (!parent->i_sb->s_cop->set_context)
|
|
- return -EOPNOTSUPP;
|
|
-
|
|
res = fscrypt_get_encryption_info(parent);
|
|
if (res < 0)
|
|
return res;
|
|
@@ -281,19 +250,11 @@ int fscrypt_inherit_context(struct inode
|
|
return -ENOKEY;
|
|
|
|
ctx.format = FS_ENCRYPTION_CONTEXT_FORMAT_V1;
|
|
- if (fscrypt_dummy_context_enabled(parent)) {
|
|
- ctx.contents_encryption_mode = FS_ENCRYPTION_MODE_AES_256_XTS;
|
|
- ctx.filenames_encryption_mode = FS_ENCRYPTION_MODE_AES_256_CTS;
|
|
- ctx.flags = 0;
|
|
- memset(ctx.master_key_descriptor, 0x42, FS_KEY_DESCRIPTOR_SIZE);
|
|
- res = 0;
|
|
- } else {
|
|
- ctx.contents_encryption_mode = ci->ci_data_mode;
|
|
- ctx.filenames_encryption_mode = ci->ci_filename_mode;
|
|
- ctx.flags = ci->ci_flags;
|
|
- memcpy(ctx.master_key_descriptor, ci->ci_master_key,
|
|
- FS_KEY_DESCRIPTOR_SIZE);
|
|
- }
|
|
+ ctx.contents_encryption_mode = ci->ci_data_mode;
|
|
+ ctx.filenames_encryption_mode = ci->ci_filename_mode;
|
|
+ ctx.flags = ci->ci_flags;
|
|
+ memcpy(ctx.master_key_descriptor, ci->ci_master_key,
|
|
+ FS_KEY_DESCRIPTOR_SIZE);
|
|
get_random_bytes(ctx.nonce, FS_KEY_DERIVATION_NONCE_SIZE);
|
|
res = parent->i_sb->s_cop->set_context(child, &ctx,
|
|
sizeof(ctx), fs_data);
|