24a2d90393
Pull f2fs update from Jaegeuk Kim: "In this round, we've mainly focused on performance tuning and critical bug fixes occurred in low-end devices. Sheng Yong introduced lost_found feature to keep missing files during recovery instead of thrashing them. We're preparing coming fsverity implementation. And, we've got more features to communicate with users for better performance. In low-end devices, some memory-related issues were fixed, and subtle race condtions and corner cases were addressed as well. Enhancements: - large nat bitmaps for more free node ids - add three block allocation policies to pass down write hints given by user - expose extension list to user and introduce hot file extension - tune small devices seamlessly for low-end devices - set readdir_ra by default - give more resources under gc_urgent mode regarding to discard and cleaning - introduce fsync_mode to enforce posix or not - nowait aio support - add lost_found feature to keep dangling inodes - reserve bits for future fsverity feature - add test_dummy_encryption for FBE Bug fixes: - don't use highmem for dentry pages - align memory boundary for bitops - truncate preallocated blocks in write errors - guarantee i_times on fsync call - clear CP_TRIMMED_FLAG correctly - prevent node chain loop during recovery - avoid data race between atomic write and background cleaning - avoid unnecessary selinux violation warnings on resgid option - GFP_NOFS to avoid deadlock in quota and read paths - fix f2fs_skip_inode_update to allow i_size recovery In addition to the above, there are several minor bug fixes and clean-ups" Cherry-pick from origin/upstream-f2fs-stable-linux-4.4.y:42bf67fc54f2fs: remain written times to update inode during fsync6cb5aa02bff2fs: make assignment of t->dentry_bitmap more readablea8d07f1f9cf2fs: truncate preallocated blocks in error case86444d6006f2fs: fix a wrong condition in f2fs_skip_inode_updatedb2188a687f2fs: reserve bits for fs-verityee2e74b3f0f2fs: Add a segment type check in inplace write0192e0a450f2fs: no need to initialize zero value for GFP_F2FS_ZERO49338842e9f2fs: don't track new nat entry in nat setd6a69d5e65f2fs: clean up with F2FS_BLK_ALIGN2c8834a7a2f2fs: check blkaddr more accuratly before issue a bio6ab573a9d9f2fs: Set GF_NOFS in read_cache_page_gfp while doing f2fs_quota_read7419dcb8bef2fs: introduce a new mount option test_dummy_encryption9321e22c03f2fs: introduce F2FS_FEATURE_LOST_FOUND feature8a57196158f2fs: release locks before return in f2fs_ioc_gc_range()739ace131cf2fs: align memory boundary for bitops4c55abe4f8f2fs: remove unneeded set_cold_node()30654507e0f2fs: add nowait aio supportd909e94106f2fs: wrap all options with f2fs_sb_info.mount_opt5738be52b3f2fs: Don't overwrite all types of node to keep node chain0bdeb167c8f2fs: introduce mount option for fsync mode6bc490f0eef2fs: fix to restore old mount option in ->remount_fs0c9c3e0344f2fs: wrap sb_rdonly with f2fs_readonly6c6611223af2fs: avoid selinux denial on CAP_SYS_RESOURCE076a6f32fef2fs: support hot file extension58edcdbca6f2fs: fix to avoid race in between atomic write and background GC1e0aeb0af9f2fs: do gc in greedy mode for whole range if gc_urgent mode is set10b2d001d6f2fs: issue discard aggressively in the gc_urgent modea5052f32b9f2fs: set readdir_ra by default1aa536a624f2fs: add auto tuning for small devices0ffdffc8f1f2fs: add mount option for segment allocation policyb798298912f2fs: don't stop GC if GC is contended766d232169f2fs: expose extension_list sysfs entry98b329de50f2fs: fix to set KEEP_SIZE bit in f2fs_zero_range4d409fa334f2fs: introduce sb_lock to make encrypt pwsalt update exclusive1f6bac14c1f2fs: remove redundant initialization of pointer 'p'946aefc754f2fs: flush cp pack except cp pack 2 page at firste5081a52acf2fs: clean up f2fs_sb_has_xxx functionsa292477154f2fs: remove redundant check of page type when submit bio190e64a819f2fs: fix to handle looped node chain during recovery889d980876f2fs: handle quota for orphan inodes92b12bb1a2f2fs: support passing down write hints to block layer with F2FS policy22fa74c2b0f2fs: support passing down write hints given by users to block layer180900373ef2fs: fix to clear CP_TRIMMED_FLAG0671fae134f2fs: support large nat bitmapeceb943d5df2fs: fix to check extent cache in f2fs_drop_extent_tree2e2a339c98f2fs: restrict inline_xattr_size configuration41dda11641f2fs: fix heap mode to reset it back39575737bbf2fs: fix potential corruption in area before F2FS_SUPER_OFFSET7e0e7995eefscrypt: fix build with pre-4.6 gcc versions31d3279a4ffscrypt: fix up fscrypt_fname_encrypted_size() for internal use82bec88856fscrypt: define fscrypt_fname_alloc_buffer() to be for presented names168a907828fscrypt: calculate NUL-padding length in one place only042ae9f4cffscrypt: move fscrypt_symlink_data to fscrypt_private.hf9550c24c2fscrypt: remove fscrypt_fname_usr_to_disk()7ac4756a24f2fs: switch to fscrypt_get_symlink()6b76f58e24f2fs: switch to fscrypt ->symlink() helper functionsfd457d2c4efscrypt: new helper function - fscrypt_get_symlink()a1cdacb7aefscrypt: new helper functions for ->symlink()7f43602f4dfscrypt: trim down fscrypt.h includesd9cadc11bdfscrypt: move fscrypt_is_dot_dotdot() to fs/crypto/fname.ce6fe930580fscrypt: move fscrypt_valid_enc_modes() to fscrypt_private.hefefa434f4fscrypt: move fscrypt_operations declaration to fscrypt_supp.h7ed178bc8afscrypt: split fscrypt_dummy_context_enabled() into supp/notsupp versions3f16e09dadfscrypt: move fscrypt_ctx declaration to fscrypt_supp.h8216a0b51afscrypt: move fscrypt_info_cachep declaration to fscrypt_private.hdfe0b3b1b6fscrypt: move fscrypt_control_page() to supp/notsupp headers3a2c791778fscrypt: move fscrypt_has_encryption_key() to supp/notsupp headers Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
250 lines
9.1 KiB
C
250 lines
9.1 KiB
C
/*
|
|
* fscrypt.h: declarations for per-file encryption
|
|
*
|
|
* Filesystems that implement per-file encryption include this header
|
|
* file with the __FS_HAS_ENCRYPTION set according to whether that filesystem
|
|
* is being built with encryption support or not.
|
|
*
|
|
* Copyright (C) 2015, Google, Inc.
|
|
*
|
|
* Written by Michael Halcrow, 2015.
|
|
* Modified by Jaegeuk Kim, 2015.
|
|
*/
|
|
#ifndef _LINUX_FSCRYPT_H
|
|
#define _LINUX_FSCRYPT_H
|
|
|
|
#include <linux/fs.h>
|
|
|
|
#define FS_CRYPTO_BLOCK_SIZE 16
|
|
|
|
struct fscrypt_ctx;
|
|
struct fscrypt_info;
|
|
|
|
struct fscrypt_str {
|
|
unsigned char *name;
|
|
u32 len;
|
|
};
|
|
|
|
struct fscrypt_name {
|
|
const struct qstr *usr_fname;
|
|
struct fscrypt_str disk_name;
|
|
u32 hash;
|
|
u32 minor_hash;
|
|
struct fscrypt_str crypto_buf;
|
|
};
|
|
|
|
#define FSTR_INIT(n, l) { .name = n, .len = l }
|
|
#define FSTR_TO_QSTR(f) QSTR_INIT((f)->name, (f)->len)
|
|
#define fname_name(p) ((p)->disk_name.name)
|
|
#define fname_len(p) ((p)->disk_name.len)
|
|
|
|
#if __FS_HAS_ENCRYPTION
|
|
#include <linux/fscrypt_supp.h>
|
|
#else
|
|
#include <linux/fscrypt_notsupp.h>
|
|
#endif
|
|
|
|
/**
|
|
* fscrypt_require_key - require an inode's encryption key
|
|
* @inode: the inode we need the key for
|
|
*
|
|
* If the inode is encrypted, set up its encryption key if not already done.
|
|
* Then require that the key be present and return -ENOKEY otherwise.
|
|
*
|
|
* No locks are needed, and the key will live as long as the struct inode --- so
|
|
* it won't go away from under you.
|
|
*
|
|
* Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
|
|
* if a problem occurred while setting up the encryption key.
|
|
*/
|
|
static inline int fscrypt_require_key(struct inode *inode)
|
|
{
|
|
if (IS_ENCRYPTED(inode)) {
|
|
int err = fscrypt_get_encryption_info(inode);
|
|
|
|
if (err)
|
|
return err;
|
|
if (!fscrypt_has_encryption_key(inode))
|
|
return -ENOKEY;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* fscrypt_prepare_link - prepare to link an inode into a possibly-encrypted directory
|
|
* @old_dentry: an existing dentry for the inode being linked
|
|
* @dir: the target directory
|
|
* @dentry: negative dentry for the target filename
|
|
*
|
|
* A new link can only be added to an encrypted directory if the directory's
|
|
* encryption key is available --- since otherwise we'd have no way to encrypt
|
|
* the filename. Therefore, we first set up the directory's encryption key (if
|
|
* not already done) and return an error if it's unavailable.
|
|
*
|
|
* We also verify that the link will not violate the constraint that all files
|
|
* in an encrypted directory tree use the same encryption policy.
|
|
*
|
|
* Return: 0 on success, -ENOKEY if the directory's encryption key is missing,
|
|
* -EPERM if the link would result in an inconsistent encryption policy, or
|
|
* another -errno code.
|
|
*/
|
|
static inline int fscrypt_prepare_link(struct dentry *old_dentry,
|
|
struct inode *dir,
|
|
struct dentry *dentry)
|
|
{
|
|
if (IS_ENCRYPTED(dir))
|
|
return __fscrypt_prepare_link(d_inode(old_dentry), dir);
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* fscrypt_prepare_rename - prepare for a rename between possibly-encrypted directories
|
|
* @old_dir: source directory
|
|
* @old_dentry: dentry for source file
|
|
* @new_dir: target directory
|
|
* @new_dentry: dentry for target location (may be negative unless exchanging)
|
|
* @flags: rename flags (we care at least about %RENAME_EXCHANGE)
|
|
*
|
|
* Prepare for ->rename() where the source and/or target directories may be
|
|
* encrypted. A new link can only be added to an encrypted directory if the
|
|
* directory's encryption key is available --- since otherwise we'd have no way
|
|
* to encrypt the filename. A rename to an existing name, on the other hand,
|
|
* *is* cryptographically possible without the key. However, we take the more
|
|
* conservative approach and just forbid all no-key renames.
|
|
*
|
|
* We also verify that the rename will not violate the constraint that all files
|
|
* in an encrypted directory tree use the same encryption policy.
|
|
*
|
|
* Return: 0 on success, -ENOKEY if an encryption key is missing, -EPERM if the
|
|
* rename would cause inconsistent encryption policies, or another -errno code.
|
|
*/
|
|
static inline int fscrypt_prepare_rename(struct inode *old_dir,
|
|
struct dentry *old_dentry,
|
|
struct inode *new_dir,
|
|
struct dentry *new_dentry,
|
|
unsigned int flags)
|
|
{
|
|
if (IS_ENCRYPTED(old_dir) || IS_ENCRYPTED(new_dir))
|
|
return __fscrypt_prepare_rename(old_dir, old_dentry,
|
|
new_dir, new_dentry, flags);
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* fscrypt_prepare_lookup - prepare to lookup a name in a possibly-encrypted directory
|
|
* @dir: directory being searched
|
|
* @dentry: filename being looked up
|
|
* @flags: lookup flags
|
|
*
|
|
* Prepare for ->lookup() in a directory which may be encrypted. Lookups can be
|
|
* done with or without the directory's encryption key; without the key,
|
|
* filenames are presented in encrypted form. Therefore, we'll try to set up
|
|
* the directory's encryption key, but even without it the lookup can continue.
|
|
*
|
|
* To allow invalidating stale dentries if the directory's encryption key is
|
|
* added later, we also install a custom ->d_revalidate() method and use the
|
|
* DCACHE_ENCRYPTED_WITH_KEY flag to indicate whether a given dentry is a
|
|
* plaintext name (flag set) or a ciphertext name (flag cleared).
|
|
*
|
|
* Return: 0 on success, -errno if a problem occurred while setting up the
|
|
* encryption key
|
|
*/
|
|
static inline int fscrypt_prepare_lookup(struct inode *dir,
|
|
struct dentry *dentry,
|
|
unsigned int flags)
|
|
{
|
|
if (IS_ENCRYPTED(dir))
|
|
return __fscrypt_prepare_lookup(dir, dentry);
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* fscrypt_prepare_setattr - prepare to change a possibly-encrypted inode's attributes
|
|
* @dentry: dentry through which the inode is being changed
|
|
* @attr: attributes to change
|
|
*
|
|
* Prepare for ->setattr() on a possibly-encrypted inode. On an encrypted file,
|
|
* most attribute changes are allowed even without the encryption key. However,
|
|
* without the encryption key we do have to forbid truncates. This is needed
|
|
* because the size being truncated to may not be a multiple of the filesystem
|
|
* block size, and in that case we'd have to decrypt the final block, zero the
|
|
* portion past i_size, and re-encrypt it. (We *could* allow truncating to a
|
|
* filesystem block boundary, but it's simpler to just forbid all truncates ---
|
|
* and we already forbid all other contents modifications without the key.)
|
|
*
|
|
* Return: 0 on success, -ENOKEY if the key is missing, or another -errno code
|
|
* if a problem occurred while setting up the encryption key.
|
|
*/
|
|
static inline int fscrypt_prepare_setattr(struct dentry *dentry,
|
|
struct iattr *attr)
|
|
{
|
|
if (attr->ia_valid & ATTR_SIZE)
|
|
return fscrypt_require_key(d_inode(dentry));
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* fscrypt_prepare_symlink - prepare to create a possibly-encrypted symlink
|
|
* @dir: directory in which the symlink is being created
|
|
* @target: plaintext symlink target
|
|
* @len: length of @target excluding null terminator
|
|
* @max_len: space the filesystem has available to store the symlink target
|
|
* @disk_link: (out) the on-disk symlink target being prepared
|
|
*
|
|
* This function computes the size the symlink target will require on-disk,
|
|
* stores it in @disk_link->len, and validates it against @max_len. An
|
|
* encrypted symlink may be longer than the original.
|
|
*
|
|
* Additionally, @disk_link->name is set to @target if the symlink will be
|
|
* unencrypted, but left NULL if the symlink will be encrypted. For encrypted
|
|
* symlinks, the filesystem must call fscrypt_encrypt_symlink() to create the
|
|
* on-disk target later. (The reason for the two-step process is that some
|
|
* filesystems need to know the size of the symlink target before creating the
|
|
* inode, e.g. to determine whether it will be a "fast" or "slow" symlink.)
|
|
*
|
|
* Return: 0 on success, -ENAMETOOLONG if the symlink target is too long,
|
|
* -ENOKEY if the encryption key is missing, or another -errno code if a problem
|
|
* occurred while setting up the encryption key.
|
|
*/
|
|
static inline int fscrypt_prepare_symlink(struct inode *dir,
|
|
const char *target,
|
|
unsigned int len,
|
|
unsigned int max_len,
|
|
struct fscrypt_str *disk_link)
|
|
{
|
|
if (IS_ENCRYPTED(dir) || fscrypt_dummy_context_enabled(dir))
|
|
return __fscrypt_prepare_symlink(dir, len, max_len, disk_link);
|
|
|
|
disk_link->name = (unsigned char *)target;
|
|
disk_link->len = len + 1;
|
|
if (disk_link->len > max_len)
|
|
return -ENAMETOOLONG;
|
|
return 0;
|
|
}
|
|
|
|
/**
|
|
* fscrypt_encrypt_symlink - encrypt the symlink target if needed
|
|
* @inode: symlink inode
|
|
* @target: plaintext symlink target
|
|
* @len: length of @target excluding null terminator
|
|
* @disk_link: (in/out) the on-disk symlink target being prepared
|
|
*
|
|
* If the symlink target needs to be encrypted, then this function encrypts it
|
|
* into @disk_link->name. fscrypt_prepare_symlink() must have been called
|
|
* previously to compute @disk_link->len. If the filesystem did not allocate a
|
|
* buffer for @disk_link->name after calling fscrypt_prepare_link(), then one
|
|
* will be kmalloc()'ed and the filesystem will be responsible for freeing it.
|
|
*
|
|
* Return: 0 on success, -errno on failure
|
|
*/
|
|
static inline int fscrypt_encrypt_symlink(struct inode *inode,
|
|
const char *target,
|
|
unsigned int len,
|
|
struct fscrypt_str *disk_link)
|
|
{
|
|
if (IS_ENCRYPTED(inode))
|
|
return __fscrypt_encrypt_symlink(inode, target, len, disk_link);
|
|
return 0;
|
|
}
|
|
|
|
#endif /* _LINUX_FSCRYPT_H */
|