Commit addd65ad authored by Michael Halcrow's avatar Michael Halcrow Committed by Linus Torvalds

eCryptfs: Filename Encryption: filldir, lookup, and readlink

Make the requisite modifications to ecryptfs_filldir(), ecryptfs_lookup(),
and ecryptfs_readlink() to call out to filename encryption functions.
Propagate filename encryption policy flags from mount-wide crypt_stat to
inode crypt_stat.
Signed-off-by: default avatarMichael Halcrow <mhalcrow@us.ibm.com>
Cc: Dustin Kirkland <dustin.kirkland@gmail.com>
Cc: Eric Sandeen <sandeen@redhat.com>
Cc: Tyler Hicks <tchicks@us.ibm.com>
Cc: David Kleikamp <shaggy@us.ibm.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 51ca58dc
...@@ -924,6 +924,15 @@ static void ecryptfs_copy_mount_wide_flags_to_inode_flags( ...@@ -924,6 +924,15 @@ static void ecryptfs_copy_mount_wide_flags_to_inode_flags(
crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR; crypt_stat->flags |= ECRYPTFS_METADATA_IN_XATTR;
if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) if (mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED; crypt_stat->flags |= ECRYPTFS_VIEW_AS_ENCRYPTED;
if (mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) {
crypt_stat->flags |= ECRYPTFS_ENCRYPT_FILENAMES;
if (mount_crypt_stat->flags
& ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK)
crypt_stat->flags |= ECRYPTFS_ENCFN_USE_MOUNT_FNEK;
else if (mount_crypt_stat->flags
& ECRYPTFS_GLOBAL_ENCFN_USE_FEK)
crypt_stat->flags |= ECRYPTFS_ENCFN_USE_FEK;
}
} }
static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs( static int ecryptfs_copy_mount_wide_sigs_to_inode_sigs(
...@@ -1060,7 +1069,8 @@ struct ecryptfs_flag_map_elem { ...@@ -1060,7 +1069,8 @@ struct ecryptfs_flag_map_elem {
static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = { static struct ecryptfs_flag_map_elem ecryptfs_flag_map[] = {
{0x00000001, ECRYPTFS_ENABLE_HMAC}, {0x00000001, ECRYPTFS_ENABLE_HMAC},
{0x00000002, ECRYPTFS_ENCRYPTED}, {0x00000002, ECRYPTFS_ENCRYPTED},
{0x00000004, ECRYPTFS_METADATA_IN_XATTR} {0x00000004, ECRYPTFS_METADATA_IN_XATTR},
{0x00000008, ECRYPTFS_ENCRYPT_FILENAMES}
}; };
/** /**
...@@ -1213,6 +1223,8 @@ int ecryptfs_read_and_validate_header_region(char *data, ...@@ -1213,6 +1223,8 @@ int ecryptfs_read_and_validate_header_region(char *data,
&(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat); &(ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat);
int rc; int rc;
if (crypt_stat->extent_size == 0)
crypt_stat->extent_size = ECRYPTFS_DEFAULT_EXTENT_SIZE;
rc = ecryptfs_read_lower(data, 0, crypt_stat->extent_size, rc = ecryptfs_read_lower(data, 0, crypt_stat->extent_size,
ecryptfs_inode); ecryptfs_inode);
if (rc) { if (rc) {
...@@ -1222,7 +1234,6 @@ int ecryptfs_read_and_validate_header_region(char *data, ...@@ -1222,7 +1234,6 @@ int ecryptfs_read_and_validate_header_region(char *data,
} }
if (!contains_ecryptfs_marker(data + ECRYPTFS_FILE_SIZE_BYTES)) { if (!contains_ecryptfs_marker(data + ECRYPTFS_FILE_SIZE_BYTES)) {
rc = -EINVAL; rc = -EINVAL;
ecryptfs_printk(KERN_DEBUG, "Valid marker not found\n");
} }
out: out:
return rc; return rc;
...@@ -1628,98 +1639,6 @@ out: ...@@ -1628,98 +1639,6 @@ out:
return rc; return rc;
} }
/**
* ecryptfs_encode_filename - converts a plaintext file name to cipher text
* @crypt_stat: The crypt_stat struct associated with the file anem to encode
* @name: The plaintext name
* @length: The length of the plaintext
* @encoded_name: The encypted name
*
* Encrypts and encodes a filename into something that constitutes a
* valid filename for a filesystem, with printable characters.
*
* We assume that we have a properly initialized crypto context,
* pointed to by crypt_stat->tfm.
*
* TODO: Implement filename decoding and decryption here, in place of
* memcpy. We are keeping the framework around for now to (1)
* facilitate testing of the components needed to implement filename
* encryption and (2) to provide a code base from which other
* developers in the community can easily implement this feature.
*
* Returns the length of encoded filename; negative if error
*/
int
ecryptfs_encode_filename(struct ecryptfs_crypt_stat *crypt_stat,
const char *name, int length, char **encoded_name)
{
int error = 0;
(*encoded_name) = kmalloc(length + 2, GFP_KERNEL);
if (!(*encoded_name)) {
error = -ENOMEM;
goto out;
}
/* TODO: Filename encryption is a scheduled feature for a
* future version of eCryptfs. This function is here only for
* the purpose of providing a framework for other developers
* to easily implement filename encryption. Hint: Replace this
* memcpy() with a call to encrypt and encode the
* filename, the set the length accordingly. */
memcpy((void *)(*encoded_name), (void *)name, length);
(*encoded_name)[length] = '\0';
error = length + 1;
out:
return error;
}
/**
* ecryptfs_decode_filename - converts the cipher text name to plaintext
* @crypt_stat: The crypt_stat struct associated with the file
* @name: The filename in cipher text
* @length: The length of the cipher text name
* @decrypted_name: The plaintext name
*
* Decodes and decrypts the filename.
*
* We assume that we have a properly initialized crypto context,
* pointed to by crypt_stat->tfm.
*
* TODO: Implement filename decoding and decryption here, in place of
* memcpy. We are keeping the framework around for now to (1)
* facilitate testing of the components needed to implement filename
* encryption and (2) to provide a code base from which other
* developers in the community can easily implement this feature.
*
* Returns the length of decoded filename; negative if error
*/
int
ecryptfs_decode_filename(struct ecryptfs_crypt_stat *crypt_stat,
const char *name, int length, char **decrypted_name)
{
int error = 0;
(*decrypted_name) = kmalloc(length + 2, GFP_KERNEL);
if (!(*decrypted_name)) {
error = -ENOMEM;
goto out;
}
/* TODO: Filename encryption is a scheduled feature for a
* future version of eCryptfs. This function is here only for
* the purpose of providing a framework for other developers
* to easily implement filename encryption. Hint: Replace this
* memcpy() with a call to decode and decrypt the
* filename, the set the length accordingly. */
memcpy((void *)(*decrypted_name), (void *)name, length);
(*decrypted_name)[length + 1] = '\0'; /* Only for convenience
* in printing out the
* string in debug
* messages */
error = length;
out:
return error;
}
/** /**
* ecryptfs_encrypt_filename - encrypt filename * ecryptfs_encrypt_filename - encrypt filename
* *
......
...@@ -627,12 +627,6 @@ int ecryptfs_decode_and_decrypt_filename(char **decrypted_name, ...@@ -627,12 +627,6 @@ int ecryptfs_decode_and_decrypt_filename(char **decrypted_name,
struct dentry *ecryptfs_dentry, struct dentry *ecryptfs_dentry,
const char *name, size_t name_size); const char *name, size_t name_size);
int ecryptfs_fill_zeros(struct file *file, loff_t new_length); int ecryptfs_fill_zeros(struct file *file, loff_t new_length);
int ecryptfs_decode_filename(struct ecryptfs_crypt_stat *crypt_stat,
const char *name, int length,
char **decrypted_name);
int ecryptfs_encode_filename(struct ecryptfs_crypt_stat *crypt_stat,
const char *name, int length,
char **encoded_name);
int ecryptfs_encrypt_and_encode_filename( int ecryptfs_encrypt_and_encode_filename(
char **encoded_name, char **encoded_name,
size_t *encoded_name_size, size_t *encoded_name_size,
......
...@@ -77,27 +77,27 @@ struct ecryptfs_getdents_callback { ...@@ -77,27 +77,27 @@ struct ecryptfs_getdents_callback {
/* Inspired by generic filldir in fs/readdir.c */ /* Inspired by generic filldir in fs/readdir.c */
static int static int
ecryptfs_filldir(void *dirent, const char *name, int namelen, loff_t offset, ecryptfs_filldir(void *dirent, const char *lower_name, int lower_namelen,
u64 ino, unsigned int d_type) loff_t offset, u64 ino, unsigned int d_type)
{ {
struct ecryptfs_crypt_stat *crypt_stat;
struct ecryptfs_getdents_callback *buf = struct ecryptfs_getdents_callback *buf =
(struct ecryptfs_getdents_callback *)dirent; (struct ecryptfs_getdents_callback *)dirent;
int name_size;
char *name;
int rc; int rc;
int decoded_length;
char *decoded_name;
crypt_stat = ecryptfs_dentry_to_private(buf->dentry)->crypt_stat;
buf->filldir_called++; buf->filldir_called++;
decoded_length = ecryptfs_decode_filename(crypt_stat, name, namelen, rc = ecryptfs_decode_and_decrypt_filename(&name, &name_size,
&decoded_name); buf->dentry, lower_name,
if (decoded_length < 0) { lower_namelen);
rc = decoded_length; if (rc) {
printk(KERN_ERR "%s: Error attempting to decode and decrypt "
"filename [%s]; rc = [%d]\n", __func__, lower_name,
rc);
goto out; goto out;
} }
rc = buf->filldir(buf->dirent, decoded_name, decoded_length, offset, rc = buf->filldir(buf->dirent, name, name_size, offset, ino, d_type);
ino, d_type); kfree(name);
kfree(decoded_name);
if (rc >= 0) if (rc >= 0)
buf->entries_written++; buf->entries_written++;
out: out:
...@@ -106,8 +106,8 @@ out: ...@@ -106,8 +106,8 @@ out:
/** /**
* ecryptfs_readdir * ecryptfs_readdir
* @file: The ecryptfs file struct * @file: The eCryptfs directory file
* @dirent: Directory entry * @dirent: Directory entry handle
* @filldir: The filldir callback function * @filldir: The filldir callback function
*/ */
static int ecryptfs_readdir(struct file *file, void *dirent, filldir_t filldir) static int ecryptfs_readdir(struct file *file, void *dirent, filldir_t filldir)
......
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment