f2fs crypto: activate encryption support for fs APIs
This patch activates the following APIs for encryption support. The rules quoted by ext4 are: - An unencrypted directory may contain encrypted or unencrypted files or directories. - All files or directories in a directory must be protected using the same key as their containing directory. - Encrypted inode for regular file should not have inline_data. - Encrypted symlink and directory may have inline_data and inline_dentry. This patch activates the following APIs. 1. f2fs_link : validate context 2. f2fs_lookup : '' 3. f2fs_rename : '' 4. f2fs_create/f2fs_mkdir : inherit its dir's context 5. f2fs_direct_IO : do buffered io for regular files 6. f2fs_open : check encryption info 7. f2fs_file_mmap : '' 8. f2fs_setattr : '' 9. f2fs_file_write_iter : '' (Called by sys_io_submit) 10. f2fs_fallocate : do not support fcollapse 11. f2fs_evict_inode : free_encryption_info Signed-off-by: Michael Halcrow <mhalcrow@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
This commit is contained in:
parent
6b3bd08f93
commit
fcc85a4d86
|
@ -1982,6 +1982,9 @@ static ssize_t f2fs_direct_IO(struct kiocb *iocb, struct iov_iter *iter,
|
|||
return err;
|
||||
}
|
||||
|
||||
if (f2fs_encrypted_inode(inode) && S_ISREG(inode->i_mode))
|
||||
return 0;
|
||||
|
||||
if (check_direct_IO(inode, iter, offset))
|
||||
return 0;
|
||||
|
||||
|
|
|
@ -390,6 +390,12 @@ struct page *init_inode_metadata(struct inode *inode, struct inode *dir,
|
|||
err = f2fs_init_security(inode, dir, name, page);
|
||||
if (err)
|
||||
goto put_error;
|
||||
|
||||
if (f2fs_encrypted_inode(dir) && f2fs_may_encrypt(inode)) {
|
||||
err = f2fs_inherit_context(dir, inode, page);
|
||||
if (err)
|
||||
goto put_error;
|
||||
}
|
||||
} else {
|
||||
page = get_node_page(F2FS_I_SB(dir), inode->i_ino);
|
||||
if (IS_ERR(page))
|
||||
|
|
|
@ -1975,6 +1975,17 @@ static inline int f2fs_sb_has_crypto(struct super_block *sb)
|
|||
#endif
|
||||
}
|
||||
|
||||
static inline bool f2fs_may_encrypt(struct inode *inode)
|
||||
{
|
||||
#ifdef CONFIG_F2FS_FS_ENCRYPTION
|
||||
mode_t mode = inode->i_mode;
|
||||
|
||||
return (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode));
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* crypto_policy.c */
|
||||
int f2fs_is_child_context_consistent_with_parent(struct inode *,
|
||||
struct inode *);
|
||||
|
|
|
@ -408,6 +408,12 @@ static int f2fs_file_mmap(struct file *file, struct vm_area_struct *vma)
|
|||
{
|
||||
struct inode *inode = file_inode(file);
|
||||
|
||||
if (f2fs_encrypted_inode(inode)) {
|
||||
int err = f2fs_get_encryption_info(inode);
|
||||
if (err)
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* we don't need to use inline_data strictly */
|
||||
if (f2fs_has_inline_data(inode)) {
|
||||
int err = f2fs_convert_inline_inode(inode);
|
||||
|
@ -420,6 +426,18 @@ static int f2fs_file_mmap(struct file *file, struct vm_area_struct *vma)
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int f2fs_file_open(struct inode *inode, struct file *filp)
|
||||
{
|
||||
int ret = generic_file_open(inode, filp);
|
||||
|
||||
if (!ret && f2fs_encrypted_inode(inode)) {
|
||||
ret = f2fs_get_encryption_info(inode);
|
||||
if (ret)
|
||||
ret = -EACCES;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
int truncate_data_blocks_range(struct dnode_of_data *dn, int count)
|
||||
{
|
||||
int nr_free = 0, ofs = dn->ofs_in_node;
|
||||
|
@ -627,6 +645,10 @@ int f2fs_setattr(struct dentry *dentry, struct iattr *attr)
|
|||
return err;
|
||||
|
||||
if (attr->ia_valid & ATTR_SIZE) {
|
||||
if (f2fs_encrypted_inode(inode) &&
|
||||
f2fs_get_encryption_info(inode))
|
||||
return -EACCES;
|
||||
|
||||
if (attr->ia_size != i_size_read(inode)) {
|
||||
truncate_setsize(inode, attr->ia_size);
|
||||
f2fs_truncate(inode);
|
||||
|
@ -1061,6 +1083,9 @@ static long f2fs_fallocate(struct file *file, int mode,
|
|||
struct inode *inode = file_inode(file);
|
||||
long ret = 0;
|
||||
|
||||
if (f2fs_encrypted_inode(inode) && (mode & FALLOC_FL_COLLAPSE_RANGE))
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE |
|
||||
FALLOC_FL_COLLAPSE_RANGE | FALLOC_FL_ZERO_RANGE))
|
||||
return -EOPNOTSUPP;
|
||||
|
@ -1468,6 +1493,18 @@ long f2fs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
|
|||
}
|
||||
}
|
||||
|
||||
static ssize_t f2fs_file_write_iter(struct kiocb *iocb, struct iov_iter *from)
|
||||
{
|
||||
struct inode *inode = file_inode(iocb->ki_filp);
|
||||
|
||||
if (f2fs_encrypted_inode(inode) &&
|
||||
!f2fs_has_encryption_key(inode) &&
|
||||
f2fs_get_encryption_info(inode))
|
||||
return -EACCES;
|
||||
|
||||
return generic_file_write_iter(iocb, from);
|
||||
}
|
||||
|
||||
#ifdef CONFIG_COMPAT
|
||||
long f2fs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
|
||||
{
|
||||
|
@ -1488,8 +1525,8 @@ long f2fs_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
|
|||
const struct file_operations f2fs_file_operations = {
|
||||
.llseek = f2fs_llseek,
|
||||
.read_iter = generic_file_read_iter,
|
||||
.write_iter = generic_file_write_iter,
|
||||
.open = generic_file_open,
|
||||
.write_iter = f2fs_file_write_iter,
|
||||
.open = f2fs_file_open,
|
||||
.release = f2fs_release_file,
|
||||
.mmap = f2fs_file_mmap,
|
||||
.fsync = f2fs_sync_file,
|
||||
|
|
|
@ -27,6 +27,9 @@ bool f2fs_may_inline_data(struct inode *inode)
|
|||
if (i_size_read(inode) > MAX_INLINE_DATA)
|
||||
return false;
|
||||
|
||||
if (f2fs_encrypted_inode(inode) && S_ISREG(inode->i_mode))
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
|
@ -359,6 +359,10 @@ no_delete:
|
|||
if (is_inode_flag_set(F2FS_I(inode), FI_UPDATE_WRITE))
|
||||
add_dirty_inode(sbi, inode->i_ino, UPDATE_INO);
|
||||
out_clear:
|
||||
#ifdef CONFIG_F2FS_FS_ENCRYPTION
|
||||
if (F2FS_I(inode)->i_crypt_info)
|
||||
f2fs_free_encryption_info(inode);
|
||||
#endif
|
||||
clear_inode(inode);
|
||||
}
|
||||
|
||||
|
|
|
@ -56,6 +56,10 @@ static struct inode *f2fs_new_inode(struct inode *dir, umode_t mode)
|
|||
goto out;
|
||||
}
|
||||
|
||||
/* If the directory encrypted, then we should encrypt the inode. */
|
||||
if (f2fs_encrypted_inode(dir) && f2fs_may_encrypt(inode))
|
||||
f2fs_set_encrypted_inode(inode);
|
||||
|
||||
if (f2fs_may_inline_data(inode))
|
||||
set_inode_flag(F2FS_I(inode), FI_INLINE_DATA);
|
||||
if (f2fs_may_inline_dentry(inode))
|
||||
|
@ -157,6 +161,10 @@ static int f2fs_link(struct dentry *old_dentry, struct inode *dir,
|
|||
struct f2fs_sb_info *sbi = F2FS_I_SB(dir);
|
||||
int err;
|
||||
|
||||
if (f2fs_encrypted_inode(dir) &&
|
||||
!f2fs_is_child_context_consistent_with_parent(dir, inode))
|
||||
return -EPERM;
|
||||
|
||||
f2fs_balance_fs(sbi);
|
||||
|
||||
inode->i_ctime = CURRENT_TIME;
|
||||
|
@ -235,6 +243,7 @@ static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry,
|
|||
struct f2fs_dir_entry *de;
|
||||
struct page *page;
|
||||
nid_t ino;
|
||||
int err = 0;
|
||||
|
||||
if (dentry->d_name.len > F2FS_NAME_LEN)
|
||||
return ERR_PTR(-ENAMETOOLONG);
|
||||
|
@ -251,16 +260,26 @@ static struct dentry *f2fs_lookup(struct inode *dir, struct dentry *dentry,
|
|||
if (IS_ERR(inode))
|
||||
return ERR_CAST(inode);
|
||||
|
||||
if (f2fs_has_inline_dots(inode)) {
|
||||
int err;
|
||||
if (f2fs_encrypted_inode(dir) && f2fs_may_encrypt(inode) &&
|
||||
!f2fs_is_child_context_consistent_with_parent(dir, inode)) {
|
||||
iput(inode);
|
||||
f2fs_msg(inode->i_sb, KERN_WARNING,
|
||||
"Inconsistent encryption contexts: %lu/%lu\n",
|
||||
(unsigned long)dir->i_ino,
|
||||
(unsigned long)inode->i_ino);
|
||||
return ERR_PTR(-EPERM);
|
||||
}
|
||||
|
||||
if (f2fs_has_inline_dots(inode)) {
|
||||
err = __recover_dot_dentries(inode, dir->i_ino);
|
||||
if (err) {
|
||||
iget_failed(inode);
|
||||
return ERR_PTR(err);
|
||||
}
|
||||
if (err)
|
||||
goto err_out;
|
||||
}
|
||||
return d_splice_alias(inode, dentry);
|
||||
|
||||
err_out:
|
||||
iget_failed(inode);
|
||||
return ERR_PTR(err);
|
||||
}
|
||||
|
||||
static int f2fs_unlink(struct inode *dir, struct dentry *dentry)
|
||||
|
@ -460,6 +479,13 @@ static int f2fs_rename(struct inode *old_dir, struct dentry *old_dentry,
|
|||
struct f2fs_dir_entry *new_entry;
|
||||
int err = -ENOENT;
|
||||
|
||||
if ((old_dir != new_dir) && f2fs_encrypted_inode(new_dir) &&
|
||||
!f2fs_is_child_context_consistent_with_parent(new_dir,
|
||||
old_inode)) {
|
||||
err = -EPERM;
|
||||
goto out;
|
||||
}
|
||||
|
||||
f2fs_balance_fs(sbi);
|
||||
|
||||
old_entry = f2fs_find_entry(old_dir, &old_dentry->d_name, &old_page);
|
||||
|
|
Loading…
Reference in New Issue