1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/*
3
 * eCryptfs: Linux filesystem encryption layer
4
 *
5
 * Copyright (C) 1997-2003 Erez Zadok
6
 * Copyright (C) 2001-2003 Stony Brook University
7
 * Copyright (C) 2004-2007 International Business Machines Corp.
8
 *   Author(s): Michael A. Halcrow <[email protected]>
9
 *              Michael C. Thompson <[email protected]>
10
 *              Tyler Hicks <[email protected]>
11
 */
12

13
#include <linux/dcache.h>
14
#include <linux/file.h>
15
#include <linux/module.h>
16
#include <linux/namei.h>
17
#include <linux/skbuff.h>
18
#include <linux/pagemap.h>
19
#include <linux/key.h>
20
#include <linux/fs_context.h>
21
#include <linux/fs_parser.h>
22
#include <linux/fs_stack.h>
23
#include <linux/sysfs.h>
24
#include <linux/slab.h>
25
#include <linux/magic.h>
26
#include "ecryptfs_kernel.h"
27

28
/*
29
 * Module parameter that defines the ecryptfs_verbosity level.
30
 */
31
int ecryptfs_verbosity = 0;
32

33
module_param(ecryptfs_verbosity, int, 0);
34
MODULE_PARM_DESC(ecryptfs_verbosity,
35
		 "Initial verbosity level (0 or 1; defaults to "
36
		 "0, which is Quiet)");
37

38
/*
39
 * Module parameter that defines the number of message buffer elements
40
 */
41
unsigned int ecryptfs_message_buf_len = ECRYPTFS_DEFAULT_MSG_CTX_ELEMS;
42

43
module_param(ecryptfs_message_buf_len, uint, 0);
44
MODULE_PARM_DESC(ecryptfs_message_buf_len,
45
		 "Number of message buffer elements");
46

47
/*
48
 * Module parameter that defines the maximum guaranteed amount of time to wait
49
 * for a response from ecryptfsd.  The actual sleep time will be, more than
50
 * likely, a small amount greater than this specified value, but only less if
51
 * the message successfully arrives.
52
 */
53
signed long ecryptfs_message_wait_timeout = ECRYPTFS_MAX_MSG_CTX_TTL / HZ;
54

55
module_param(ecryptfs_message_wait_timeout, long, 0);
56
MODULE_PARM_DESC(ecryptfs_message_wait_timeout,
57
		 "Maximum number of seconds that an operation will "
58
		 "sleep while waiting for a message response from "
59
		 "userspace");
60

61
/*
62
 * Module parameter that is an estimate of the maximum number of users
63
 * that will be concurrently using eCryptfs. Set this to the right
64
 * value to balance performance and memory use.
65
 */
66
unsigned int ecryptfs_number_of_users = ECRYPTFS_DEFAULT_NUM_USERS;
67

68
module_param(ecryptfs_number_of_users, uint, 0);
69
MODULE_PARM_DESC(ecryptfs_number_of_users, "An estimate of the number of "
70
		 "concurrent users of eCryptfs");
71

72
void __ecryptfs_printk(const char *fmt, ...)
73
{
74
	va_list args;
75
	va_start(args, fmt);
76
	if (fmt[1] == '7') { /* KERN_DEBUG */
77
		if (ecryptfs_verbosity >= 1)
78
			vprintk(fmt, args);
79
	} else
80
		vprintk(fmt, args);
81
	va_end(args);
82
}
83

84
/*
85
 * ecryptfs_init_lower_file
86
 * @ecryptfs_dentry: Fully initialized eCryptfs dentry object, with
87
 *                   the lower dentry and the lower mount set
88
 *
89
 * eCryptfs only ever keeps a single open file for every lower
90
 * inode. All I/O operations to the lower inode occur through that
91
 * file. When the first eCryptfs dentry that interposes with the first
92
 * lower dentry for that inode is created, this function creates the
93
 * lower file struct and associates it with the eCryptfs
94
 * inode. When all eCryptfs files associated with the inode are released, the
95
 * file is closed.
96
 *
97
 * The lower file will be opened with read/write permissions, if
98
 * possible. Otherwise, it is opened read-only.
99
 *
100
 * This function does nothing if a lower file is already
101
 * associated with the eCryptfs inode.
102
 *
103
 * Returns zero on success; non-zero otherwise
104
 */
105
static int ecryptfs_init_lower_file(struct dentry *dentry,
106
				    struct file **lower_file)
107
{
108
	const struct cred *cred = current_cred();
109
	struct path path = ecryptfs_lower_path(dentry);
110
	int rc;
111

112
	rc = ecryptfs_privileged_open(lower_file, path.dentry, path.mnt, cred);
113
	if (rc) {
114
		printk(KERN_ERR "Error opening lower file "
115
		       "for lower_dentry [0x%p] and lower_mnt [0x%p]; "
116
		       "rc = [%d]\n", path.dentry, path.mnt, rc);
117
		(*lower_file) = NULL;
118
	}
119
	return rc;
120
}
121

122
int ecryptfs_get_lower_file(struct dentry *dentry, struct inode *inode)
123
{
124
	struct ecryptfs_inode_info *inode_info;
125
	int count, rc = 0;
126

127
	inode_info = ecryptfs_inode_to_private(inode);
128
	mutex_lock(&inode_info->lower_file_mutex);
129
	count = atomic_inc_return(&inode_info->lower_file_count);
130
	if (WARN_ON_ONCE(count < 1))
131
		rc = -EINVAL;
132
	else if (count == 1) {
133
		rc = ecryptfs_init_lower_file(dentry,
134
					      &inode_info->lower_file);
135
		if (rc)
136
			atomic_set(&inode_info->lower_file_count, 0);
137
	}
138
	mutex_unlock(&inode_info->lower_file_mutex);
139
	return rc;
140
}
141

142
void ecryptfs_put_lower_file(struct inode *inode)
143
{
144
	struct ecryptfs_inode_info *inode_info;
145

146
	inode_info = ecryptfs_inode_to_private(inode);
147
	if (atomic_dec_and_mutex_lock(&inode_info->lower_file_count,
148
				      &inode_info->lower_file_mutex)) {
149
		filemap_write_and_wait(inode->i_mapping);
150
		fput(inode_info->lower_file);
151
		inode_info->lower_file = NULL;
152
		mutex_unlock(&inode_info->lower_file_mutex);
153
	}
154
}
155

156
enum {
157
	Opt_sig, Opt_ecryptfs_sig, Opt_cipher, Opt_ecryptfs_cipher,
158
	Opt_ecryptfs_key_bytes, Opt_passthrough, Opt_xattr_metadata,
159
	Opt_encrypted_view, Opt_fnek_sig, Opt_fn_cipher,
160
	Opt_fn_cipher_key_bytes, Opt_unlink_sigs, Opt_mount_auth_tok_only,
161
	Opt_check_dev_ruid
162
};
163

164
static const struct fs_parameter_spec ecryptfs_fs_param_spec[] = {
165
	fsparam_string	("sig",			    Opt_sig),
166
	fsparam_string	("ecryptfs_sig",	    Opt_ecryptfs_sig),
167
	fsparam_string	("cipher",		    Opt_cipher),
168
	fsparam_string	("ecryptfs_cipher",	    Opt_ecryptfs_cipher),
169
	fsparam_u32	("ecryptfs_key_bytes",	    Opt_ecryptfs_key_bytes),
170
	fsparam_flag	("ecryptfs_passthrough",    Opt_passthrough),
171
	fsparam_flag	("ecryptfs_xattr_metadata", Opt_xattr_metadata),
172
	fsparam_flag	("ecryptfs_encrypted_view", Opt_encrypted_view),
173
	fsparam_string	("ecryptfs_fnek_sig",	    Opt_fnek_sig),
174
	fsparam_string	("ecryptfs_fn_cipher",	    Opt_fn_cipher),
175
	fsparam_u32	("ecryptfs_fn_key_bytes",   Opt_fn_cipher_key_bytes),
176
	fsparam_flag	("ecryptfs_unlink_sigs",    Opt_unlink_sigs),
177
	fsparam_flag	("ecryptfs_mount_auth_tok_only", Opt_mount_auth_tok_only),
178
	fsparam_flag	("ecryptfs_check_dev_ruid", Opt_check_dev_ruid),
179
	{}
180
};
181

182
static int ecryptfs_init_global_auth_toks(
183
	struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
184
{
185
	struct ecryptfs_global_auth_tok *global_auth_tok;
186
	struct ecryptfs_auth_tok *auth_tok;
187
	int rc = 0;
188

189
	list_for_each_entry(global_auth_tok,
190
			    &mount_crypt_stat->global_auth_tok_list,
191
			    mount_crypt_stat_list) {
192
		rc = ecryptfs_keyring_auth_tok_for_sig(
193
			&global_auth_tok->global_auth_tok_key, &auth_tok,
194
			global_auth_tok->sig);
195
		if (rc) {
196
			printk(KERN_ERR "Could not find valid key in user "
197
			       "session keyring for sig specified in mount "
198
			       "option: [%s]\n", global_auth_tok->sig);
199
			global_auth_tok->flags |= ECRYPTFS_AUTH_TOK_INVALID;
200
			goto out;
201
		} else {
202
			global_auth_tok->flags &= ~ECRYPTFS_AUTH_TOK_INVALID;
203
			up_write(&(global_auth_tok->global_auth_tok_key)->sem);
204
		}
205
	}
206
out:
207
	return rc;
208
}
209

210
static void ecryptfs_init_mount_crypt_stat(
211
	struct ecryptfs_mount_crypt_stat *mount_crypt_stat)
212
{
213
	memset((void *)mount_crypt_stat, 0,
214
	       sizeof(struct ecryptfs_mount_crypt_stat));
215
	INIT_LIST_HEAD(&mount_crypt_stat->global_auth_tok_list);
216
	mutex_init(&mount_crypt_stat->global_auth_tok_list_mutex);
217
	mount_crypt_stat->flags |= ECRYPTFS_MOUNT_CRYPT_STAT_INITIALIZED;
218
}
219

220
struct ecryptfs_fs_context {
221
	/* Mount option status trackers */
222
	bool check_ruid;
223
	bool sig_set;
224
	bool cipher_name_set;
225
	bool cipher_key_bytes_set;
226
	bool fn_cipher_name_set;
227
	bool fn_cipher_key_bytes_set;
228
};
229

230
/**
231
 * ecryptfs_parse_param
232
 * @fc: The ecryptfs filesystem context
233
 * @param: The mount parameter to parse
234
 *
235
 * The signature of the key to use must be the description of a key
236
 * already in the keyring. Mounting will fail if the key can not be
237
 * found.
238
 *
239
 * Returns zero on success; non-zero on error
240
 */
241
static int ecryptfs_parse_param(
242
	struct fs_context *fc,
243
	struct fs_parameter *param)
244
{
245
	int rc;
246
	int opt;
247
	struct fs_parse_result result;
248
	struct ecryptfs_fs_context *ctx = fc->fs_private;
249
	struct ecryptfs_sb_info *sbi = fc->s_fs_info;
250
	struct ecryptfs_mount_crypt_stat *mount_crypt_stat =
251
		&sbi->mount_crypt_stat;
252

253
	opt = fs_parse(fc, ecryptfs_fs_param_spec, param, &result);
254
	if (opt < 0)
255
		return opt;
256

257
	switch (opt) {
258
	case Opt_sig:
259
	case Opt_ecryptfs_sig:
260
		rc = ecryptfs_add_global_auth_tok(mount_crypt_stat,
261
						  param->string, 0);
262
		if (rc) {
263
			printk(KERN_ERR "Error attempting to register "
264
			       "global sig; rc = [%d]\n", rc);
265
			return rc;
266
		}
267
		ctx->sig_set = 1;
268
		break;
269
	case Opt_cipher:
270
	case Opt_ecryptfs_cipher:
271
		strscpy(mount_crypt_stat->global_default_cipher_name,
272
			param->string);
273
		ctx->cipher_name_set = 1;
274
		break;
275
	case Opt_ecryptfs_key_bytes:
276
		mount_crypt_stat->global_default_cipher_key_size =
277
			result.uint_32;
278
		ctx->cipher_key_bytes_set = 1;
279
		break;
280
	case Opt_passthrough:
281
		mount_crypt_stat->flags |=
282
			ECRYPTFS_PLAINTEXT_PASSTHROUGH_ENABLED;
283
		break;
284
	case Opt_xattr_metadata:
285
		mount_crypt_stat->flags |= ECRYPTFS_XATTR_METADATA_ENABLED;
286
		break;
287
	case Opt_encrypted_view:
288
		mount_crypt_stat->flags |= ECRYPTFS_XATTR_METADATA_ENABLED;
289
		mount_crypt_stat->flags |= ECRYPTFS_ENCRYPTED_VIEW_ENABLED;
290
		break;
291
	case Opt_fnek_sig:
292
		strscpy(mount_crypt_stat->global_default_fnek_sig,
293
			param->string);
294
		rc = ecryptfs_add_global_auth_tok(
295
			mount_crypt_stat,
296
			mount_crypt_stat->global_default_fnek_sig,
297
			ECRYPTFS_AUTH_TOK_FNEK);
298
		if (rc) {
299
			printk(KERN_ERR "Error attempting to register "
300
			       "global fnek sig [%s]; rc = [%d]\n",
301
			       mount_crypt_stat->global_default_fnek_sig, rc);
302
			return rc;
303
		}
304
		mount_crypt_stat->flags |=
305
			(ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES
306
			 | ECRYPTFS_GLOBAL_ENCFN_USE_MOUNT_FNEK);
307
		break;
308
	case Opt_fn_cipher:
309
		strscpy(mount_crypt_stat->global_default_fn_cipher_name,
310
			param->string);
311
		ctx->fn_cipher_name_set = 1;
312
		break;
313
	case Opt_fn_cipher_key_bytes:
314
		mount_crypt_stat->global_default_fn_cipher_key_bytes =
315
			result.uint_32;
316
		ctx->fn_cipher_key_bytes_set = 1;
317
		break;
318
	case Opt_unlink_sigs:
319
		mount_crypt_stat->flags |= ECRYPTFS_UNLINK_SIGS;
320
		break;
321
	case Opt_mount_auth_tok_only:
322
		mount_crypt_stat->flags |= ECRYPTFS_GLOBAL_MOUNT_AUTH_TOK_ONLY;
323
		break;
324
	case Opt_check_dev_ruid:
325
		ctx->check_ruid = 1;
326
		break;
327
	default:
328
		return -EINVAL;
329
	}
330

331
	return 0;
332
}
333

334
static int ecryptfs_validate_options(struct fs_context *fc)
335
{
336
	int rc = 0;
337
	u8 cipher_code;
338
	struct ecryptfs_fs_context *ctx = fc->fs_private;
339
	struct ecryptfs_sb_info *sbi = fc->s_fs_info;
340
	struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
341

342

343
	mount_crypt_stat = &sbi->mount_crypt_stat;
344

345
	if (!ctx->sig_set) {
346
		rc = -EINVAL;
347
		ecryptfs_printk(KERN_ERR, "You must supply at least one valid "
348
				"auth tok signature as a mount "
349
				"parameter; see the eCryptfs README\n");
350
		goto out;
351
	}
352
	if (!ctx->cipher_name_set) {
353
		int cipher_name_len = strlen(ECRYPTFS_DEFAULT_CIPHER);
354

355
		BUG_ON(cipher_name_len > ECRYPTFS_MAX_CIPHER_NAME_SIZE);
356
		strcpy(mount_crypt_stat->global_default_cipher_name,
357
		       ECRYPTFS_DEFAULT_CIPHER);
358
	}
359
	if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
360
	    && !ctx->fn_cipher_name_set)
361
		strcpy(mount_crypt_stat->global_default_fn_cipher_name,
362
		       mount_crypt_stat->global_default_cipher_name);
363
	if (!ctx->cipher_key_bytes_set)
364
		mount_crypt_stat->global_default_cipher_key_size = 0;
365
	if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
366
	    && !ctx->fn_cipher_key_bytes_set)
367
		mount_crypt_stat->global_default_fn_cipher_key_bytes =
368
			mount_crypt_stat->global_default_cipher_key_size;
369

370
	cipher_code = ecryptfs_code_for_cipher_string(
371
		mount_crypt_stat->global_default_cipher_name,
372
		mount_crypt_stat->global_default_cipher_key_size);
373
	if (!cipher_code) {
374
		ecryptfs_printk(KERN_ERR,
375
				"eCryptfs doesn't support cipher: %s\n",
376
				mount_crypt_stat->global_default_cipher_name);
377
		rc = -EINVAL;
378
		goto out;
379
	}
380

381
	mutex_lock(&key_tfm_list_mutex);
382
	if (!ecryptfs_tfm_exists(mount_crypt_stat->global_default_cipher_name,
383
				 NULL)) {
384
		rc = ecryptfs_add_new_key_tfm(
385
			NULL, mount_crypt_stat->global_default_cipher_name,
386
			mount_crypt_stat->global_default_cipher_key_size);
387
		if (rc) {
388
			printk(KERN_ERR "Error attempting to initialize "
389
			       "cipher with name = [%s] and key size = [%td]; "
390
			       "rc = [%d]\n",
391
			       mount_crypt_stat->global_default_cipher_name,
392
			       mount_crypt_stat->global_default_cipher_key_size,
393
			       rc);
394
			rc = -EINVAL;
395
			mutex_unlock(&key_tfm_list_mutex);
396
			goto out;
397
		}
398
	}
399
	if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES)
400
	    && !ecryptfs_tfm_exists(
401
		    mount_crypt_stat->global_default_fn_cipher_name, NULL)) {
402
		rc = ecryptfs_add_new_key_tfm(
403
			NULL, mount_crypt_stat->global_default_fn_cipher_name,
404
			mount_crypt_stat->global_default_fn_cipher_key_bytes);
405
		if (rc) {
406
			printk(KERN_ERR "Error attempting to initialize "
407
			       "cipher with name = [%s] and key size = [%td]; "
408
			       "rc = [%d]\n",
409
			       mount_crypt_stat->global_default_fn_cipher_name,
410
			       mount_crypt_stat->global_default_fn_cipher_key_bytes,
411
			       rc);
412
			rc = -EINVAL;
413
			mutex_unlock(&key_tfm_list_mutex);
414
			goto out;
415
		}
416
	}
417
	mutex_unlock(&key_tfm_list_mutex);
418
	rc = ecryptfs_init_global_auth_toks(mount_crypt_stat);
419
	if (rc)
420
		printk(KERN_WARNING "One or more global auth toks could not "
421
		       "properly register; rc = [%d]\n", rc);
422
out:
423
	return rc;
424
}
425

426
struct kmem_cache *ecryptfs_sb_info_cache;
427
static struct file_system_type ecryptfs_fs_type;
428

429
/*
430
 * ecryptfs_get_tree
431
 * @fc: The filesystem context
432
 */
433
static int ecryptfs_get_tree(struct fs_context *fc)
434
{
435
	struct super_block *s;
436
	struct ecryptfs_fs_context *ctx = fc->fs_private;
437
	struct ecryptfs_sb_info *sbi = fc->s_fs_info;
438
	struct ecryptfs_mount_crypt_stat *mount_crypt_stat;
439
	const char *err = "Getting sb failed";
440
	struct inode *inode;
441
	struct path path;
442
	int rc;
443

444
	if (!fc->source) {
445
		rc = -EINVAL;
446
		err = "Device name cannot be null";
447
		goto out;
448
	}
449

450
	mount_crypt_stat = &sbi->mount_crypt_stat;
451
	rc = ecryptfs_validate_options(fc);
452
	if (rc) {
453
		err = "Error validating options";
454
		goto out;
455
	}
456

457
	s = sget_fc(fc, NULL, set_anon_super_fc);
458
	if (IS_ERR(s)) {
459
		rc = PTR_ERR(s);
460
		goto out;
461
	}
462

463
	rc = super_setup_bdi(s);
464
	if (rc)
465
		goto out1;
466

467
	ecryptfs_set_superblock_private(s, sbi);
468

469
	/* ->kill_sb() will take care of sbi after that point */
470
	sbi = NULL;
471
	s->s_op = &ecryptfs_sops;
472
	s->s_xattr = ecryptfs_xattr_handlers;
473
	set_default_d_op(s, &ecryptfs_dops);
474

475
	err = "Reading sb failed";
476
	rc = kern_path(fc->source, LOOKUP_FOLLOW | LOOKUP_DIRECTORY, &path);
477
	if (rc) {
478
		ecryptfs_printk(KERN_WARNING, "kern_path() failed\n");
479
		goto out1;
480
	}
481
	if (path.dentry->d_sb->s_type == &ecryptfs_fs_type) {
482
		rc = -EINVAL;
483
		printk(KERN_ERR "Mount on filesystem of type "
484
			"eCryptfs explicitly disallowed due to "
485
			"known incompatibilities\n");
486
		goto out_free;
487
	}
488

489
	if (is_idmapped_mnt(path.mnt)) {
490
		rc = -EINVAL;
491
		printk(KERN_ERR "Mounting on idmapped mounts currently disallowed\n");
492
		goto out_free;
493
	}
494

495
	if (ctx->check_ruid &&
496
	    !uid_eq(d_inode(path.dentry)->i_uid, current_uid())) {
497
		rc = -EPERM;
498
		printk(KERN_ERR "Mount of device (uid: %d) not owned by "
499
		       "requested user (uid: %d)\n",
500
			i_uid_read(d_inode(path.dentry)),
501
			from_kuid(&init_user_ns, current_uid()));
502
		goto out_free;
503
	}
504

505
	ecryptfs_set_superblock_lower(s, path.dentry->d_sb);
506

507
	/**
508
	 * Set the POSIX ACL flag based on whether they're enabled in the lower
509
	 * mount.
510
	 */
511
	s->s_flags = fc->sb_flags & ~SB_POSIXACL;
512
	s->s_flags |= path.dentry->d_sb->s_flags & SB_POSIXACL;
513

514
	/**
515
	 * Force a read-only eCryptfs mount when:
516
	 *   1) The lower mount is ro
517
	 *   2) The ecryptfs_encrypted_view mount option is specified
518
	 */
519
	if (sb_rdonly(path.dentry->d_sb) || mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)
520
		s->s_flags |= SB_RDONLY;
521

522
	s->s_maxbytes = path.dentry->d_sb->s_maxbytes;
523
	s->s_blocksize = path.dentry->d_sb->s_blocksize;
524
	s->s_magic = ECRYPTFS_SUPER_MAGIC;
525
	s->s_stack_depth = path.dentry->d_sb->s_stack_depth + 1;
526

527
	rc = -EINVAL;
528
	if (s->s_stack_depth > FILESYSTEM_MAX_STACK_DEPTH) {
529
		pr_err("eCryptfs: maximum fs stacking depth exceeded\n");
530
		goto out_free;
531
	}
532

533
	inode = ecryptfs_get_inode(d_inode(path.dentry), s);
534
	rc = PTR_ERR(inode);
535
	if (IS_ERR(inode))
536
		goto out_free;
537

538
	s->s_root = d_make_root(inode);
539
	if (!s->s_root) {
540
		rc = -ENOMEM;
541
		goto out_free;
542
	}
543

544
	ecryptfs_set_dentry_lower(s->s_root, path.dentry);
545
	ecryptfs_superblock_to_private(s)->lower_mnt = path.mnt;
546

547
	s->s_flags |= SB_ACTIVE;
548
	fc->root = dget(s->s_root);
549
	return 0;
550

551
out_free:
552
	path_put(&path);
553
out1:
554
	deactivate_locked_super(s);
555
out:
556
	if (sbi)
557
		ecryptfs_destroy_mount_crypt_stat(&sbi->mount_crypt_stat);
558

559
	printk(KERN_ERR "%s; rc = [%d]\n", err, rc);
560
	return rc;
561
}
562

563
/**
564
 * ecryptfs_kill_block_super
565
 * @sb: The ecryptfs super block
566
 *
567
 * Used to bring the superblock down and free the private data.
568
 */
569
static void ecryptfs_kill_block_super(struct super_block *sb)
570
{
571
	struct ecryptfs_sb_info *sb_info = ecryptfs_superblock_to_private(sb);
572
	kill_anon_super(sb);
573
	if (!sb_info)
574
		return;
575
	mntput(sb_info->lower_mnt);
576
	ecryptfs_destroy_mount_crypt_stat(&sb_info->mount_crypt_stat);
577
	kmem_cache_free(ecryptfs_sb_info_cache, sb_info);
578
}
579

580
static void ecryptfs_free_fc(struct fs_context *fc)
581
{
582
	struct ecryptfs_fs_context *ctx = fc->fs_private;
583
	struct ecryptfs_sb_info *sbi = fc->s_fs_info;
584

585
	kfree(ctx);
586

587
	if (sbi) {
588
		ecryptfs_destroy_mount_crypt_stat(&sbi->mount_crypt_stat);
589
		kmem_cache_free(ecryptfs_sb_info_cache, sbi);
590
	}
591
}
592

593
static const struct fs_context_operations ecryptfs_context_ops = {
594
	.free		= ecryptfs_free_fc,
595
	.parse_param	= ecryptfs_parse_param,
596
	.get_tree	= ecryptfs_get_tree,
597
	.reconfigure	= NULL,
598
};
599

600
static int ecryptfs_init_fs_context(struct fs_context *fc)
601
{
602
	struct ecryptfs_fs_context *ctx;
603
	struct ecryptfs_sb_info *sbi = NULL;
604

605
	ctx = kzalloc(sizeof(struct ecryptfs_fs_context), GFP_KERNEL);
606
	if (!ctx)
607
		return -ENOMEM;
608
	sbi = kmem_cache_zalloc(ecryptfs_sb_info_cache, GFP_KERNEL);
609
	if (!sbi) {
610
		kfree(ctx);
611
		ctx = NULL;
612
		return -ENOMEM;
613
	}
614

615
	ecryptfs_init_mount_crypt_stat(&sbi->mount_crypt_stat);
616

617
	fc->fs_private = ctx;
618
	fc->s_fs_info = sbi;
619
	fc->ops = &ecryptfs_context_ops;
620
	return 0;
621
}
622

623
static struct file_system_type ecryptfs_fs_type = {
624
	.owner = THIS_MODULE,
625
	.name = "ecryptfs",
626
	.init_fs_context = ecryptfs_init_fs_context,
627
	.parameters = ecryptfs_fs_param_spec,
628
	.kill_sb = ecryptfs_kill_block_super,
629
	.fs_flags = 0
630
};
631
MODULE_ALIAS_FS("ecryptfs");
632

633
/*
634
 * inode_info_init_once
635
 *
636
 * Initializes the ecryptfs_inode_info_cache when it is created
637
 */
638
static void
639
inode_info_init_once(void *vptr)
640
{
641
	struct ecryptfs_inode_info *ei = (struct ecryptfs_inode_info *)vptr;
642

643
	inode_init_once(&ei->vfs_inode);
644
}
645

646
static struct ecryptfs_cache_info {
647
	struct kmem_cache **cache;
648
	const char *name;
649
	size_t size;
650
	slab_flags_t flags;
651
	void (*ctor)(void *obj);
652
} ecryptfs_cache_infos[] = {
653
	{
654
		.cache = &ecryptfs_auth_tok_list_item_cache,
655
		.name = "ecryptfs_auth_tok_list_item",
656
		.size = sizeof(struct ecryptfs_auth_tok_list_item),
657
	},
658
	{
659
		.cache = &ecryptfs_file_info_cache,
660
		.name = "ecryptfs_file_cache",
661
		.size = sizeof(struct ecryptfs_file_info),
662
	},
663
	{
664
		.cache = &ecryptfs_inode_info_cache,
665
		.name = "ecryptfs_inode_cache",
666
		.size = sizeof(struct ecryptfs_inode_info),
667
		.flags = SLAB_ACCOUNT,
668
		.ctor = inode_info_init_once,
669
	},
670
	{
671
		.cache = &ecryptfs_sb_info_cache,
672
		.name = "ecryptfs_sb_cache",
673
		.size = sizeof(struct ecryptfs_sb_info),
674
	},
675
	{
676
		.cache = &ecryptfs_header_cache,
677
		.name = "ecryptfs_headers",
678
		.size = PAGE_SIZE,
679
	},
680
	{
681
		.cache = &ecryptfs_xattr_cache,
682
		.name = "ecryptfs_xattr_cache",
683
		.size = PAGE_SIZE,
684
	},
685
	{
686
		.cache = &ecryptfs_key_record_cache,
687
		.name = "ecryptfs_key_record_cache",
688
		.size = sizeof(struct ecryptfs_key_record),
689
	},
690
	{
691
		.cache = &ecryptfs_key_sig_cache,
692
		.name = "ecryptfs_key_sig_cache",
693
		.size = sizeof(struct ecryptfs_key_sig),
694
	},
695
	{
696
		.cache = &ecryptfs_global_auth_tok_cache,
697
		.name = "ecryptfs_global_auth_tok_cache",
698
		.size = sizeof(struct ecryptfs_global_auth_tok),
699
	},
700
	{
701
		.cache = &ecryptfs_key_tfm_cache,
702
		.name = "ecryptfs_key_tfm_cache",
703
		.size = sizeof(struct ecryptfs_key_tfm),
704
	},
705
};
706

707
static void ecryptfs_free_kmem_caches(void)
708
{
709
	int i;
710

711
	/*
712
	 * Make sure all delayed rcu free inodes are flushed before we
713
	 * destroy cache.
714
	 */
715
	rcu_barrier();
716

717
	for (i = 0; i < ARRAY_SIZE(ecryptfs_cache_infos); i++) {
718
		struct ecryptfs_cache_info *info;
719

720
		info = &ecryptfs_cache_infos[i];
721
		kmem_cache_destroy(*(info->cache));
722
	}
723
}
724

725
/**
726
 * ecryptfs_init_kmem_caches
727
 *
728
 * Returns zero on success; non-zero otherwise
729
 */
730
static int ecryptfs_init_kmem_caches(void)
731
{
732
	int i;
733

734
	for (i = 0; i < ARRAY_SIZE(ecryptfs_cache_infos); i++) {
735
		struct ecryptfs_cache_info *info;
736

737
		info = &ecryptfs_cache_infos[i];
738
		*(info->cache) = kmem_cache_create(info->name, info->size, 0,
739
				SLAB_HWCACHE_ALIGN | info->flags, info->ctor);
740
		if (!*(info->cache)) {
741
			ecryptfs_free_kmem_caches();
742
			ecryptfs_printk(KERN_WARNING, "%s: "
743
					"kmem_cache_create failed\n",
744
					info->name);
745
			return -ENOMEM;
746
		}
747
	}
748
	return 0;
749
}
750

751
static struct kobject *ecryptfs_kobj;
752

753
static ssize_t version_show(struct kobject *kobj,
754
			    struct kobj_attribute *attr, char *buff)
755
{
756
	return sysfs_emit(buff, "%d\n", ECRYPTFS_VERSIONING_MASK);
757
}
758

759
static struct kobj_attribute version_attr = __ATTR_RO(version);
760

761
static struct attribute *attributes[] = {
762
	&version_attr.attr,
763
	NULL,
764
};
765

766
static const struct attribute_group attr_group = {
767
	.attrs = attributes,
768
};
769

770
static int do_sysfs_registration(void)
771
{
772
	int rc;
773

774
	ecryptfs_kobj = kobject_create_and_add("ecryptfs", fs_kobj);
775
	if (!ecryptfs_kobj) {
776
		printk(KERN_ERR "Unable to create ecryptfs kset\n");
777
		rc = -ENOMEM;
778
		goto out;
779
	}
780
	rc = sysfs_create_group(ecryptfs_kobj, &attr_group);
781
	if (rc) {
782
		printk(KERN_ERR
783
		       "Unable to create ecryptfs version attributes\n");
784
		kobject_put(ecryptfs_kobj);
785
	}
786
out:
787
	return rc;
788
}
789

790
static void do_sysfs_unregistration(void)
791
{
792
	sysfs_remove_group(ecryptfs_kobj, &attr_group);
793
	kobject_put(ecryptfs_kobj);
794
}
795

796
static int __init ecryptfs_init(void)
797
{
798
	int rc;
799

800
	if (ECRYPTFS_DEFAULT_EXTENT_SIZE > PAGE_SIZE) {
801
		rc = -EINVAL;
802
		ecryptfs_printk(KERN_ERR, "The eCryptfs extent size is "
803
				"larger than the host's page size, and so "
804
				"eCryptfs cannot run on this system. The "
805
				"default eCryptfs extent size is [%u] bytes; "
806
				"the page size is [%lu] bytes.\n",
807
				ECRYPTFS_DEFAULT_EXTENT_SIZE,
808
				(unsigned long)PAGE_SIZE);
809
		goto out;
810
	}
811
	rc = ecryptfs_init_kmem_caches();
812
	if (rc) {
813
		printk(KERN_ERR
814
		       "Failed to allocate one or more kmem_cache objects\n");
815
		goto out;
816
	}
817
	rc = do_sysfs_registration();
818
	if (rc) {
819
		printk(KERN_ERR "sysfs registration failed\n");
820
		goto out_free_kmem_caches;
821
	}
822
	rc = ecryptfs_init_kthread();
823
	if (rc) {
824
		printk(KERN_ERR "%s: kthread initialization failed; "
825
		       "rc = [%d]\n", __func__, rc);
826
		goto out_do_sysfs_unregistration;
827
	}
828
	rc = ecryptfs_init_messaging();
829
	if (rc) {
830
		printk(KERN_ERR "Failure occurred while attempting to "
831
				"initialize the communications channel to "
832
				"ecryptfsd\n");
833
		goto out_destroy_kthread;
834
	}
835
	rc = ecryptfs_init_crypto();
836
	if (rc) {
837
		printk(KERN_ERR "Failure whilst attempting to init crypto; "
838
		       "rc = [%d]\n", rc);
839
		goto out_release_messaging;
840
	}
841
	rc = register_filesystem(&ecryptfs_fs_type);
842
	if (rc) {
843
		printk(KERN_ERR "Failed to register filesystem\n");
844
		goto out_destroy_crypto;
845
	}
846
	if (ecryptfs_verbosity > 0)
847
		printk(KERN_CRIT "eCryptfs verbosity set to %d. Secret values "
848
			"will be written to the syslog!\n", ecryptfs_verbosity);
849

850
	goto out;
851
out_destroy_crypto:
852
	ecryptfs_destroy_crypto();
853
out_release_messaging:
854
	ecryptfs_release_messaging();
855
out_destroy_kthread:
856
	ecryptfs_destroy_kthread();
857
out_do_sysfs_unregistration:
858
	do_sysfs_unregistration();
859
out_free_kmem_caches:
860
	ecryptfs_free_kmem_caches();
861
out:
862
	return rc;
863
}
864

865
static void __exit ecryptfs_exit(void)
866
{
867
	int rc;
868

869
	rc = ecryptfs_destroy_crypto();
870
	if (rc)
871
		printk(KERN_ERR "Failure whilst attempting to destroy crypto; "
872
		       "rc = [%d]\n", rc);
873
	ecryptfs_release_messaging();
874
	ecryptfs_destroy_kthread();
875
	do_sysfs_unregistration();
876
	unregister_filesystem(&ecryptfs_fs_type);
877
	ecryptfs_free_kmem_caches();
878
}
879

880
MODULE_AUTHOR("Michael A. Halcrow <[email protected]>");
881
MODULE_DESCRIPTION("eCryptfs");
882

883
MODULE_LICENSE("GPL");
884

885
module_init(ecryptfs_init)
886
module_exit(ecryptfs_exit)
887

888