1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
|
/*
* policy.go - Functions for getting and setting policies on a specified
* directory or file.
*
* Copyright 2017 Google Inc.
* Author: Joe Richey (joerichey@google.com)
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy of
* the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
* License for the specific language governing permissions and limitations under
* the License.
*/
package metadata
import (
"encoding/hex"
"fmt"
"log"
"math"
"os"
"os/user"
"strconv"
"unsafe"
"github.com/pkg/errors"
"golang.org/x/sys/unix"
"github.com/google/fscrypt/util"
)
var (
// ErrEncryptionNotSupported indicates that encryption is not supported
// on the given filesystem, and there is no way to enable it.
ErrEncryptionNotSupported = errors.New("encryption not supported")
// ErrEncryptionNotEnabled indicates that encryption is not supported on
// the given filesystem, but there is a way to enable it.
ErrEncryptionNotEnabled = errors.New("encryption not enabled")
)
// ErrAlreadyEncrypted indicates that the path is already encrypted.
type ErrAlreadyEncrypted struct {
Path string
}
func (err *ErrAlreadyEncrypted) Error() string {
return fmt.Sprintf("file or directory %q is already encrypted", err.Path)
}
// ErrBadEncryptionOptions indicates that unsupported encryption options were given.
type ErrBadEncryptionOptions struct {
Path string
Options *EncryptionOptions
}
func (err *ErrBadEncryptionOptions) Error() string {
return fmt.Sprintf(`cannot encrypt %q because the kernel doesn't support the requested encryption options.
The options are %s`, err.Path, err.Options)
}
// ErrDirectoryNotOwned indicates a directory can't be encrypted because it's
// owned by another user.
type ErrDirectoryNotOwned struct {
Path string
Owner uint32
}
func (err *ErrDirectoryNotOwned) Error() string {
owner := strconv.Itoa(int(err.Owner))
if u, e := user.LookupId(owner); e == nil && u.Username != "" {
owner = u.Username
}
return fmt.Sprintf(`cannot encrypt %q because it's owned by another user (%s).
Encryption can only be enabled on a directory you own, even if you have
write access to the directory.`, err.Path, owner)
}
// ErrNotEncrypted indicates that the path is not encrypted.
type ErrNotEncrypted struct {
Path string
}
func (err *ErrNotEncrypted) Error() string {
return fmt.Sprintf("file or directory %q is not encrypted", err.Path)
}
func getPolicyIoctl(file *os.File, request uintptr, arg unsafe.Pointer) error {
_, _, errno := unix.Syscall(unix.SYS_IOCTL, file.Fd(), request, uintptr(arg))
if errno == 0 {
return nil
}
return errno
}
func setPolicy(file *os.File, arg unsafe.Pointer) error {
_, _, errno := unix.Syscall(unix.SYS_IOCTL, file.Fd(), unix.FS_IOC_SET_ENCRYPTION_POLICY, uintptr(arg))
if errno != 0 {
return errno
}
if err := file.Sync(); err != nil {
return err
}
return nil
}
// Maps EncryptionOptions.Padding <-> FSCRYPT_POLICY_FLAGS
var (
paddingArray = []int64{4, 8, 16, 32}
flagsArray = []int64{unix.FSCRYPT_POLICY_FLAGS_PAD_4, unix.FSCRYPT_POLICY_FLAGS_PAD_8,
unix.FSCRYPT_POLICY_FLAGS_PAD_16, unix.FSCRYPT_POLICY_FLAGS_PAD_32}
)
// flagsToPadding returns the amount of padding specified in the policy flags.
func flagsToPadding(flags uint8) int64 {
paddingFlag := int64(flags & unix.FS_POLICY_FLAGS_PAD_MASK)
// This lookup should always succeed
padding, ok := util.Lookup(paddingFlag, flagsArray, paddingArray)
if !ok {
log.Panicf("padding flag of %x not found", paddingFlag)
}
return padding
}
func buildV1PolicyData(policy *unix.FscryptPolicyV1) *PolicyData {
return &PolicyData{
KeyDescriptor: hex.EncodeToString(policy.Master_key_descriptor[:]),
Options: &EncryptionOptions{
Padding: flagsToPadding(policy.Flags),
Contents: EncryptionOptions_Mode(policy.Contents_encryption_mode),
Filenames: EncryptionOptions_Mode(policy.Filenames_encryption_mode),
PolicyVersion: 1,
},
}
}
func buildV2PolicyData(policy *unix.FscryptPolicyV2) *PolicyData {
return &PolicyData{
KeyDescriptor: hex.EncodeToString(policy.Master_key_identifier[:]),
Options: &EncryptionOptions{
Padding: flagsToPadding(policy.Flags),
Contents: EncryptionOptions_Mode(policy.Contents_encryption_mode),
Filenames: EncryptionOptions_Mode(policy.Filenames_encryption_mode),
PolicyVersion: 2,
},
}
}
// GetPolicy returns the Policy data for the given directory or file (includes
// the KeyDescriptor and the encryption options). Returns an error if the
// path is not encrypted or the policy couldn't be retrieved.
func GetPolicy(path string) (*PolicyData, error) {
file, err := os.Open(path)
if err != nil {
return nil, err
}
defer file.Close()
// First try the new version of the ioctl. This works for both v1 and v2 policies.
var arg unix.FscryptGetPolicyExArg
arg.Size = uint64(unsafe.Sizeof(arg.Policy))
policyPtr := util.Ptr(arg.Policy[:])
err = getPolicyIoctl(file, unix.FS_IOC_GET_ENCRYPTION_POLICY_EX, unsafe.Pointer(&arg))
if err == unix.ENOTTY {
// Fall back to the old version of the ioctl. This works for v1 policies only.
err = getPolicyIoctl(file, unix.FS_IOC_GET_ENCRYPTION_POLICY, policyPtr)
arg.Size = uint64(unsafe.Sizeof(unix.FscryptPolicyV1{}))
}
switch err {
case nil:
break
case unix.ENOTTY:
return nil, ErrEncryptionNotSupported
case unix.EOPNOTSUPP:
return nil, ErrEncryptionNotEnabled
case unix.ENODATA, unix.ENOENT:
// ENOENT was returned instead of ENODATA on some filesystems before v4.11.
return nil, &ErrNotEncrypted{path}
default:
return nil, errors.Wrapf(err, "failed to get encryption policy of %q", path)
}
switch arg.Policy[0] { // arg.policy.version
case unix.FSCRYPT_POLICY_V1:
if arg.Size != uint64(unsafe.Sizeof(unix.FscryptPolicyV1{})) {
// should never happen
return nil, errors.New("unexpected size for v1 policy")
}
return buildV1PolicyData((*unix.FscryptPolicyV1)(policyPtr)), nil
case unix.FSCRYPT_POLICY_V2:
if arg.Size != uint64(unsafe.Sizeof(unix.FscryptPolicyV2{})) {
// should never happen
return nil, errors.New("unexpected size for v2 policy")
}
return buildV2PolicyData((*unix.FscryptPolicyV2)(policyPtr)), nil
default:
return nil, errors.Errorf("unsupported encryption policy version [%d]",
arg.Policy[0])
}
}
// For improved performance, use the DIRECT_KEY flag when using ciphers that
// support it, e.g. Adiantum. It is safe because fscrypt won't reuse the key
// for any other policy. (Multiple directories with same policy are okay.)
func shouldUseDirectKeyFlag(options *EncryptionOptions) bool {
// Contents and filenames encryption modes must be the same
if options.Contents != options.Filenames {
return false
}
// Currently only Adiantum supports DIRECT_KEY.
return options.Contents == EncryptionOptions_Adiantum
}
func buildPolicyFlags(options *EncryptionOptions) uint8 {
// This lookup should always succeed (as policy is valid)
flags, ok := util.Lookup(options.Padding, paddingArray, flagsArray)
if !ok {
log.Panicf("padding of %d was not found", options.Padding)
}
if shouldUseDirectKeyFlag(options) {
flags |= unix.FSCRYPT_POLICY_FLAG_DIRECT_KEY
}
return uint8(flags)
}
func setV1Policy(file *os.File, options *EncryptionOptions, descriptorBytes []byte) error {
policy := unix.FscryptPolicyV1{
Version: unix.FSCRYPT_POLICY_V1,
Contents_encryption_mode: uint8(options.Contents),
Filenames_encryption_mode: uint8(options.Filenames),
Flags: uint8(buildPolicyFlags(options)),
}
// The descriptor should always be the correct length (as policy is valid)
if len(descriptorBytes) != unix.FSCRYPT_KEY_DESCRIPTOR_SIZE {
log.Panic("wrong descriptor size for v1 policy")
}
copy(policy.Master_key_descriptor[:], descriptorBytes)
return setPolicy(file, unsafe.Pointer(&policy))
}
func setV2Policy(file *os.File, options *EncryptionOptions, descriptorBytes []byte) error {
policy := unix.FscryptPolicyV2{
Version: unix.FSCRYPT_POLICY_V2,
Contents_encryption_mode: uint8(options.Contents),
Filenames_encryption_mode: uint8(options.Filenames),
Flags: uint8(buildPolicyFlags(options)),
}
// The descriptor should always be the correct length (as policy is valid)
if len(descriptorBytes) != unix.FSCRYPT_KEY_IDENTIFIER_SIZE {
log.Panic("wrong descriptor size for v2 policy")
}
copy(policy.Master_key_identifier[:], descriptorBytes)
return setPolicy(file, unsafe.Pointer(&policy))
}
// SetPolicy sets up the specified directory to be encrypted with the specified
// policy. Returns an error if we cannot set the policy for any reason (not a
// directory, invalid options or KeyDescriptor, etc).
func SetPolicy(path string, data *PolicyData) error {
file, err := os.Open(path)
if err != nil {
return err
}
defer file.Close()
if err = data.CheckValidity(); err != nil {
return errors.Wrap(err, "invalid policy")
}
descriptorBytes, err := hex.DecodeString(data.KeyDescriptor)
if err != nil {
return errors.New("invalid key descriptor: " + data.KeyDescriptor)
}
switch data.Options.PolicyVersion {
case 1:
err = setV1Policy(file, data.Options, descriptorBytes)
case 2:
err = setV2Policy(file, data.Options, descriptorBytes)
default:
err = errors.Errorf("policy version of %d is invalid", data.Options.PolicyVersion)
}
if err == unix.EINVAL {
// Before kernel v4.11, many different errors all caused unix.EINVAL to be returned.
// We try to disambiguate this error here. This disambiguation will not always give
// the correct error due to a potential race condition on path.
if info, statErr := os.Stat(path); statErr != nil || !info.IsDir() {
// Checking if the path is not a directory
err = unix.ENOTDIR
} else if _, policyErr := GetPolicy(path); policyErr == nil {
// Checking if a policy is already set on this directory
err = unix.EEXIST
}
}
switch err {
case nil:
return nil
case unix.EACCES:
var stat unix.Stat_t
if statErr := unix.Stat(path, &stat); statErr == nil && stat.Uid != uint32(os.Geteuid()) {
return &ErrDirectoryNotOwned{path, stat.Uid}
}
case unix.EEXIST:
return &ErrAlreadyEncrypted{path}
case unix.EINVAL:
return &ErrBadEncryptionOptions{path, data.Options}
case unix.ENOTTY:
return ErrEncryptionNotSupported
case unix.EOPNOTSUPP:
return ErrEncryptionNotEnabled
}
return errors.Wrapf(err, "failed to set encryption policy on %q", path)
}
// CheckSupport returns an error if the filesystem containing path does not
// support filesystem encryption. This can be for many reasons including an
// incompatible kernel or filesystem or not enabling the right feature flags.
func CheckSupport(path string) error {
file, err := os.Open(path)
if err != nil {
return err
}
defer file.Close()
// On supported directories, giving a bad policy will return EINVAL
badPolicy := unix.FscryptPolicyV1{
Version: math.MaxUint8,
Contents_encryption_mode: math.MaxUint8,
Filenames_encryption_mode: math.MaxUint8,
Flags: math.MaxUint8,
}
err = setPolicy(file, unsafe.Pointer(&badPolicy))
switch err {
case nil:
log.Panicf(`FS_IOC_SET_ENCRYPTION_POLICY succeeded when it should have failed.
Please open an issue, filesystem %q may be corrupted.`, path)
case unix.EINVAL, unix.EACCES:
return nil
case unix.ENOTTY:
return ErrEncryptionNotSupported
case unix.EOPNOTSUPP:
return ErrEncryptionNotEnabled
}
return errors.Wrapf(err, "unexpected error checking for encryption support on filesystem %q", path)
}
|
