fs/crypto/policy.c
Source file repositories/reference/linux-study-clean/fs/crypto/policy.c
File Facts
- System: Linux kernel
- Corpus path: fs/crypto/policy.c
- Extension: .c
- Size: 27954 bytes
- Lines: 896
- Domain: Core OS
- Bucket: VFS And Filesystem Core
- Inferred role: Core OS: exported/initcall integration point
- Status: integration implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Exports symbols or registers init work; inspect boot/module ordering and who consumes the exported contract.
- Touches user memory; correctness depends on fault-safe copying and privilege boundary handling.
- Allocates kernel memory; connect allocation flags and lifetime to context constraints.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
`linux/export.h`, `linux/fs_context.h`, `linux/mount.h`, `linux/random.h`, `linux/seq_file.h`, `linux/string.h`, `fscrypt_private.h`
Detected Declarations
- Functions: `Copyright`, `fscrypt_policy_to_key_spec`, `fscrypt_valid_enc_modes_v2`, `fscrypt_valid_enc_modes_v2`, `supported_direct_key_modes`, `supported_iv_ino_lblk_policy`, `fscrypt_policy_v2_du_bits`, `fscrypt_supported_v1_policy`, `fscrypt_supported_v2_policy`, `fscrypt_supported_policy`, `fscrypt_new_context`, `fscrypt_policy_from_context`, `fscrypt_get_policy`, `set_encryption_policy`, `fscrypt_ioctl_set_policy`, `fscrypt_ioctl_get_policy`, `fscrypt_ioctl_get_policy_ex`, `fscrypt_ioctl_get_nonce`, `fscrypt_has_permitted_context`, `fscrypt_context_for_new_inode`, `fscrypt_set_context`, `fscrypt_parse_test_dummy_encryption`, `fscrypt_dummy_policies_equal`, `fscrypt_show_test_dummy_encryption`
- Exports: `fscrypt_ioctl_set_policy`, `fscrypt_ioctl_get_policy`, `fscrypt_ioctl_get_policy_ex`, `fscrypt_ioctl_get_nonce`, `fscrypt_has_permitted_context`, `fscrypt_context_for_new_inode`, `fscrypt_set_context`, `fscrypt_parse_test_dummy_encryption`, `fscrypt_dummy_policies_equal`, `fscrypt_show_test_dummy_encryption`
Annotated Snippet
```c
	/* Excerpt begins mid-function, at the tail of an if condition. */
	    fscrypt_policy_v2_du_bits(policy, inode)) > 32) {
		fscrypt_warn(inode,
			     "Can't use %s policy on filesystem '%s' because its maximum file size is too large",
			     type, sb->s_id);
		return false;
	}
	return true;
}

static bool fscrypt_supported_v1_policy(const struct fscrypt_policy_v1 *policy,
					const struct inode *inode)
{
	if (!fscrypt_valid_enc_modes_v1(policy->contents_encryption_mode,
					policy->filenames_encryption_mode)) {
		fscrypt_warn(inode,
			     "Unsupported encryption modes (contents %d, filenames %d)",
			     policy->contents_encryption_mode,
			     policy->filenames_encryption_mode);
		return false;
	}

	if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK |
			      FSCRYPT_POLICY_FLAG_DIRECT_KEY)) {
		fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)",
			     policy->flags);
		return false;
	}

	if ((policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY) &&
	    !supported_direct_key_modes(inode, policy->contents_encryption_mode,
					policy->filenames_encryption_mode))
		return false;

	if (IS_CASEFOLDED(inode)) {
		/* With v1, there's no way to derive dirhash keys. */
		fscrypt_warn(inode,
			     "v1 policies can't be used on casefolded directories");
		return false;
	}

	return true;
}

static bool fscrypt_supported_v2_policy(const struct fscrypt_policy_v2 *policy,
					const struct inode *inode)
{
	int count = 0;

	if (!fscrypt_valid_enc_modes_v2(policy->contents_encryption_mode,
					policy->filenames_encryption_mode)) {
		fscrypt_warn(inode,
			     "Unsupported encryption modes (contents %d, filenames %d)",
			     policy->contents_encryption_mode,
			     policy->filenames_encryption_mode);
		return false;
	}

	if (policy->flags & ~(FSCRYPT_POLICY_FLAGS_PAD_MASK |
			      FSCRYPT_POLICY_FLAG_DIRECT_KEY |
			      FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64 |
			      FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) {
		fscrypt_warn(inode, "Unsupported encryption flags (0x%02x)",
			     policy->flags);
		return false;
	}

	count += !!(policy->flags & FSCRYPT_POLICY_FLAG_DIRECT_KEY);
	count += !!(policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64);
	count += !!(policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32);
	if (count > 1) {
		fscrypt_warn(inode, "Mutually exclusive encryption flags (0x%02x)",
			     policy->flags);
		return false;
	}

	if (policy->log2_data_unit_size) {
		if (!inode->i_sb->s_cop->supports_subblock_data_units) {
			fscrypt_warn(inode,
				     "Filesystem does not support configuring crypto data unit size");
			return false;
		}
		if (policy->log2_data_unit_size > inode->i_blkbits ||
		    policy->log2_data_unit_size < SECTOR_SHIFT /* 9 */) {
			fscrypt_warn(inode,
				     "Unsupported log2_data_unit_size in encryption policy: %d",
				     policy->log2_data_unit_size);
			return false;
		}
		if (policy->log2_data_unit_size != inode->i_blkbits &&
		    (policy->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32)) {
			/* Excerpt ends here, inside this branch. */
```
Annotation
- Immediate include surface: `linux/export.h`, `linux/fs_context.h`, `linux/mount.h`, `linux/random.h`, `linux/seq_file.h`, `linux/string.h`, `fscrypt_private.h`.
- Detected declarations: `function Copyright`, `function fscrypt_policy_to_key_spec`, `function fscrypt_valid_enc_modes_v2`, `function fscrypt_valid_enc_modes_v2`, `function supported_direct_key_modes`, `function supported_iv_ino_lblk_policy`, `function fscrypt_policy_v2_du_bits`, `function fscrypt_supported_v1_policy`, `function fscrypt_supported_v2_policy`, `function fscrypt_supported_policy`.
- Atlas domain: Core OS / VFS And Filesystem Core.
- Implementation status: integration implementation candidate.
- This snippet crosses the user/kernel memory boundary; validate fault handling and access checks before translating the pattern.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.