From 518771e4e247762f60c5594de427a8c86f19bd57 Mon Sep 17 00:00:00 2001 From: Jakob Unterwurzacher Date: Sun, 3 May 2020 15:22:10 +0200 Subject: [PATCH] fusefrontend_reverse: use inomap for inode number translation Gets rid of static inode number value limitations. Fixes https://github.com/rfjakob/gocryptfs/issues/457 --- .../fusefrontend_reverse/reverse_longnames.go | 2 +- internal/fusefrontend_reverse/rfs.go | 31 ++++++----- internal/fusefrontend_reverse/virtualfile.go | 52 ++++++++----------- internal/inomap/inomap.go | 16 ++++-- internal/inomap/inomap_test.go | 2 +- internal/inomap/qino.go | 26 ++++++---- tests/reverse/inomap_test.go | 10 ++-- 7 files changed, 77 insertions(+), 62 deletions(-) diff --git a/internal/fusefrontend_reverse/reverse_longnames.go b/internal/fusefrontend_reverse/reverse_longnames.go index f07e413..199356b 100644 --- a/internal/fusefrontend_reverse/reverse_longnames.go +++ b/internal/fusefrontend_reverse/reverse_longnames.go @@ -122,5 +122,5 @@ func (rfs *ReverseFS) newNameFile(relPath string) (nodefs.File, fuse.Status) { } content := []byte(rfs.nameTransform.EncryptName(pName, dirIV)) parentFile := filepath.Join(pDir, pName) - return rfs.newVirtualFile(content, rfs.args.Cipherdir, parentFile, inoBaseNameFile) + return rfs.newVirtualFile(content, rfs.args.Cipherdir, parentFile, inoTagNameFile) } diff --git a/internal/fusefrontend_reverse/rfs.go b/internal/fusefrontend_reverse/rfs.go index 49ce0a1..6bbdfb5 100644 --- a/internal/fusefrontend_reverse/rfs.go +++ b/internal/fusefrontend_reverse/rfs.go @@ -15,6 +15,7 @@ import ( "github.com/rfjakob/gocryptfs/internal/contentenc" "github.com/rfjakob/gocryptfs/internal/cryptocore" "github.com/rfjakob/gocryptfs/internal/fusefrontend" + "github.com/rfjakob/gocryptfs/internal/inomap" "github.com/rfjakob/gocryptfs/internal/nametransform" "github.com/rfjakob/gocryptfs/internal/pathiv" "github.com/rfjakob/gocryptfs/internal/syscallcompat" @@ -38,6 +39,9 @@ type ReverseFS struct { contentEnc *contentenc.ContentEnc // Tests wheter a path is excluded (hiden) from the user. Used by -exclude. excluder ignore.IgnoreParser + // inoMap translates inode numbers from different devices to unique inode + // numbers. + inoMap *inomap.InoMap } var _ pathfs.FileSystem = &ReverseFS{} @@ -54,6 +58,7 @@ func NewFS(args fusefrontend.Args, c *contentenc.ContentEnc, n nametransform.Nam args: args, nameTransform: n, contentEnc: c, + inoMap: inomap.New(), } fs.prepareExcluder(args) return fs @@ -180,6 +185,7 @@ func (rfs *ReverseFS) GetAttr(relPath string, context *fuse.Context) (*fuse.Attr if err != nil { return nil, fuse.ToStatus(err) } + rfs.inoMap.TranslateStat(&st) var a fuse.Attr a.FromStat(&st) if rfs.args.ForceOwner != nil { @@ -211,26 +217,25 @@ func (rfs *ReverseFS) GetAttr(relPath string, context *fuse.Context) (*fuse.Attr } return &a, status } + // Normal file / directory dirfd, name, err := rfs.openBackingDir(pPath) if err != nil { return nil, fuse.ToStatus(err) } // Stat the backing file/dir using Fstatat - var st unix.Stat_t - err = syscallcompat.Fstatat(dirfd, name, &st, unix.AT_SYMLINK_NOFOLLOW) - syscall.Close(dirfd) - if err != nil { - return nil, fuse.ToStatus(err) - } - // Instead of risking an inode number collision, we return an error. - if st.Ino > inoBaseMin { - tlog.Warn.Printf("GetAttr %q: backing file inode number %d crosses reserved space, max=%d. Returning EOVERFLOW.", - relPath, st.Ino, inoBaseMin) - return nil, fuse.ToStatus(syscall.EOVERFLOW) + var st syscall.Stat_t + { + var st2 unix.Stat_t + err = syscallcompat.Fstatat(dirfd, name, &st2, unix.AT_SYMLINK_NOFOLLOW) + syscall.Close(dirfd) + if err != nil { + return nil, fuse.ToStatus(err) + } + st = syscallcompat.Unix2syscall(st2) } + rfs.inoMap.TranslateStat(&st) var a fuse.Attr - st2 := syscallcompat.Unix2syscall(st) - a.FromStat(&st2) + a.FromStat(&st) // Calculate encrypted file size if a.IsRegular() { a.Size = rfs.contentEnc.PlainSizeToCipherSize(a.Size) diff --git a/internal/fusefrontend_reverse/virtualfile.go b/internal/fusefrontend_reverse/virtualfile.go index 963c801..7d1c18c 100644 --- a/internal/fusefrontend_reverse/virtualfile.go +++ b/internal/fusefrontend_reverse/virtualfile.go @@ -10,6 +10,7 @@ import ( "github.com/hanwen/go-fuse/fuse" "github.com/hanwen/go-fuse/fuse/nodefs" + "github.com/rfjakob/gocryptfs/internal/inomap" "github.com/rfjakob/gocryptfs/internal/nametransform" "github.com/rfjakob/gocryptfs/internal/pathiv" "github.com/rfjakob/gocryptfs/internal/syscallcompat" @@ -20,19 +21,10 @@ const ( // virtualFileMode is the mode to use for virtual files (gocryptfs.diriv and // *.name). They are always readable, as stated in func Access virtualFileMode = syscall.S_IFREG | 0444 - // inoBaseDirIV is the start of the inode number range that is used - // for virtual gocryptfs.diriv files. inoBaseNameFile is the thing for - // *.name files. - // The value 10^19 is just below 2^60. A power of 10 has been chosen so the - // "ls -li" output (which is base-10) is easy to read. - // 10^19 is the largest power of 10 that is smaller than - // INT64_MAX (=UINT64_MAX/2). This avoids signedness issues. - inoBaseDirIV = uint64(1000000000000000000) - inoBaseNameFile = uint64(2000000000000000000) - // inoBaseMin marks the start of the inode number space that is - // reserved for virtual files. It is the lowest of the inoBaseXXX values - // above. - inoBaseMin = inoBaseDirIV + // We use inomap's `Tag` feature to generate unique inode numbers for + // virtual files. These are the tags we use. + inoTagDirIV = 1 + inoTagNameFile = 2 ) func (rfs *ReverseFS) newDirIVFile(cRelPath string) (nodefs.File, fuse.Status) { @@ -42,20 +34,23 @@ func (rfs *ReverseFS) newDirIVFile(cRelPath string) (nodefs.File, fuse.Status) { return nil, fuse.ToStatus(err) } iv := pathiv.Derive(cDir, pathiv.PurposeDirIV) - return rfs.newVirtualFile(iv, rfs.args.Cipherdir, dir, inoBaseDirIV) + return rfs.newVirtualFile(iv, rfs.args.Cipherdir, dir, inoTagDirIV) } type virtualFile struct { // Embed nodefs.defaultFile for a ENOSYS implementation of all methods nodefs.File + // pointer to parent filesystem + rfs *ReverseFS // file content content []byte // backing directory cipherdir string // path to a parent file (relative to cipherdir) parentFile string - // inode number of a virtual file is inode of parent file plus inoBase - inoBase uint64 + // inomap `Tag`. + // Depending on the file type, either `inoTagDirIV` or `inoTagNameFile`. + inoTag uint8 } // newVirtualFile creates a new in-memory file that does not have a representation @@ -63,16 +58,17 @@ type virtualFile struct { // from "parentFile" (plaintext path relative to "cipherdir"). // For a "gocryptfs.diriv" file, you would use the parent directory as // "parentFile". -func (rfs *ReverseFS) newVirtualFile(content []byte, cipherdir string, parentFile string, inoBase uint64) (nodefs.File, fuse.Status) { - if inoBase < inoBaseMin { - log.Panicf("BUG: virtual inode number base %d is below reserved space", inoBase) +func (rfs *ReverseFS) newVirtualFile(content []byte, cipherdir string, parentFile string, inoTag uint8) (nodefs.File, fuse.Status) { + if inoTag == 0 { + log.Panicf("BUG: inoTag for virtual file is zero - this will cause ino collisions!") } return &virtualFile{ File: nodefs.NewDefaultFile(), + rfs: rfs, content: content, cipherdir: cipherdir, parentFile: parentFile, - inoBase: inoBase, + inoTag: inoTag, }, fuse.OK } @@ -97,22 +93,18 @@ func (f *virtualFile) GetAttr(a *fuse.Attr) fuse.Status { } defer syscall.Close(dirfd) name := filepath.Base(f.parentFile) - var st unix.Stat_t - err = syscallcompat.Fstatat(dirfd, name, &st, unix.AT_SYMLINK_NOFOLLOW) + var st2 unix.Stat_t + err = syscallcompat.Fstatat(dirfd, name, &st2, unix.AT_SYMLINK_NOFOLLOW) if err != nil { tlog.Debug.Printf("GetAttr: Fstatat %q: %v\n", f.parentFile, err) return fuse.ToStatus(err) } - if st.Ino > inoBaseMin { - tlog.Warn.Printf("virtualFile.GetAttr: parent file inode number %d crosses reserved space, max=%d. Returning EOVERFLOW.", - st.Ino, inoBaseMin) - return fuse.ToStatus(syscall.EOVERFLOW) - } - st.Ino = st.Ino + f.inoBase + st := syscallcompat.Unix2syscall(st2) + q := inomap.NewQIno(uint64(st.Dev), f.inoTag, uint64(st.Ino)) + st.Ino = f.rfs.inoMap.Translate(q) st.Size = int64(len(f.content)) st.Mode = virtualFileMode st.Nlink = 1 - st2 := syscallcompat.Unix2syscall(st) - a.FromStat(&st2) + a.FromStat(&st) return fuse.OK } diff --git a/internal/inomap/inomap.go b/internal/inomap/inomap.go index c277849..0ca43e4 100644 --- a/internal/inomap/inomap.go +++ b/internal/inomap/inomap.go @@ -15,6 +15,7 @@ package inomap import ( + "fmt" "log" "sync" "syscall" @@ -72,23 +73,30 @@ func (m *InoMap) spill(in QIno) (out uint64) { func (m *InoMap) Translate(in QIno) (out uint64) { m.Lock() defer m.Unlock() + defer func() { + fmt.Printf("Translate: %v -> %d\n", in, out) + }() if in.Ino > maxPassthruIno { - return m.spill(in) + out = m.spill(in) + return out } ns, found := m.namespaceMap[in.namespaceData] // Use existing namespace if found { - return uint64(ns)<<48 | in.Ino + out = uint64(ns)<<48 | in.Ino + return out } // No free namespace slots? if m.namespaceNext >= maxNamespaceId { - return m.spill(in) + out = m.spill(in) + return out } ns = m.namespaceNext m.namespaceNext++ m.namespaceMap[in.namespaceData] = ns - return uint64(ns)<<48 | in.Ino + out = uint64(ns)<<48 | in.Ino + return out } // TranslateStat translates the inode number contained in "st" if neccessary. diff --git a/internal/inomap/inomap_test.go b/internal/inomap/inomap_test.go index 8efc960..78cb405 100644 --- a/internal/inomap/inomap_test.go +++ b/internal/inomap/inomap_test.go @@ -106,7 +106,7 @@ func TestUniqueness(t *testing.T) { var q QIno outMap := make(map[uint64]struct{}) for q.Dev = 0; q.Dev < 10; q.Dev++ { - for q.Flags = 0; q.Flags < 10; q.Flags++ { + for q.Tag = 0; q.Tag < 10; q.Tag++ { // some go into spill for q.Ino = maxPassthruIno - 100; q.Ino < maxPassthruIno+100; q.Ino++ { out := m.Translate(q) diff --git a/internal/inomap/qino.go b/internal/inomap/qino.go index a74a96d..ed514e8 100644 --- a/internal/inomap/qino.go +++ b/internal/inomap/qino.go @@ -7,9 +7,11 @@ import ( type namespaceData struct { // Stat_t.Dev is uint64 on 32- and 64-bit Linux Dev uint64 - // Flags acts like an extension of the Dev field. + // Tag acts like an extension of the Dev field. // It is used by reverse mode for virtual files. - Flags uint8 + // Normal (forward) mode does not use it and it + // stays always zero there. + Tag uint8 } // QIno = Qualified Inode number. @@ -21,15 +23,21 @@ type QIno struct { Ino uint64 } -// QInoFromStat fills a new QIno struct with the passed Stat_t info. -func QInoFromStat(st *syscall.Stat_t) QIno { +// NewQIno returns a filled QIno struct +func NewQIno(dev uint64, tag uint8, ino uint64) QIno { return QIno{ namespaceData: namespaceData{ - // There are some architectures that use 32-bit values here - // (darwin, freebsd-32, maybe others). Add an explicit cast to make - // this function work everywhere. - Dev: uint64(st.Dev), + Dev: dev, + Tag: tag, }, - Ino: uint64(st.Ino), + Ino: ino, } } + +// QInoFromStat fills a new QIno struct with the passed Stat_t info. +func QInoFromStat(st *syscall.Stat_t) QIno { + // There are some architectures that use 32-bit values here + // (darwin, freebsd-32, maybe others). Add an explicit cast to make + // this function work everywhere. + return NewQIno(uint64(st.Dev), 0, uint64(st.Ino)) +} diff --git a/tests/reverse/inomap_test.go b/tests/reverse/inomap_test.go index e3bd207..5f7fb45 100644 --- a/tests/reverse/inomap_test.go +++ b/tests/reverse/inomap_test.go @@ -128,8 +128,10 @@ func TestVirtualFileIno(t *testing.T) { if origInos.parent == cipherInos.diriv { t.Errorf("diriv ino collision: %d == %d", origInos.parent, cipherInos.diriv) } - if origInos.parent != cipherInos.diriv-1000000000000000000 { - t.Errorf("diriv ino mismatch: %d != %d", origInos.parent, cipherInos.diriv) + // Lower 48 bits should come from the backing file + const mask = 0xffffffffffff + if origInos.parent&mask != cipherInos.diriv&mask { + t.Errorf("diriv ino mismatch: %#x vs %#x", origInos.parent, cipherInos.diriv) } if origInos.child != cipherInos.child { t.Errorf("child ino mismatch: %d vs %d", origInos.child, cipherInos.child) @@ -137,7 +139,7 @@ func TestVirtualFileIno(t *testing.T) { if origInos.child == cipherInos.name { t.Errorf("name ino collision: %d == %d", origInos.child, cipherInos.name) } - if origInos.child != cipherInos.name-2000000000000000000 { - t.Errorf("name ino mismatch: %d vs %d", origInos.child, cipherInos.name) + if origInos.child&mask != cipherInos.name&mask { + t.Errorf("name ino mismatch: %#x vs %#x", origInos.child, cipherInos.name) } }