fusefrontend_reverse: use inomap for inode number translation

Gets rid of static inode number value limitations. Fixes https://github.com/rfjakob/gocryptfs/issues/457
2020-05-03 15:22:10 +02:00 · 2020-05-03 15:22:10 +02:00 · 518771e4e2
parent db93a6c54c
commit 518771e4e2
7 changed files with 77 additions and 62 deletions
--- a/internal/fusefrontend_reverse/reverse_longnames.go
+++ b/internal/fusefrontend_reverse/reverse_longnames.go
@ -122,5 +122,5 @@ func (rfs *ReverseFS) newNameFile(relPath string) (nodefs.File, fuse.Status) {
 	}
 	content := []byte(rfs.nameTransform.EncryptName(pName, dirIV))
 	parentFile := filepath.Join(pDir, pName)
-	return rfs.newVirtualFile(content, rfs.args.Cipherdir, parentFile, inoBaseNameFile)
+	return rfs.newVirtualFile(content, rfs.args.Cipherdir, parentFile, inoTagNameFile)
 }
--- a/internal/fusefrontend_reverse/rfs.go
+++ b/internal/fusefrontend_reverse/rfs.go
@ -15,6 +15,7 @@ import (
 	"github.com/rfjakob/gocryptfs/internal/contentenc"
 	"github.com/rfjakob/gocryptfs/internal/cryptocore"
 	"github.com/rfjakob/gocryptfs/internal/fusefrontend"
 	"github.com/rfjakob/gocryptfs/internal/inomap"
 	"github.com/rfjakob/gocryptfs/internal/nametransform"
 	"github.com/rfjakob/gocryptfs/internal/pathiv"
 	"github.com/rfjakob/gocryptfs/internal/syscallcompat"
@ -38,6 +39,9 @@ type ReverseFS struct {
 	contentEnc *contentenc.ContentEnc
 	// Tests wheter a path is excluded (hiden) from the user. Used by -exclude.
 	excluder ignore.IgnoreParser
 	// inoMap translates inode numbers from different devices to unique inode
 	// numbers.
 	inoMap *inomap.InoMap
 }
 var _ pathfs.FileSystem = &ReverseFS{}
@ -54,6 +58,7 @@ func NewFS(args fusefrontend.Args, c *contentenc.ContentEnc, n nametransform.Nam
 		args:          args,
 		nameTransform: n,
 		contentEnc:    c,
 		inoMap:        inomap.New(),
 	}
 	fs.prepareExcluder(args)
 	return fs
@ -180,6 +185,7 @@ func (rfs *ReverseFS) GetAttr(relPath string, context *fuse.Context) (*fuse.Attr
 		if err != nil {
 			return nil, fuse.ToStatus(err)
 		}
 		rfs.inoMap.TranslateStat(&st)
 		var a fuse.Attr
 		a.FromStat(&st)
 		if rfs.args.ForceOwner != nil {
@ -211,26 +217,25 @@ func (rfs *ReverseFS) GetAttr(relPath string, context *fuse.Context) (*fuse.Attr
 		}
 		return &a, status
 	}
 	// Normal file / directory
 	dirfd, name, err := rfs.openBackingDir(pPath)
 	if err != nil {
 		return nil, fuse.ToStatus(err)
 	}
 	// Stat the backing file/dir using Fstatat
-	var st unix.Stat_t
+	var st syscall.Stat_t
-	err = syscallcompat.Fstatat(dirfd, name, &st, unix.AT_SYMLINK_NOFOLLOW)
+	{
-	syscall.Close(dirfd)
+		var st2 unix.Stat_t
-	if err != nil {
+		err = syscallcompat.Fstatat(dirfd, name, &st2, unix.AT_SYMLINK_NOFOLLOW)
-		return nil, fuse.ToStatus(err)
+		syscall.Close(dirfd)
-	}
+		if err != nil {
-	// Instead of risking an inode number collision, we return an error.
+			return nil, fuse.ToStatus(err)
-	if st.Ino > inoBaseMin {
+		}
-		tlog.Warn.Printf("GetAttr %q: backing file inode number %d crosses reserved space, max=%d. Returning EOVERFLOW.",
+		st = syscallcompat.Unix2syscall(st2)
 			relPath, st.Ino, inoBaseMin)
 		return nil, fuse.ToStatus(syscall.EOVERFLOW)
 	}
 	rfs.inoMap.TranslateStat(&st)
 	var a fuse.Attr
-	st2 := syscallcompat.Unix2syscall(st)
+	a.FromStat(&st)
 	a.FromStat(&st2)
 	// Calculate encrypted file size
 	if a.IsRegular() {
 		a.Size = rfs.contentEnc.PlainSizeToCipherSize(a.Size)
--- a/internal/fusefrontend_reverse/virtualfile.go
+++ b/internal/fusefrontend_reverse/virtualfile.go
@ -10,6 +10,7 @@ import (
 	"github.com/hanwen/go-fuse/fuse"
 	"github.com/hanwen/go-fuse/fuse/nodefs"
 	"github.com/rfjakob/gocryptfs/internal/inomap"
 	"github.com/rfjakob/gocryptfs/internal/nametransform"
 	"github.com/rfjakob/gocryptfs/internal/pathiv"
 	"github.com/rfjakob/gocryptfs/internal/syscallcompat"
@ -20,19 +21,10 @@ const (
 	// virtualFileMode is the mode to use for virtual files (gocryptfs.diriv and
 	// *.name). They are always readable, as stated in func Access
 	virtualFileMode = syscall.S_IFREG | 0444
-	// inoBaseDirIV is the start of the inode number range that is used
+	// We use inomap's `Tag` feature to generate unique inode numbers for
-	// for virtual gocryptfs.diriv files. inoBaseNameFile is the thing for
+	// virtual files. These are the tags we use.
-	// *.name files.
+	inoTagDirIV    = 1
-	// The value 10^19 is just below 2^60. A power of 10 has been chosen so the
+	inoTagNameFile = 2
 	// "ls -li" output (which is base-10) is easy to read.
 	// 10^19 is the largest power of 10 that is smaller than
 	// INT64_MAX (=UINT64_MAX/2). This avoids signedness issues.
 	inoBaseDirIV    = uint64(1000000000000000000)
 	inoBaseNameFile = uint64(2000000000000000000)
 	// inoBaseMin marks the start of the inode number space that is
 	// reserved for virtual files. It is the lowest of the inoBaseXXX values
 	// above.
 	inoBaseMin = inoBaseDirIV
 )
 func (rfs *ReverseFS) newDirIVFile(cRelPath string) (nodefs.File, fuse.Status) {
@ -42,20 +34,23 @@ func (rfs *ReverseFS) newDirIVFile(cRelPath string) (nodefs.File, fuse.Status) {
 		return nil, fuse.ToStatus(err)
 	}
 	iv := pathiv.Derive(cDir, pathiv.PurposeDirIV)
-	return rfs.newVirtualFile(iv, rfs.args.Cipherdir, dir, inoBaseDirIV)
+	return rfs.newVirtualFile(iv, rfs.args.Cipherdir, dir, inoTagDirIV)
 }
 type virtualFile struct {
 	// Embed nodefs.defaultFile for a ENOSYS implementation of all methods
 	nodefs.File
 	// pointer to parent filesystem
 	rfs *ReverseFS
 	// file content
 	content []byte
 	// backing directory
 	cipherdir string
 	// path to a parent file (relative to cipherdir)
 	parentFile string
-	// inode number of a virtual file is inode of parent file plus inoBase
+	// inomap `Tag`.
-	inoBase uint64
+	// Depending on the file type, either `inoTagDirIV` or `inoTagNameFile`.
 	inoTag uint8
 }
 // newVirtualFile creates a new in-memory file that does not have a representation
@ -63,16 +58,17 @@ type virtualFile struct {
 // from "parentFile" (plaintext path relative to "cipherdir").
 // For a "gocryptfs.diriv" file, you would use the parent directory as
 // "parentFile".
-func (rfs *ReverseFS) newVirtualFile(content []byte, cipherdir string, parentFile string, inoBase uint64) (nodefs.File, fuse.Status) {
+func (rfs *ReverseFS) newVirtualFile(content []byte, cipherdir string, parentFile string, inoTag uint8) (nodefs.File, fuse.Status) {
-	if inoBase < inoBaseMin {
+	if inoTag == 0 {
-		log.Panicf("BUG: virtual inode number base %d is below reserved space", inoBase)
+		log.Panicf("BUG: inoTag for virtual file is zero - this will cause ino collisions!")
 	}
 	return &virtualFile{
 		File:       nodefs.NewDefaultFile(),
 		rfs:        rfs,
 		content:    content,
 		cipherdir:  cipherdir,
 		parentFile: parentFile,
-		inoBase:    inoBase,
+		inoTag:     inoTag,
 	}, fuse.OK
 }
@ -97,22 +93,18 @@ func (f *virtualFile) GetAttr(a *fuse.Attr) fuse.Status {
 	}
 	defer syscall.Close(dirfd)
 	name := filepath.Base(f.parentFile)
-	var st unix.Stat_t
+	var st2 unix.Stat_t
-	err = syscallcompat.Fstatat(dirfd, name, &st, unix.AT_SYMLINK_NOFOLLOW)
+	err = syscallcompat.Fstatat(dirfd, name, &st2, unix.AT_SYMLINK_NOFOLLOW)
 	if err != nil {
 		tlog.Debug.Printf("GetAttr: Fstatat %q: %v\n", f.parentFile, err)
 		return fuse.ToStatus(err)
 	}
-	if st.Ino > inoBaseMin {
+	st := syscallcompat.Unix2syscall(st2)
-		tlog.Warn.Printf("virtualFile.GetAttr: parent file inode number %d crosses reserved space, max=%d. Returning EOVERFLOW.",
+	q := inomap.NewQIno(uint64(st.Dev), f.inoTag, uint64(st.Ino))
-			st.Ino, inoBaseMin)
+	st.Ino = f.rfs.inoMap.Translate(q)
 		return fuse.ToStatus(syscall.EOVERFLOW)
 	}
 	st.Ino = st.Ino + f.inoBase
 	st.Size = int64(len(f.content))
 	st.Mode = virtualFileMode
 	st.Nlink = 1
-	st2 := syscallcompat.Unix2syscall(st)
+	a.FromStat(&st)
 	a.FromStat(&st2)
 	return fuse.OK
 }
--- a/internal/inomap/inomap.go
+++ b/internal/inomap/inomap.go
@ -15,6 +15,7 @@
 package inomap
 import (
 	"fmt"
 	"log"
 	"sync"
 	"syscall"
@ -72,23 +73,30 @@ func (m *InoMap) spill(in QIno) (out uint64) {
 func (m *InoMap) Translate(in QIno) (out uint64) {
 	m.Lock()
 	defer m.Unlock()
 	defer func() {
 		fmt.Printf("Translate: %v -> %d\n", in, out)
 	}()
 	if in.Ino > maxPassthruIno {
-		return m.spill(in)
+		out = m.spill(in)
 		return out
 	}
 	ns, found := m.namespaceMap[in.namespaceData]
 	// Use existing namespace
 	if found {
-		return uint64(ns)<<48 | in.Ino
+		out = uint64(ns)<<48 | in.Ino
 		return out
 	}
 	// No free namespace slots?
 	if m.namespaceNext >= maxNamespaceId {
-		return m.spill(in)
+		out = m.spill(in)
 		return out
 	}
 	ns = m.namespaceNext
 	m.namespaceNext++
 	m.namespaceMap[in.namespaceData] = ns
-	return uint64(ns)<<48 | in.Ino
+	out = uint64(ns)<<48 | in.Ino
 	return out
 }
 // TranslateStat translates the inode number contained in "st" if neccessary.
--- a/internal/inomap/inomap_test.go
+++ b/internal/inomap/inomap_test.go
@ -106,7 +106,7 @@ func TestUniqueness(t *testing.T) {
 	var q QIno
 	outMap := make(map[uint64]struct{})
 	for q.Dev = 0; q.Dev < 10; q.Dev++ {
-		for q.Flags = 0; q.Flags < 10; q.Flags++ {
+		for q.Tag = 0; q.Tag < 10; q.Tag++ {
 			// some go into spill
 			for q.Ino = maxPassthruIno - 100; q.Ino < maxPassthruIno+100; q.Ino++ {
 				out := m.Translate(q)
--- a/internal/inomap/qino.go
+++ b/internal/inomap/qino.go
@ -7,9 +7,11 @@ import (
 type namespaceData struct {
 	// Stat_t.Dev is uint64 on 32- and 64-bit Linux
 	Dev uint64
-	// Flags acts like an extension of the Dev field.
+	// Tag acts like an extension of the Dev field.
 	// It is used by reverse mode for virtual files.
-	Flags uint8
+	// Normal (forward) mode does not use it and it
 	// stays always zero there.
 	Tag uint8
 }
 // QIno = Qualified Inode number.
@ -21,15 +23,21 @@ type QIno struct {
 	Ino uint64
 }
-// QInoFromStat fills a new QIno struct with the passed Stat_t info.
+// NewQIno returns a filled QIno struct
-func QInoFromStat(st *syscall.Stat_t) QIno {
+func NewQIno(dev uint64, tag uint8, ino uint64) QIno {
 	return QIno{
 		namespaceData: namespaceData{
-			// There are some architectures that use 32-bit values here
+			Dev: dev,
-			// (darwin, freebsd-32, maybe others). Add an explicit cast to make
+			Tag: tag,
 			// this function work everywhere.
 			Dev: uint64(st.Dev),
 		},
-		Ino: uint64(st.Ino),
+		Ino: ino,
 	}
 }
 // QInoFromStat fills a new QIno struct with the passed Stat_t info.
 func QInoFromStat(st *syscall.Stat_t) QIno {
 	// There are some architectures that use 32-bit values here
 	// (darwin, freebsd-32, maybe others). Add an explicit cast to make
 	// this function work everywhere.
 	return NewQIno(uint64(st.Dev), 0, uint64(st.Ino))
 }
--- a/tests/reverse/inomap_test.go
+++ b/tests/reverse/inomap_test.go
@ -128,8 +128,10 @@ func TestVirtualFileIno(t *testing.T) {
 	if origInos.parent == cipherInos.diriv {
 		t.Errorf("diriv ino collision: %d == %d", origInos.parent, cipherInos.diriv)
 	}
-	if origInos.parent != cipherInos.diriv-1000000000000000000 {
+	// Lower 48 bits should come from the backing file
-		t.Errorf("diriv ino mismatch: %d != %d", origInos.parent, cipherInos.diriv)
+	const mask = 0xffffffffffff
 	if origInos.parent&mask != cipherInos.diriv&mask {
 		t.Errorf("diriv ino mismatch: %#x vs %#x", origInos.parent, cipherInos.diriv)
 	}
 	if origInos.child != cipherInos.child {
 		t.Errorf("child ino mismatch: %d vs %d", origInos.child, cipherInos.child)
@ -137,7 +139,7 @@ func TestVirtualFileIno(t *testing.T) {
 	if origInos.child == cipherInos.name {
 		t.Errorf("name ino collision: %d == %d", origInos.child, cipherInos.name)
 	}
-	if origInos.child != cipherInos.name-2000000000000000000 {
+	if origInos.child&mask != cipherInos.name&mask {
-		t.Errorf("name ino mismatch: %d vs %d", origInos.child, cipherInos.name)
+		t.Errorf("name ino mismatch: %#x vs %#x", origInos.child, cipherInos.name)
 	}
 }