From 778c955eea1fdc16666f51f6f0a2fab0f580dbf0 Mon Sep 17 00:00:00 2001 From: Jakob Unterwurzacher Date: Sat, 1 Apr 2017 17:19:15 +0200 Subject: [PATCH] fusefrontend_reverse: switch to stable inode numbers The volatile inode numbers that we used before cause "find" to complain and error out. Virtual inode numbers are derived from their parent file inode number by adding 10^19, which is hopefully large enough no never cause problems in practice. If the backing directory contains inode numbers higher than that, stat() on these files will return EOVERFLOW. Example directory lising after this change: $ ls -i 926473 gocryptfs.conf 1000000000000926466 gocryptfs.diriv 944878 gocryptfs.longname.hmZojMqC6ns47eyVxLlH2ailKjN9bxfosi3C-FR8mjA 1000000000000944878 gocryptfs.longname.hmZojMqC6ns47eyVxLlH2ailKjN9bxfosi3C-FR8mjA.name 934408 Tdfbf02CKsTaGVYnAsSypA --- internal/fusefrontend/args.go | 4 +- internal/fusefrontend_reverse/ino_map.go | 19 ---- internal/fusefrontend_reverse/rfs.go | 94 ++++++++------------ internal/fusefrontend_reverse/rpath.go | 5 ++ internal/fusefrontend_reverse/virtualfile.go | 22 ++++- 5 files changed, 61 insertions(+), 83 deletions(-) delete mode 100644 internal/fusefrontend_reverse/ino_map.go diff --git a/internal/fusefrontend/args.go b/internal/fusefrontend/args.go index 4029913..ddfb9dc 100644 --- a/internal/fusefrontend/args.go +++ b/internal/fusefrontend/args.go @@ -6,7 +6,9 @@ import ( // Args is a container for arguments that are passed from main() to fusefrontend type Args struct { - Masterkey []byte + Masterkey []byte + // Cipherdir is the backing storage directory (absolute path). + // For reverse mode, Cipherdir actually contains *plaintext* files. Cipherdir string CryptoBackend cryptocore.AEADTypeEnum PlaintextNames bool diff --git a/internal/fusefrontend_reverse/ino_map.go b/internal/fusefrontend_reverse/ino_map.go deleted file mode 100644 index dae8222..0000000 --- a/internal/fusefrontend_reverse/ino_map.go +++ /dev/null @@ -1,19 +0,0 @@ -package fusefrontend_reverse - -import ( - "sync/atomic" -) - -func newInoGen() *inoGenT { - var ino uint64 = 1 - return &inoGenT{&ino} -} - -type inoGenT struct { - ino *uint64 -} - -// Get the next inode counter value -func (i *inoGenT) next() uint64 { - return atomic.AddUint64(i.ino, 1) -} diff --git a/internal/fusefrontend_reverse/rfs.go b/internal/fusefrontend_reverse/rfs.go index 18f7506..a94f448 100644 --- a/internal/fusefrontend_reverse/rfs.go +++ b/internal/fusefrontend_reverse/rfs.go @@ -5,7 +5,6 @@ import ( "log" "os" "path/filepath" - "sync" "syscall" "github.com/hanwen/go-fuse/fuse" @@ -20,12 +19,6 @@ import ( "github.com/rfjakob/gocryptfs/internal/tlog" ) -const ( - // virtualFileMode is the mode to use for virtual files (gocryptfs.diriv and gocryptfs.longname.*.name) - // they are always readable, as stated in func Access - virtualFileMode = syscall.S_IFREG | 0444 -) - // ReverseFS implements the pathfs.FileSystem interface and provides an // encrypted view of a plaintext directory. type ReverseFS struct { @@ -39,12 +32,6 @@ type ReverseFS struct { nameTransform *nametransform.NameTransform // Content encryption helper contentEnc *contentenc.ContentEnc - // Inode number generator - inoGen *inoGenT - // Maps backing files device+inode pairs to user-facing unique inode numbers - inoMap map[fusefrontend.DevInoStruct]uint64 - // Protects map access - inoMapLock sync.Mutex } var _ pathfs.FileSystem = &ReverseFS{} @@ -68,8 +55,6 @@ func NewFS(args fusefrontend.Args) *ReverseFS { args: args, nameTransform: nameTransform, contentEnc: contentEnc, - inoGen: newInoGen(), - inoMap: map[fusefrontend.DevInoStruct]uint64{}, } } @@ -102,7 +87,7 @@ func (rfs *ReverseFS) isNameFile(relPath string) bool { return fileType == nametransform.LongNameFilename } -// isTranslatedConfig returns true if the default config file name is in +// isTranslatedConfig returns true if the default config file name is in use // and the ciphertext path is "gocryptfs.conf". // "gocryptfs.conf" then maps to ".gocryptfs.reverse.conf" in the plaintext // directory. @@ -116,47 +101,22 @@ func (rfs *ReverseFS) isTranslatedConfig(relPath string) bool { return false } -func (rfs *ReverseFS) inoAwareStat(relPlainPath string) (*fuse.Attr, fuse.Status) { - absPath, err := rfs.abs(relPlainPath, nil) - if err != nil { - return nil, fuse.ToStatus(err) - } - var fi os.FileInfo - if relPlainPath == "" { - // Look through symlinks for the root dir - fi, err = os.Stat(absPath) - } else { - fi, err = os.Lstat(absPath) - } - if err != nil { - return nil, fuse.ToStatus(err) - } - st := fi.Sys().(*syscall.Stat_t) - // The file has hard links. We have to give it a stable inode number so - // tar or rsync can find them. - if fi.Mode().IsRegular() && st.Nlink > 1 { - di := fusefrontend.DevInoFromStat(st) - rfs.inoMapLock.Lock() - stableIno := rfs.inoMap[di] - if stableIno == 0 { - rfs.inoMap[di] = rfs.inoGen.next() - } - rfs.inoMapLock.Unlock() - st.Ino = stableIno - } else { - st.Ino = rfs.inoGen.next() - } - a := &fuse.Attr{} - a.FromStat(st) - return a, fuse.OK -} - // GetAttr - FUSE call +// "relPath" is the relative ciphertext path func (rfs *ReverseFS) GetAttr(relPath string, context *fuse.Context) (*fuse.Attr, fuse.Status) { + // Handle "gocryptfs.conf" if rfs.isTranslatedConfig(relPath) { - return rfs.inoAwareStat(configfile.ConfReverseName) + absConfPath, _ := rfs.abs(configfile.ConfReverseName, nil) + var st syscall.Stat_t + err := syscall.Lstat(absConfPath, &st) + if err != nil { + return nil, fuse.ToStatus(err) + } + var a fuse.Attr + a.FromStat(&st) + return &a, fuse.OK } - // Handle virtual files + // Handle virtual files (gocryptfs.diriv, *.name) var f nodefs.File var status fuse.Status virtual := false @@ -177,15 +137,31 @@ func (rfs *ReverseFS) GetAttr(relPath string, context *fuse.Context) (*fuse.Attr status = f.GetAttr(&a) return &a, status } - - cPath, err := rfs.decryptPath(relPath) + // Decrypt path to "plaintext relative path" + pRelPath, err := rfs.decryptPath(relPath) if err != nil { return nil, fuse.ToStatus(err) } - a, status := rfs.inoAwareStat(cPath) - if !status.Ok() { - return nil, status + absPath, _ := rfs.abs(pRelPath, nil) + // Stat the backing file + var st syscall.Stat_t + if relPath == "" { + // Look through symlinks for the root dir + err = syscall.Stat(absPath, &st) + } else { + err = syscall.Lstat(absPath, &st) } + if err != nil { + return nil, fuse.ToStatus(err) + } + // Instead of risking an inode number collision, we return an error. + if st.Ino > virtualInoBase { + tlog.Warn.Printf("GetAttr %q: backing file inode number %d crosses reserved space, max=%d. Returning EOVERFLOW.", + relPath, st.Ino, virtualInoBase) + return nil, fuse.ToStatus(syscall.EOVERFLOW) + } + var a fuse.Attr + a.FromStat(&st) // Calculate encrypted file size if a.IsRegular() { a.Size = rfs.contentEnc.PlainSizeToCipherSize(a.Size) @@ -200,7 +176,7 @@ func (rfs *ReverseFS) GetAttr(relPath string, context *fuse.Context) (*fuse.Attr a.Size = uint64(len(linkTarget)) } - return a, fuse.OK + return &a, fuse.OK } // Access - FUSE call diff --git a/internal/fusefrontend_reverse/rpath.go b/internal/fusefrontend_reverse/rpath.go index 02f4e9a..5082d11 100644 --- a/internal/fusefrontend_reverse/rpath.go +++ b/internal/fusefrontend_reverse/rpath.go @@ -37,6 +37,11 @@ func derivePathIV(path string, purpose ivPurposeType) []byte { return hash[:nametransform.DirIVLen] } +// abs basically returns storage dir + "/" + relPath. +// It takes an error parameter so it can directly wrap decryptPath like this: +// a, err := rfs.abs(rfs.decryptPath(relPath)) +// abs never generates an error on its own. In other words, abs(p, nil) never +// fails. func (rfs *ReverseFS) abs(relPath string, err error) (string, error) { if err != nil { return "", err diff --git a/internal/fusefrontend_reverse/virtualfile.go b/internal/fusefrontend_reverse/virtualfile.go index 2bd9e88..00fa726 100644 --- a/internal/fusefrontend_reverse/virtualfile.go +++ b/internal/fusefrontend_reverse/virtualfile.go @@ -9,6 +9,18 @@ import ( "github.com/rfjakob/gocryptfs/internal/tlog" ) +const ( + // virtualFileMode is the mode to use for virtual files (gocryptfs.diriv and + // *.name). They are always readable, as stated in func Access + virtualFileMode = syscall.S_IFREG | 0444 + // virtualInoBase is the start of the inode number range that is used + // for virtual files. + // The value 10^19 is just below 2^60. A power of 10 has been chosen so the + // "ls -li" output (which is base-10) is easy to read. + // 10^19 is the largest power of 10 that is smaller than UINT64_MAX/2. + virtualInoBase = uint64(1000000000000000000) +) + func (rfs *ReverseFS) newDirIVFile(cRelPath string) (nodefs.File, fuse.Status) { cDir := saneDir(cRelPath) absDir, err := rfs.abs(rfs.decryptPath(cDir)) @@ -25,8 +37,6 @@ type virtualFile struct { content []byte // absolute path to a parent file parentFile string - // inode number - ino uint64 } // newVirtualFile creates a new in-memory file that does not have a representation @@ -38,7 +48,6 @@ func (rfs *ReverseFS) newVirtualFile(content []byte, parentFile string) (nodefs. File: nodefs.NewDefaultFile(), content: content, parentFile: parentFile, - ino: rfs.inoGen.next(), }, fuse.OK } @@ -62,7 +71,12 @@ func (f *virtualFile) GetAttr(a *fuse.Attr) fuse.Status { tlog.Debug.Printf("GetAttr: Lstat %q: %v\n", f.parentFile, err) return fuse.ToStatus(err) } - st.Ino = f.ino + if st.Ino > virtualInoBase { + tlog.Warn.Printf("virtualFile.GetAttr: parent file inode number %d crosses reserved space, max=%d. Returning EOVERFLOW.", + st.Ino, virtualInoBase) + return fuse.ToStatus(syscall.EOVERFLOW) + } + st.Ino = st.Ino + virtualInoBase st.Size = int64(len(f.content)) st.Mode = virtualFileMode st.Nlink = 1