fusefrontend_reverse: secure OpenDir against symlink races

...by using the new OpenNofollow helper. The benchmark shows a small but acceptable performance loss: $ ./benchmark-reverse.bash LS: 2.182 CAT: 18.221 Tracking ticket: https://github.com/rfjakob/gocryptfs/issues/165
2017-12-05 23:11:46 +01:00 · 2017-12-05 23:11:46 +01:00 · 926cb93b50
commit 926cb93b50
parent e604ce6dea
1 changed files with 9 additions and 3 deletions
--- a/internal/fusefrontend_reverse/rfs.go
+++ b/internal/fusefrontend_reverse/rfs.go
@ -17,6 +17,7 @@ import (
 	"github.com/rfjakob/gocryptfs/internal/fusefrontend"
 	"github.com/rfjakob/gocryptfs/internal/nametransform"
 	"github.com/rfjakob/gocryptfs/internal/pathiv"
+	"github.com/rfjakob/gocryptfs/internal/syscallcompat"
 	"github.com/rfjakob/gocryptfs/internal/tlog"
 )

@ -253,9 +254,14 @@ func (rfs *ReverseFS) OpenDir(cipherPath string, context *fuse.Context) ([]fuse.
 		return nil, fuse.ToStatus(err)
 	}
 	// Read plaintext dir
-	entries, status := rfs.loopbackfs.OpenDir(relPath, context)
-	if entries == nil {
-		return nil, status
+	fd, err := syscallcompat.OpenNofollow(rfs.args.Cipherdir, relPath, syscall.O_RDONLY, 0)
+	if err != nil {
+		return nil, fuse.ToStatus(err)
+	}
+	defer syscall.Close(fd)
+	entries, err := syscallcompat.Getdents(fd)
+	if err != nil {
+		return nil, fuse.ToStatus(err)
 	}
 	if rfs.args.PlaintextNames {
 		return rfs.openDirPlaintextnames(cipherPath, entries)