fusefrontend: make Rename() symlink-safe

Use Openat() and the openBackingDir() helper so we
never follow symlinks.
This commit is contained in:
Jakob Unterwurzacher 2018-09-22 20:56:01 +02:00
parent 897bb8924f
commit a1fb456618

View File

@ -485,65 +485,39 @@ func (fs *FS) Rename(oldPath string, newPath string, context *fuse.Context) (cod
if fs.isFiltered(newPath) { if fs.isFiltered(newPath) {
return fuse.EPERM return fuse.EPERM
} }
cOldPath, err := fs.getBackingPath(oldPath) oldDirfd, oldCName, err := fs.openBackingDir(oldPath)
if err != nil { if err != nil {
return fuse.ToStatus(err) return fuse.ToStatus(err)
} }
cNewPath, err := fs.getBackingPath(newPath) defer syscall.Close(oldDirfd)
newDirfd, newCName, err := fs.openBackingDir(newPath)
if err != nil { if err != nil {
return fuse.ToStatus(err) return fuse.ToStatus(err)
} }
defer syscall.Close(newDirfd)
// The Rename may cause a directory to take the place of another directory. // The Rename may cause a directory to take the place of another directory.
// That directory may still be in the DirIV cache, clear it. // That directory may still be in the DirIV cache, clear it.
fs.nameTransform.DirIVCache.Clear() fs.nameTransform.DirIVCache.Clear()
// Easy case. // Easy case.
if fs.args.PlaintextNames { if fs.args.PlaintextNames {
return fuse.ToStatus(syscall.Rename(cOldPath, cNewPath)) return fuse.ToStatus(syscallcompat.Renameat(oldDirfd, oldCName, newDirfd, newCName))
} }
// Handle long source file name // Long destination file name: create .name file
oldDirFd := -1 nameFileAlreadyThere := false
finalOldDirFd := -1 if nametransform.IsLongContent(newCName) {
var finalOldPath = cOldPath err = fs.nameTransform.WriteLongName(newDirfd, newCName, newPath)
cOldName := filepath.Base(cOldPath)
if nametransform.IsLongContent(cOldName) {
oldDirFd, err = syscall.Open(filepath.Dir(cOldPath), syscall.O_RDONLY|syscall.O_DIRECTORY, 0)
if err != nil {
return fuse.ToStatus(err)
}
defer syscall.Close(oldDirFd)
finalOldDirFd = oldDirFd
// Use relative path
finalOldPath = cOldName
}
// Handle long destination file name
newDirFd := -1
finalNewDirFd := -1
finalNewPath := cNewPath
cNewName := filepath.Base(cNewPath)
if nametransform.IsLongContent(cNewName) {
newDirFd, err = syscall.Open(filepath.Dir(cNewPath), syscall.O_RDONLY|syscall.O_DIRECTORY, 0)
if err != nil {
return fuse.ToStatus(err)
}
defer syscall.Close(newDirFd)
finalNewDirFd = newDirFd
// Use relative path
finalNewPath = cNewName
// Create destination .name file
err = fs.nameTransform.WriteLongName(newDirFd, cNewName, newPath)
// Failure to write the .name file is expected when the target path already // Failure to write the .name file is expected when the target path already
// exists. Since hashes are pretty unique, there is no need to modify the // exists. Since hashes are pretty unique, there is no need to modify the
// file anyway. We still set newDirFd to nil to ensure that we do not delete // .name file in this case, and we ignore the error.
// the file on error.
if err == syscall.EEXIST { if err == syscall.EEXIST {
newDirFd = -1 nameFileAlreadyThere = true
} else if err != nil { } else if err != nil {
return fuse.ToStatus(err) return fuse.ToStatus(err)
} }
} }
// Actual rename // Actual rename
tlog.Debug.Printf("Renameat oldfd=%d oldpath=%s newfd=%d newpath=%s\n", finalOldDirFd, finalOldPath, finalNewDirFd, finalNewPath) tlog.Debug.Printf("Renameat %d/%s -> %d/%s\n", oldDirfd, oldCName, newDirfd, newCName)
err = syscallcompat.Renameat(finalOldDirFd, finalOldPath, finalNewDirFd, finalNewPath) err = syscallcompat.Renameat(oldDirfd, oldCName, newDirfd, newCName)
if err == syscall.ENOTEMPTY || err == syscall.EEXIST { if err == syscall.ENOTEMPTY || err == syscall.EEXIST {
// If an empty directory is overwritten we will always get an error as // If an empty directory is overwritten we will always get an error as
// the "empty" directory will still contain gocryptfs.diriv. // the "empty" directory will still contain gocryptfs.diriv.
@ -552,18 +526,18 @@ func (fs *FS) Rename(oldPath string, newPath string, context *fuse.Context) (cod
// again. // again.
tlog.Debug.Printf("Rename: Handling ENOTEMPTY") tlog.Debug.Printf("Rename: Handling ENOTEMPTY")
if fs.Rmdir(newPath, context) == fuse.OK { if fs.Rmdir(newPath, context) == fuse.OK {
err = syscallcompat.Renameat(finalOldDirFd, finalOldPath, finalNewDirFd, finalNewPath) err = syscallcompat.Renameat(oldDirfd, oldCName, newDirfd, newCName)
} }
} }
if err != nil { if err != nil {
if newDirFd >= 0 { if nametransform.IsLongContent(newCName) && nameFileAlreadyThere == false {
// Roll back .name creation // Roll back .name creation unless the .name file was already there
nametransform.DeleteLongName(newDirFd, cNewName) nametransform.DeleteLongName(newDirfd, newCName)
} }
return fuse.ToStatus(err) return fuse.ToStatus(err)
} }
if oldDirFd >= 0 { if nametransform.IsLongContent(oldCName) {
nametransform.DeleteLongName(oldDirFd, cOldName) nametransform.DeleteLongName(oldDirfd, oldCName)
} }
return fuse.OK return fuse.OK
} }