fusefrontend_reverse: use OpenNofollow in virtualFile.GetAttr

Makes it robust against symlink races.

Final piece, closes https://github.com/rfjakob/gocryptfs/issues/165
This commit is contained in:
Jakob Unterwurzacher 2018-01-17 21:36:38 +01:00
parent 959e1fc1e2
commit a2677bce2a
2 changed files with 29 additions and 12 deletions

View File

@ -113,6 +113,6 @@ func (rfs *ReverseFS) newNameFile(relPath string) (nodefs.File, fuse.Status) {
return nil, fuse.ToStatus(err) return nil, fuse.ToStatus(err)
} }
content := []byte(rfs.nameTransform.EncryptName(pName, dirIV)) content := []byte(rfs.nameTransform.EncryptName(pName, dirIV))
parentFile := filepath.Join(rfs.args.Cipherdir, pDir, pName) parentFile := filepath.Join(pDir, pName)
return rfs.newVirtualFile(content, parentFile, inoBaseNameFile) return rfs.newVirtualFile(content, rfs.args.Cipherdir, parentFile, inoBaseNameFile)
} }

View File

@ -2,13 +2,17 @@ package fusefrontend_reverse
import ( import (
"log" "log"
"path/filepath"
"syscall" "syscall"
"golang.org/x/sys/unix"
"github.com/hanwen/go-fuse/fuse" "github.com/hanwen/go-fuse/fuse"
"github.com/hanwen/go-fuse/fuse/nodefs" "github.com/hanwen/go-fuse/fuse/nodefs"
"github.com/rfjakob/gocryptfs/internal/nametransform" "github.com/rfjakob/gocryptfs/internal/nametransform"
"github.com/rfjakob/gocryptfs/internal/pathiv" "github.com/rfjakob/gocryptfs/internal/pathiv"
"github.com/rfjakob/gocryptfs/internal/syscallcompat"
"github.com/rfjakob/gocryptfs/internal/tlog" "github.com/rfjakob/gocryptfs/internal/tlog"
) )
@ -33,11 +37,12 @@ const (
func (rfs *ReverseFS) newDirIVFile(cRelPath string) (nodefs.File, fuse.Status) { func (rfs *ReverseFS) newDirIVFile(cRelPath string) (nodefs.File, fuse.Status) {
cDir := nametransform.Dir(cRelPath) cDir := nametransform.Dir(cRelPath)
absDir, err := rfs.abs(rfs.decryptPath(cDir)) dir, err := rfs.decryptPath(cDir)
if err != nil { if err != nil {
return nil, fuse.ToStatus(err) return nil, fuse.ToStatus(err)
} }
return rfs.newVirtualFile(pathiv.Derive(cDir, pathiv.PurposeDirIV), absDir, inoBaseDirIV) iv := pathiv.Derive(cDir, pathiv.PurposeDirIV)
return rfs.newVirtualFile(iv, rfs.args.Cipherdir, dir, inoBaseDirIV)
} }
type virtualFile struct { type virtualFile struct {
@ -45,7 +50,9 @@ type virtualFile struct {
nodefs.File nodefs.File
// file content // file content
content []byte content []byte
// absolute path to a parent file // backing directory
cipherdir string
// path to a parent file (relative to cipherdir)
parentFile string parentFile string
// inode number of a virtual file is inode of parent file plus inoBase // inode number of a virtual file is inode of parent file plus inoBase
inoBase uint64 inoBase uint64
@ -53,15 +60,17 @@ type virtualFile struct {
// newVirtualFile creates a new in-memory file that does not have a representation // newVirtualFile creates a new in-memory file that does not have a representation
// on disk. "content" is the file content. Timestamps and file owner are copied // on disk. "content" is the file content. Timestamps and file owner are copied
// from "parentFile" (absolute plaintext path). For a "gocryptfs.diriv" file, you // from "parentFile" (plaintext path relative to "cipherdir").
// would use the parent directory as "parentFile". // For a "gocryptfs.diriv" file, you would use the parent directory as
func (rfs *ReverseFS) newVirtualFile(content []byte, parentFile string, inoBase uint64) (nodefs.File, fuse.Status) { // "parentFile".
func (rfs *ReverseFS) newVirtualFile(content []byte, cipherdir string, parentFile string, inoBase uint64) (nodefs.File, fuse.Status) {
if inoBase < inoBaseMin { if inoBase < inoBaseMin {
log.Panicf("BUG: virtual inode number base %d is below reserved space", inoBase) log.Panicf("BUG: virtual inode number base %d is below reserved space", inoBase)
} }
return &virtualFile{ return &virtualFile{
File: nodefs.NewDefaultFile(), File: nodefs.NewDefaultFile(),
content: content, content: content,
cipherdir: cipherdir,
parentFile: parentFile, parentFile: parentFile,
inoBase: inoBase, inoBase: inoBase,
}, fuse.OK }, fuse.OK
@ -81,10 +90,17 @@ func (f *virtualFile) Read(buf []byte, off int64) (resultData fuse.ReadResult, s
// GetAttr - FUSE call // GetAttr - FUSE call
func (f *virtualFile) GetAttr(a *fuse.Attr) fuse.Status { func (f *virtualFile) GetAttr(a *fuse.Attr) fuse.Status {
var st syscall.Stat_t dir := filepath.Dir(f.parentFile)
err := syscall.Lstat(f.parentFile, &st) dirfd, err := syscallcompat.OpenNofollow(f.cipherdir, dir, syscall.O_RDONLY|syscall.O_DIRECTORY, 0)
if err != nil { if err != nil {
tlog.Debug.Printf("GetAttr: Lstat %q: %v\n", f.parentFile, err) return fuse.ToStatus(err)
}
defer syscall.Close(dirfd)
name := filepath.Base(f.parentFile)
var st unix.Stat_t
err = syscallcompat.Fstatat(dirfd, name, &st, unix.AT_SYMLINK_NOFOLLOW)
if err != nil {
tlog.Debug.Printf("GetAttr: Fstatat %q: %v\n", f.parentFile, err)
return fuse.ToStatus(err) return fuse.ToStatus(err)
} }
if st.Ino > inoBaseMin { if st.Ino > inoBaseMin {
@ -96,6 +112,7 @@ func (f *virtualFile) GetAttr(a *fuse.Attr) fuse.Status {
st.Size = int64(len(f.content)) st.Size = int64(len(f.content))
st.Mode = virtualFileMode st.Mode = virtualFileMode
st.Nlink = 1 st.Nlink = 1
a.FromStat(&st) st2 := syscallcompat.Unix2syscall(st)
a.FromStat(&st2)
return fuse.OK return fuse.OK
} }