fusefrontend: drop xattr user namespace restriction
We used to restrict setting xattrs to the "user." namespace. I don't see a real reason for this anymore, and it causes trouble for users who are using acls. Tests will be added in the next commit. https://github.com/rfjakob/gocryptfs/issues/453
parent
9ec042f2f6
commit
ca9e912a28
|
@ -27,10 +27,6 @@ func (fs *FS) GetXAttr(relPath string, attr string, context *fuse.Context) ([]by
|
||||||
if fs.isFiltered(relPath) {
|
if fs.isFiltered(relPath) {
|
||||||
return nil, fuse.EPERM
|
return nil, fuse.EPERM
|
||||||
}
|
}
|
||||||
if disallowedXAttrName(attr) {
|
|
||||||
return nil, _EOPNOTSUPP
|
|
||||||
}
|
|
||||||
|
|
||||||
cAttr := fs.encryptXattrName(attr)
|
cAttr := fs.encryptXattrName(attr)
|
||||||
|
|
||||||
cData, status := fs.getXAttr(relPath, cAttr, context)
|
cData, status := fs.getXAttr(relPath, cAttr, context)
|
||||||
|
@ -53,10 +49,6 @@ func (fs *FS) SetXAttr(relPath string, attr string, data []byte, flags int, cont
|
||||||
if fs.isFiltered(relPath) {
|
if fs.isFiltered(relPath) {
|
||||||
return fuse.EPERM
|
return fuse.EPERM
|
||||||
}
|
}
|
||||||
if disallowedXAttrName(attr) {
|
|
||||||
return _EOPNOTSUPP
|
|
||||||
}
|
|
||||||
|
|
||||||
flags = filterXattrSetFlags(flags)
|
flags = filterXattrSetFlags(flags)
|
||||||
cAttr := fs.encryptXattrName(attr)
|
cAttr := fs.encryptXattrName(attr)
|
||||||
cData := fs.encryptXattrValue(data)
|
cData := fs.encryptXattrValue(data)
|
||||||
|
@ -70,10 +62,6 @@ func (fs *FS) RemoveXAttr(relPath string, attr string, context *fuse.Context) fu
|
||||||
if fs.isFiltered(relPath) {
|
if fs.isFiltered(relPath) {
|
||||||
return fuse.EPERM
|
return fuse.EPERM
|
||||||
}
|
}
|
||||||
if disallowedXAttrName(attr) {
|
|
||||||
return _EOPNOTSUPP
|
|
||||||
}
|
|
||||||
|
|
||||||
cAttr := fs.encryptXattrName(attr)
|
cAttr := fs.encryptXattrName(attr)
|
||||||
return fs.removeXAttr(relPath, cAttr, context)
|
return fs.removeXAttr(relPath, cAttr, context)
|
||||||
}
|
}
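Review bot: With the `disallowedXAttrName` guard removed from GetXAttr, SetXAttr and RemoveXAttr, names outside `user.` (for example `trusted.*`, `security.*` and the `system.posix_acl_*` names that the ACL use case needs) now go straight to `encryptXattrName`, and nothing at these call sites records why that is safe. The rationale comment deleted from the Linux file worried that the host might interpret such attributes; whether that concern still applies depends on the name `encryptXattrName` produces for the backing filesystem, which this diff does not show. I would add a short comment above the first call, e.g. `// All namespaces are accepted: the plaintext name is encrypted before it reaches the backing filesystem; privilege checks on the plaintext namespace are left to the kernel (confirm).` The follow-up tests promised in the description should cover a non-`user.` name for all three operations, since the only existing test for this policy is deleted in this commit. All three function bodies continue outside their hunks.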
|
||||||
|
|
|
@ -13,10 +13,6 @@ import (
|
||||||
"github.com/rfjakob/gocryptfs/internal/syscallcompat"
|
"github.com/rfjakob/gocryptfs/internal/syscallcompat"
|
||||||
)
|
)
|
||||||
|
|
||||||
func disallowedXAttrName(attr string) bool {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
// On Darwin it is needed to unset XATTR_NOSECURITY 0x0008
|
// On Darwin it is needed to unset XATTR_NOSECURITY 0x0008
|
||||||
func filterXattrSetFlags(flags int) int {
|
func filterXattrSetFlags(flags int) int {
|
||||||
// See https://opensource.apple.com/source/xnu/xnu-1504.15.3/bsd/sys/xattr.h.auto.html
|
// See https://opensource.apple.com/source/xnu/xnu-1504.15.3/bsd/sys/xattr.h.auto.html
|
||||||
|
|
|
@ -5,7 +5,6 @@ package fusefrontend
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"strings"
|
|
||||||
"syscall"
|
"syscall"
|
||||||
|
|
||||||
"golang.org/x/sys/unix"
|
"golang.org/x/sys/unix"
|
||||||
|
@ -15,15 +14,6 @@ import (
|
||||||
"github.com/rfjakob/gocryptfs/internal/syscallcompat"
|
"github.com/rfjakob/gocryptfs/internal/syscallcompat"
|
||||||
)
|
)
|
||||||
|
|
||||||
// Only allow the "user" namespace, block "trusted" and "security", as
|
|
||||||
// these may be interpreted by the system, and we don't want to cause
|
|
||||||
// trouble with our encrypted garbage.
|
|
||||||
const xattrUserPrefix = "user."
|
|
||||||
|
|
||||||
func disallowedXAttrName(attr string) bool {
|
|
||||||
return !strings.HasPrefix(attr, xattrUserPrefix)
|
|
||||||
}
|
|
||||||
|
|
||||||
func filterXattrSetFlags(flags int) int {
|
func filterXattrSetFlags(flags int) int {
|
||||||
return flags
|
return flags
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,13 +0,0 @@
|
||||||
// +build linux
|
|
||||||
|
|
||||||
package fusefrontend
|
|
||||||
|
|
||||||
import (
|
|
||||||
"testing"
|
|
||||||
)
|
|
||||||
|
|
||||||
func TestDisallowedLinuxAttributes(t *testing.T) {
|
|
||||||
if !disallowedXAttrName("xxxx") {
|
|
||||||
t.Fatalf("Names that don't start with 'user.' should fail")
|
|
||||||
}
|
|
||||||
}
|
|