Commit Graph

180 Commits

Author SHA1 Message Date
Jakob Unterwurzacher
bcc8378a2c Fix the easy golint warnings
Reported by https://goreportcard.com/report/github.com/rfjakob/gocryptfs
2018-04-08 20:26:25 +02:00
Jakob Unterwurzacher
cab0cda449 tests: retry umount
Gnome may still have files open causing spurious test
failures.
2018-04-08 20:09:05 +02:00
Jakob Unterwurzacher
9d7392a5be tests: cli_test: fix fd leak
One fd leak found in TestMountBackground.
2018-04-07 15:46:41 +02:00
Jakob Unterwurzacher
22031d7e53 tests: matrix: check for fd leaks
And fix two in test_helpers.Mount().

Leftover fds can cause an unmount failure like this later:
fusermount: failed to unmount /tmp/gocryptfs-test-parent/873632270/default-plain: Device or resource busy
so try to catch them early.
2018-04-07 15:24:00 +02:00
Jakob Unterwurzacher
8b443c8484 fsck: add xattr support
With testcases.
2018-04-02 20:25:59 +02:00
Jakob Unterwurzacher
a0fd3eca98 fsck: test against example_filesystems 2018-04-02 18:43:50 +02:00
Jakob Unterwurzacher
b6c8960b01 fsck: clean up log output
Make sure we get only 1 warning output per
problem.

Also, add new corruption types to broken_fs_v1.4.
2018-04-02 18:32:30 +02:00
Jakob Unterwurzacher
f28d85fad5 fsck: add initial implementation
Most corruption cases except xattr should be covered.
With test filesystem.

The output is still pretty ugly. xattr support will
be added in the next commits.
2018-04-02 16:38:18 +02:00
Jakob Unterwurzacher
6e637f38ff tests: add a few explicit file Close() in matrix_test
These can cause EBUSY errors when unmounting.
2018-04-01 14:51:07 +02:00
Jakob Unterwurzacher
8fcd39a3b0 main: add "-fsck" flag
The fsck operation is not yet implemented, this commits
just adds the flag and improves cli flag handling.
2018-04-01 14:25:10 +02:00
Jakob Unterwurzacher
1a3d04ab87 Switch from private copy to pkg/xattr
Now that https://github.com/pkg/xattr/pull/24
has been merged there is no reason to keep
our private copy.

Switch to the upstream version.
2018-03-28 19:19:58 +02:00
Jakob Unterwurzacher
b1f362d28a tests: replace xattr.Supported
This function has been deprecated by the pkg/xattr
upstream, so write our own.
2018-03-26 21:54:17 +02:00
Jakob Unterwurzacher
db778aae7d fusefrontend: handle empty xattrs efficiently
We handle empty files by storing an actual empty file
on disk. Handle xattrs similarily and encrypt the
empty value to the empty value.
2018-03-25 21:06:10 +02:00
Jakob Unterwurzacher
1ed3d51df1 fusefrontend: add xattr support
At the moment, only for reverse mode.

https://github.com/rfjakob/gocryptfs/issues/217
2018-03-25 21:06:10 +02:00
Jakob Unterwurzacher
f20974c4da test_helpers: add SwitchTestParentDir
SwitchTestParentDir changes testParentDir. This is used when you want
to perform tests on a special filesystem. For example, the xattr tests
cannot run on tmpfs and use /var/tmp instead of /tmp.
2018-03-24 21:40:11 +01:00
Jakob Unterwurzacher
9bc039a4ba Add -masterkey=stdin functionality
https://github.com/rfjakob/gocryptfs/issues/218
2018-03-22 00:02:10 +01:00
Jakob Unterwurzacher
4b75b578a2 tests: extractloop.sh: better cleanup logic, handle missing /proc
macos does not have /proc, so don't try to read it.
2018-03-13 22:41:26 +01:00
Jakob Unterwurzacher
e46f6b940f tests: extractloop.sh: don't abort if md5sum is missing
MacOS does not have it installed by default.
2018-03-13 22:16:15 +01:00
Jakob Unterwurzacher
8373410678 macos: extractloop.sh: exclude symlink & mute ln error message
Extracting the symlink fails with

	linux-3.0/arch/microblaze/boot/dts/system.dts: Can't set permissions to 0755

so just exclude it.

The ln error Looks scary but is harmless, so get rid of it.
The symlink is only created to make it more convenient to view the
csv log.
2018-03-07 21:36:52 +01:00
Jakob Unterwurzacher
51de6cd940 macos: tests: make extractloop.bash work on macos
macos' bash and ln lack a few features we used.
2018-03-07 20:37:10 +01:00
Jakob Unterwurzacher
02693912e5 tests: convert remaining wget calls to dl-linux-tarball.bash helper
Makes the scripts work when wget is not available (macos)
2018-03-07 09:45:20 +01:00
Jakob Unterwurzacher
d09a51b80a macos: tests: use curl of wget is not available 2018-03-07 09:40:48 +01:00
Jakob Unterwurzacher
98f735ff6e tests: drop "-z" from fusermount to catch forgotten fds
macos does not have lazy unmount, so let's not use it
on linux either.
If the unmount fails, run "lsof" to find the open file.

Also fix the first bug we found this way.
2018-03-06 21:28:09 +01:00
Jakob Unterwurzacher
18d4159d18 macos: fix fd leak in reverse tests
Causes "Resource busy" unmount failures on macos
2018-03-05 23:21:08 +01:00
Jakob Unterwurzacher
1789a5ea5b tests: matrix_test: skip cases when without_openssl is set
Fixes test-without-openssl.bash.
2018-03-05 23:11:27 +01:00
Jakob Unterwurzacher
35192abb57 test_helpers: add missing newline 2018-03-05 23:06:27 +01:00
Jakob Unterwurzacher
870779ab1d macos: doTestUtimesNano: skip UTIME_OMIT and nanoseconds testcases
Not supported on macos.

Beef up the first test case a little by using different second
values.
2018-03-05 22:52:05 +01:00
Jakob Unterwurzacher
426b9536df tests: TestUtimesNano: replace ugly compareUtimes wrapper 2018-03-05 22:22:35 +01:00
Jakob Unterwurzacher
3064d72b97 tests: fix a few fd leaks
We relied on the finalizer to close a few fds.
For some reason, this did not cause problems on Linux,
but on MacOS, it causes unmount failures:

umount(/private/tmp/gocryptfs-test-parent/194654785/default-plain): Resource busy -- try 'diskutil unmount'
2018-03-05 22:00:59 +01:00
Jakob Unterwurzacher
aa65091bb9 macos: skip TestUtimesNanoSymlink early
Gets rid of the touch error message upon running the tests.
2018-03-05 21:36:16 +01:00
Jakob Unterwurzacher
b820fa691d macos: adjust TestTooLongSymlink length for darwin
Limit is much lower than on linux
2018-03-05 21:23:57 +01:00
Jakob Unterwurzacher
29496baa70 MacOS: skip TestUtimesNanoSymlink and TestUtimesNanoFd
These cannot work on MacOS.
2018-02-28 20:48:33 +01:00
Jakob Unterwurzacher
48d5f10c79 test_helpers: use an intermediate pipe for subprocess stdout
To Go test logic waits for stderr and stdout to close, so
when we share it with a subprocess, it will wait for it to
exit as well.

We don't want the tests to hang when the unmount fails.

Seen on MacOS as reported at
https://github.com/rfjakob/gocryptfs/issues/213
2018-02-28 20:03:54 +01:00
Jakob Unterwurzacher
3b8f5cbb17 readpassword: convert from string to []byte
This will allows us to overwrite the password
with zeros once we are done with it.

https://github.com/rfjakob/gocryptfs/issues/211
2018-02-18 14:26:54 +01:00
Jakob Unterwurzacher
991708af01 Documentation: add extractloop example output 2018-01-21 20:04:37 +01:00
Jakob Unterwurzacher
8951eb2472 fusefronted: add PlaintextNames special-cases for Create & Rename
gocryptfs.longname.XXX files were considered magic in PlaintextNames
mode, which was wrong.

Fix that and add tests.

Fixes https://github.com/rfjakob/gocryptfs/issues/174
2018-01-17 00:25:36 +01:00
Sebastian Lackner
a24342f656 fusefrontend: Handle PlaintextNames mode in Link
In PlaintextNames mode the "gocryptfs.longname." prefix does not have any
special meaning.

https://github.com/rfjakob/gocryptfs/issues/174
2017-12-25 15:07:37 +01:00
Jakob Unterwurzacher
87736eb833 fusefrontend_reverse: secure Access against symlink races (somewhat)
Unfortunately, faccessat in Linux ignores AT_SYMLINK_NOFOLLOW,
so this is not completely atomic.

Given that the information you get from access is not very
interesting, it seems good enough.

https://github.com/rfjakob/gocryptfs/issues/165
2017-12-07 00:11:35 +01:00
Jakob Unterwurzacher
6bd2da89d3 tets_helpers: handle t=nil in InitFS
The reverse tests call InitFS with t=nil. By
calling panic we get a better error message instead
of a generic nil pointer dereference.
2017-12-06 23:03:37 +01:00
Sebastian Lackner
614745ee57 fusefrontend: allow_other: close race between mkdir and chown
Fixes the same problem as described in 72b975867a,
except for directories instead of device nodes.
2017-11-29 13:28:04 +01:00
Sebastian Lackner
2591900b69 fusefrontend: Handle PlaintextNames mode in Unlink
In PlaintextNames mode the "gocryptfs.longname." prefix does not have any
special meaning. We should not attempt to delete any .name files.

Partially fixes https://github.com/rfjakob/gocryptfs/issues/174
2017-11-28 09:28:06 +01:00
Sebastian Lackner
3f68b0c09a fusefrontend: Handle PlaintextNames mode in Mknod
In PlaintextNames mode the "gocryptfs.longname." prefix does not have any
special meaning. We should not attempt to read the directory IV or to
create special .name files.

Partially fixes https://github.com/rfjakob/gocryptfs/issues/174
2017-11-28 09:28:06 +01:00
Jakob Unterwurzacher
72b975867a fusefronted: allow_other: close race between mknod and chown
If the user manages to replace the directory with
a symlink at just the right time, we could be tricked
into chown'ing the wrong file.

This change fixes the race by using fchownat, which
unfortunately is not available on darwin, hence a compat
wrapper is added.

Scenario, as described by @slackner at
https://github.com/rfjakob/gocryptfs/issues/177 :

1. Create a forward mount point with `plaintextnames` enabled
2. Mount as root user with `allow_other`
3. For testing purposes create a file `/tmp/file_owned_by_root`
   which is owned by the root user
4. As a regular user run inside of the GoCryptFS mount:

```
mkdir tempdir
mknod tempdir/file_owned_by_root p &
mv tempdir tempdir2
ln -s /tmp tempdir
```

When the steps are done fast enough and in the right order
(run in a loop!), the device file will be created in
`tempdir`, but the `lchown` will be executed by following
the symlink. As a result, the ownership of the file located
at `/tmp/file_owned_by_root` will be changed.
2017-11-27 21:04:45 +01:00
Jakob Unterwurzacher
1bb47b6796 reverse: reject too-long symlink target reads with ENAMETOOLONG
If the symlink target gets too long due to base64 encoding, we should
return ENAMETOOLONG instead of having the kernel reject the data and
returning an I/O error to the user.

Fixes https://github.com/rfjakob/gocryptfs/issues/167
2017-11-26 21:37:12 +01:00
Sebastian Lackner
90687215a4 fusefrontend_reverse: Do not mix up cache information for different directories
Fixes https://github.com/rfjakob/gocryptfs/issues/168

Steps to reproduce the problem:

* Create a regular reverse mount point
* Create files with the same very long name in multiple directories - so far
  everything works as expected, and it will appear with a different name each
  time, for example, gocryptfs.longname.A in directory A and
  gocryptfs.longname.B in directory B
* Try to access a path with A/gocryptfs.longname.B or B/gocryptfs.longname.A -
  this should fail, but it actually works.

The problem is that the longname cache only uses the path as key and not the
dir or divIV. Assume an attacker can directly interact with a reverse mount and
knows the relation longname path -> unencoded path in one directory, it allows
to test if the same unencoded filename appears in any other directory.
2017-11-25 16:20:48 +01:00
Sebastian Lackner
9f56b33e0c fusefrontend: Fix longname handling for renames with existing target
Fixes https://github.com/rfjakob/gocryptfs/issues/170

Steps to reproduce the problem:

* Create a regular forward mount point
* Create a file with a shortname and one with a long filename
* Try to run 'mv <shortname> <longname>'

This should actually work and replace the existing file, but instead it
fails with:

    mv: cannot move '<shortname>' to '<longname>': File exists

The problem is the creation of the .name file. If the target already exists
we can safely ignore the EEXIST error and just keep the existing .name file.
2017-11-25 16:19:09 +01:00
Sebastian Lackner
d257bb34c1 tests: Add test for access to encrypted version of '.' and '..'
To show that https://github.com/rfjakob/gocryptfs/issues/163 has been fixed.
2017-11-23 08:48:00 +01:00
Sebastian Lackner
f3c777d5ea main: Add '-devrandom' commandline option
Allows to use /dev/random for generating the master key instead of the
default Go implementation. When the kernel random generator has been
properly initialized both are considered equally secure, however:

* Versions of Go prior to 1.9 just fall back to /dev/urandom if the
  getrandom() syscall would be blocking (Go Bug #19274)

* Kernel versions prior to 3.17 do not support getrandom(), and there
  is no check if the random generator has been properly initialized
  before reading from /dev/urandom

This is especially useful for embedded hardware with low-entroy. Please
note that generation of the master key might block indefinitely if the
kernel cannot harvest enough entropy.
2017-11-21 23:37:06 +01:00
Jakob Unterwurzacher
64e5906ffa fusefrontend_reverse: workaround ext4 test failure
The extended TestLongnameStat() exposes a pathological case
when run on ext4, as ext4 reuses inode numbers immediately.

This change modifies the test to not delete the files immediately,
so the inode numbers cannot be reused immediately.

Fix for the underlying issue is a TODO.
2017-10-03 21:15:17 +02:00
Jakob Unterwurzacher
4da245c69d fusefrontend_reverse: fix 176-byte names
A file with a name of exactly 176 bytes length caused this error:

  ls: cannot access ./tmp/dsg/sXSGJLTuZuW1FarwIkJs0w/b6mGjdxIRpaeanTo0rbh0A/QjMRrQZC_4WLhmHI1UOBcA/gocryptfs.longname.QV-UipdDXeUVdl05WruoEzBNPrQCfpu6OzJL0_QnDKY: No such file or directory
  ls: cannot access ./tmp/dsg/sXSGJLTuZuW1FarwIkJs0w/b6mGjdxIRpaeanTo0rbh0A/QjMRrQZC_4WLhmHI1UOBcA/gocryptfs.longname.QV-UipdDXeUVdl05WruoEzBNPrQCfpu6OzJL0_QnDKY.name: No such file or directory
  -????????? ? ?     ?             ?            ? gocryptfs.longname.QV-UipdDXeUVdl05WruoEzBNPrQCfpu6OzJL0_QnDKY
  -????????? ? ?     ?             ?            ? gocryptfs.longname.QV-UipdDXeUVdl05WruoEzBNPrQCfpu6OzJL0_QnDKY.name

Root cause was a wrong shortNameMax constant that failed to
account for the obligatory padding byte.

Fix the constant and also expand the TestLongnameStat test case
to test ALL file name lengths from 1-255 bytes.

Fixes https://github.com/rfjakob/gocryptfs/issues/143 .
2017-10-01 13:50:25 +02:00