Jakob Unterwurzacher
a2677bce2a
fusefrontend_reverse: use OpenNofollow in virtualFile.GetAttr
...
Makes it robust against symlink races.
Final piece, closes https://github.com/rfjakob/gocryptfs/issues/165
2018-01-17 21:36:38 +01:00
Jakob Unterwurzacher
959e1fc1e2
fusefrontend_reverse: use OpenNofollow in findLongnameParent
...
Protects findLongnameParent against symlink races.
Also add comments to several functions along the way.
Reported at https://github.com/rfjakob/gocryptfs/issues/165
2018-01-17 20:54:05 +01:00
Jakob Unterwurzacher
8951eb2472
fusefronted: add PlaintextNames special-cases for Create & Rename
...
gocryptfs.longname.XXX files were considered magic in PlaintextNames
mode, which was wrong.
Fix that and add tests.
Fixes https://github.com/rfjakob/gocryptfs/issues/174
2018-01-17 00:25:36 +01:00
Jakob Unterwurzacher
36ffd813cd
Run go fmt
2018-01-16 23:18:53 +01:00
Jakob Unterwurzacher
7d477d692b
MacOS: rely on OSXFuse to create mountpoint below /Volumes
...
OSXFuse automatically creates the mountpoint if it is
below /Volumes because this would require root permissions
which the user might not have.
Reported at https://github.com/rfjakob/gocryptfs/issues/194
2018-01-16 23:18:53 +01:00
Felix Lechner
a4dff6aea0
Provide basic man page for xray tool ( #193 )
...
Provide basic man page for xray tool
2018-01-10 20:27:03 +01:00
Felix Lechner
63c3878b7c
Fix spelling
2018-01-10 09:26:48 +01:00
Jakob Unterwurzacher
025f33e366
package-source.bash: archive HEAD instead of master
...
To be able to check out an older version and create
a tarball from it, let `git archive` operate on HEAD.
This used to be broken in a bad way: we use `git describe`
which operates on HEAD to name the tarball, but always archived
HEAD.
2018-01-07 22:29:02 +01:00
Jakob Unterwurzacher
1ae218b417
package-source.bash: also create source-only tarball
...
We used to only create a source + dependecies tarball,
but having a source-only tarball makes packaging deb/rpm
easier.
2018-01-07 19:01:59 +01:00
Sebastian Lackner
a85dbcab38
fusefrontend: Use Linkat syscall to implement Link
2017-12-25 15:07:37 +01:00
Sebastian Lackner
a24342f656
fusefrontend: Handle PlaintextNames mode in Link
...
In PlaintextNames mode the "gocryptfs.longname." prefix does not have any
special meaning.
https://github.com/rfjakob/gocryptfs/issues/174
2017-12-25 15:07:37 +01:00
Rohan Talip
ca594b2349
Pinned the link to line 38 of performance.txt to version 1.4.1 since f0e29d9b90 (diff-86b7f3262ae352959ee0e04cccaac1b0)
added an extra line.
2017-12-25 15:06:19 +01:00
Sebastian Lackner
631974f9e0
fusefrontend_reverse: Use O_DIRECTORY in OpenDir implementation
...
Also get rid of the defer - it is not really necessary here.
2017-12-11 21:18:20 +01:00
Sebastian Lackner
96dc2ca709
fusefrontend_reverse: Reject access to device nodes in newFile function
...
Steps to reproduce:
* Create a regular reverse mount point
* Create a file "test" in the original directory
* Access the corresponding encrypted directory in the mount point (ls <encrypted dir>)
* Quickly delete the file in the original data - instead create a device node
* Access the file again, it will access the device node and attempt to read from it
Fixes https://github.com/rfjakob/gocryptfs/issues/187
2017-12-11 09:55:16 +01:00
Sebastian Lackner
3af51736f3
fusefrontend_reverse: Use openBackingDir in GetAttr
...
Also fixes 48bd59f38843e5ebd4e4c9f666f1aea1c9990803 - the directory FD should
also be closed in case of an error.
2017-12-07 23:36:11 +01:00
Sebastian Lackner
ad0f110191
fusefrontend_reverse: Use openBackingDir in Readlink
2017-12-07 23:36:11 +01:00
Jakob Unterwurzacher
48bd59f388
fusefrontend_reverse: fix fd leak in GetAttr
...
Fixes https://github.com/rfjakob/gocryptfs/issues/184
2017-12-07 09:01:12 +01:00
Jakob Unterwurzacher
87736eb833
fusefrontend_reverse: secure Access against symlink races (somewhat)
...
Unfortunately, faccessat in Linux ignores AT_SYMLINK_NOFOLLOW,
so this is not completely atomic.
Given that the information you get from access is not very
interesting, it seems good enough.
https://github.com/rfjakob/gocryptfs/issues/165
2017-12-07 00:11:35 +01:00
Jakob Unterwurzacher
2ceef01afe
syscallcompat: add Faccessat
...
Add faccessat(2) with a hack for symlink, because the
kernel does not actually looks at the passed flags.
From man 2 faccessat:
C library/kernel differences
The raw faccessat() system call takes only the first three argu‐
ments. The AT_EACCESS and AT_SYMLINK_NOFOLLOW flags are actually
implemented within the glibc wrapper function for faccessat().
2017-12-07 00:05:28 +01:00
Jakob Unterwurzacher
6bd2da89d3
tets_helpers: handle t=nil in InitFS
...
The reverse tests call InitFS with t=nil. By
calling panic we get a better error message instead
of a generic nil pointer dereference.
2017-12-06 23:03:37 +01:00
Jakob Unterwurzacher
e042eb38fa
fusefrontend_reverse: secure Readlink against symlink races
...
...by using Readlinkat.
Tracking ticket: https://github.com/rfjakob/gocryptfs/issues/165
2017-12-06 21:13:08 +01:00
Jakob Unterwurzacher
f97494e89b
syscallcompat: add Readlinkat
...
We need readlinkat to implement Readlink
symlink-race-free.
2017-12-06 21:07:24 +01:00
Jakob Unterwurzacher
6beb45e5b7
syscallcompat: add Darwin version of unix2syscall
...
The "Atim" field is called "Atimespec" on Darwin,
same for Mtim and Ctim.
2017-12-06 00:18:38 +01:00
Jakob Unterwurzacher
a3bdc2bf2b
fusefrontend_reverse: secure GetAttr against symlink races
...
...by using the OpenNofollow helper & Fstatat.
Also introduce a helper to convert from unix.Stat_t to
syscall.Stat_t.
Tracking ticket: https://github.com/rfjakob/gocryptfs/issues/165
2017-12-06 00:06:31 +01:00
Jakob Unterwurzacher
03bf604fc0
syscallcompat: OpenNofollow: use O_DIRECTORY flag
...
...when opening intermedia directories to give us an
extra layer of safety.
From the FreeBSD man page:
This flag can be used to prevent applications with elevated
privileges from opening files which are even unsafe to open with O_RDONLY,
such as device nodes.
2017-12-05 23:31:07 +01:00
Jakob Unterwurzacher
926cb93b50
fusefrontend_reverse: secure OpenDir against symlink races
...
...by using the new OpenNofollow helper.
The benchmark shows a small but acceptable performance loss:
$ ./benchmark-reverse.bash
LS: 2.182
CAT: 18.221
Tracking ticket: https://github.com/rfjakob/gocryptfs/issues/165
2017-12-05 23:14:12 +01:00
Jakob Unterwurzacher
e604ce6dea
syscallcompat: OpenNofollow: fix relPath="" case
...
Sometimes want to open baseDir itself. This case
was broken, fix it.
2017-12-05 23:08:55 +01:00
Jakob Unterwurzacher
47b13e0a8d
Documentation: Add reverse mode benchmark results
2017-12-05 22:54:08 +01:00
Jakob Unterwurzacher
70bcf58a9b
syscallcompat: convert Getdents to fd input, add emulation
...
Now that we have Fstatat we can use it in Getdents to
get rid of the path name.
Also, add an emulated version of getdents for MacOS. This allows
to drop the !HaveGetdents special cases from fusefrontend.
Modify the getdents test to test both native getdents and the emulated
version.
2017-12-03 19:33:26 +01:00
Jakob Unterwurzacher
e33593d30d
syscallcompat: add Fstatat + emulation + test
...
Fstatat has recently been added to x/sys/unix. Make
it available for use in gocryptfs.
2017-12-03 19:32:59 +01:00
Jakob Unterwurzacher
441e796e70
fusefrontend_reverse: secure StatFs agains symlink races
...
...by ignoring the path that was passed in.
https://github.com/rfjakob/gocryptfs/issues/165
2017-12-02 21:36:07 +01:00
Jakob Unterwurzacher
316b916358
fusefrontend_reverse: secure Open against symlink races
...
...using the new syscallcompat.OpenNofollow helper.
This change secures Open() against symlink race attacks
as described in https://github.com/rfjakob/gocryptfs/issues/165
2017-12-02 21:07:56 +01:00
Jakob Unterwurzacher
91e042e2ba
syscallcompat: add OpenNofollow helper
...
OpenNofollow = symlink-race-safe Open
Prepares fixing https://github.com/rfjakob/gocryptfs/issues/165
2017-12-02 20:35:44 +01:00
Jakob Unterwurzacher
1d28973611
syscallcompat: move test setup into its own file
...
The infrastructure will also be used by the upcoming
OpenNofollow tests.
2017-12-02 19:57:23 +01:00
Jakob Unterwurzacher
77191c3485
syscallcompat: use Unlinkat and Symlinkat from x/sys/unix
...
I'm unsure why I did not notice this earlier, but the
syscall wrappers provided by x/sys/unix seem to do just
fine.
Drop our own version.
2017-12-02 18:36:18 +01:00
Sebastian Lackner
616a468180
syscallcompat: Improve the Openat and Mknodat syscall emulation
...
This avoids the conversion to an absolute path.
2017-12-01 09:41:52 +01:00
Sebastian Lackner
f30522a0c1
syscallcompat: Fix syscall emulation for absolute paths
...
For absolute paths, the file descriptor should be ignored. In such a case
there is also no need to hold the lock or change the working directory.
2017-12-01 09:41:52 +01:00
Sebastian Lackner
9bcde0c09e
fusefrontend: Improve documentation of mkdirWithIv and WriteDirIV
...
As requested in https://github.com/rfjakob/gocryptfs/pull/179
2017-12-01 09:41:52 +01:00
Jakob Unterwurzacher
e97c23e083
syscallcompat: check that we get NOFOLLOW wherever possible
...
...and fix the instances where the AT_SYMLINK_NOFOLLOW /
O_NOFOLLOW / O_EXCL flag was missing.
2017-11-30 19:40:53 +01:00
Jakob Unterwurzacher
22282aefe6
syscallcompat: add tests for emulated syscalls
...
Also fix the bug in emulateFchmodat that was found by the tests.
2017-11-30 19:10:21 +01:00
Jakob Unterwurzacher
bd79a8cd0d
syscallcompat: build emulated syscalls under linux, too
...
This will allow to test them under linux as well.
2017-11-30 17:07:55 +01:00
Sebastian Lackner
614745ee57
fusefrontend: allow_other: close race between mkdir and chown
...
Fixes the same problem as described in 72b975867a3b9bdf53fc2da62e2ba4a328d7e4ab,
except for directories instead of device nodes.
2017-11-29 13:28:04 +01:00
Sebastian Lackner
67bcbe81e8
fusefrontend: Use Fchownat to implement Chown
2017-11-29 13:05:46 +01:00
Sebastian Lackner
0162392a28
fusefrontend: Use Fchmodat to implement Chmod
2017-11-29 12:55:41 +01:00
Sebastian Lackner
0f44c617d0
syscallcompat: Introduce unlinkat syscall with flags argument
2017-11-29 12:41:23 +01:00
Sebastian Lackner
5d44a31b41
fusefrontend: Use openBackingPath in Unlink and simplify code
2017-11-28 09:28:06 +01:00
Sebastian Lackner
2591900b69
fusefrontend: Handle PlaintextNames mode in Unlink
...
In PlaintextNames mode the "gocryptfs.longname." prefix does not have any
special meaning. We should not attempt to delete any .name files.
Partially fixes https://github.com/rfjakob/gocryptfs/issues/174
2017-11-28 09:28:06 +01:00
Sebastian Lackner
eba49402e4
fusefrontend: Introduce a openBackingPath helper and use it to simplify Mknod and Symlink
2017-11-28 09:28:06 +01:00
Sebastian Lackner
ad2720e0f9
fusefrontend: allow_other: close race between symlink and chown
...
Fixes the same problem as described in 72b975867a3b9bdf53fc2da62e2ba4a328d7e4ab,
except for symlinks instead of device nodes.
2017-11-28 09:28:06 +01:00
Sebastian Lackner
5a56810603
fusefrontend: Use the Symlinkat syscall for longname handling
2017-11-28 09:28:06 +01:00