Commit Graph

278 Commits

Author SHA1 Message Date
Jakob Unterwurzacher
ec74d1d2f4 Update go-fuse import path to github.com/hanwen/go-fuse/v2
We need
fd7328faf9
to fix a crash reported in https://github.com/rfjakob/gocryptfs/issues/430 :

  2019/10/30 17:14:16 Unknown opcode 2016
  panic: runtime error: invalid memory address or nil pointer dereference
  [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x508d38]

This patch is only in the v2.x.x branch. Upgrade to v2, as the
old API is also supported there.

Running

  git grep hanwen/go-fuse | grep -v hanwen/go-fuse/v2

to check for forgotten references comes back clean.
2020-05-17 14:23:47 +02:00
Jakob Unterwurzacher
16221facb9 ctlsock: create exported ctlsock client library
The former interal ctlsock server package is renamed
to ctlsocksrv.
2020-05-09 17:36:41 +02:00
Jakob Unterwurzacher
9f9d59ded9 inomap: rework logic to efficiently support flags
Adding flags allows to use inomap in reverse mode,
replacing the clunky inoBaseDirIV/inoBaseNameFile
logic that causes problems with high underlying
inode numbers ( https://github.com/rfjakob/gocryptfs/issues/457 )

Microbenchmarks (values below) show that the "SingleDev"
case is now much slower due to an extra map lookup,
but this has no visible effects in ./test.bash results,
so there was no time spent optimizing the case further.

$ go test -bench=.
goos: linux
goarch: amd64
pkg: github.com/rfjakob/gocryptfs/internal/inomap
BenchmarkTranslateSingleDev-4   	18757510	        61.5 ns/op
BenchmarkTranslateManyDevs-4    	18061515	        64.5 ns/op
PASS
ok  	github.com/rfjakob/gocryptfs/internal/inomap	2.467s
2020-04-19 22:00:56 +02:00
Jakob Unterwurzacher
488111ce39 inomap: split into separate package
inomap will also be used by fusefrontend_reverse
in the future. Split if off openfiletable to make
it independent.
2020-04-13 14:54:04 +02:00
Jakob Unterwurzacher
ca9e912a28 fusefrontend: drop xattr user namespace restriction
We used to restrict setting xattrs to the "user."
namespace. I don't see a real reason for this
anymore, and it causes trouble for users who are using
acls.

Tests will be added in the next commit.

https://github.com/rfjakob/gocryptfs/issues/453
2020-02-29 20:12:43 +01:00
Jakob Unterwurzacher
8ec804d825 fs: add uint64 cast to fix Darwin build
Error from Travis CI was:

 +GOOS=darwin
 +GOARCH=amd64
 +go build -tags without_openssl
 # github.com/rfjakob/gocryptfs/internal/fusefrontend
 internal/fusefrontend/fs.go:88:45: cannot use st.Dev (type int32) as type uint64 in argument to openfiletable.NewInumMap

Add uint64 to fix it.
2019-11-16 23:21:37 +01:00
Jakob Unterwurzacher
bb6155a51f fusefrontend: use inummap
translate inode numbers on different devices to fix
collisions.

Fixes https://github.com/rfjakob/gocryptfs/issues/435
2019-11-16 21:36:27 +01:00
Jakob Unterwurzacher
e4148028af fusefrontend: warn about missing diriv
The comment is outdated, at this point, we should
really not get any errors from ReadDirIVAt.

The change is best seen when running the fsck tests. Before:

  fsck: error opening dir "missing_diriv": 2=no such file or directory

After:

  OpenDir "K2m0E6qzIfoLkVZJanoUiQ": could not read gocryptfs.diriv: no such file or directory
  fsck: error opening dir "missing_diriv": 5=input/output error

See https://github.com/rfjakob/gocryptfs/issues/403 , where
the extra info would have been helpful.
2019-11-03 20:38:15 +01:00
Jakob Unterwurzacher
93939961f5 fusefrontend: don't return EIO on directory with corrupt file names
This was meant as a way to inform the user that
something is very wrong, however, users are hitting
the condition on MacOS due to ".DS_Store" files, and
also on NFS due to ".nfsXXX" files.

Drop the whole thing as it seems to cause more pain
than gain.

Fixes https://github.com/rfjakob/gocryptfs/issues/431
2019-11-03 20:12:05 +01:00
Jakob Unterwurzacher
00af4f4864 fusefrontend: unregister from openfiletable before closing the fd
Closing the fd means the inode number may be reused immediately
by a new file, so we have to get the old fileID out of the table
beforehand!

Hopefully fixes https://github.com/rfjakob/gocryptfs/issues/363
2019-10-06 21:47:36 +02:00
Jakob Unterwurzacher
43265940fa fusefrontend: print file hexdump on header error
This should help debugging https://github.com/rfjakob/gocryptfs/issues/363 ,
but does no harm in normal operation as it only prints ciphertext to the log.
2019-10-06 19:37:51 +02:00
Jakob Unterwurzacher
0a4db7d9e9 Fix -idle unmounting despite activity
Fixes https://github.com/rfjakob/gocryptfs/issues/421
2019-09-08 16:29:20 +02:00
Jakob Unterwurzacher
7d81494a64 fusefrontend: get rid of last hardcoded "gocryptfs.diriv" instances
Makes it easier to change the name (as some people want to):
https://github.com/rfjakob/gocryptfs/issues/37
2019-04-09 20:51:33 +02:00
Eduardo M KALINOWSKI
3bc100aeb3 reverse mode: support wildcard exclude (--exclude-wildcard)
This adds support for gitignore-like wildcards and exclude patters in
reverse mode. It (somewhat) fixes #273: no regexp support, but the
syntax should be powerful enough to satisfy most needs.

Also, since adding a lot of --exclude options can be tedious, it adds
the --exclude-from option to read patterns from a file (or files).
2019-03-26 20:56:37 +01:00
Jakob Unterwurzacher
19cb6d046a nametransform: reject names longer than 255 chars
Looks like we allowed creating longer names by accident.
Fix that, and add a test that verifies it.
2019-02-17 17:05:05 +01:00
Jakob Unterwurzacher
b08cbce5c1 fusefronted: comment why Access() does not check context.Uid
https://github.com/rfjakob/gocryptfs/issues/347
2019-01-20 14:37:36 +01:00
Jakob Unterwurzacher
962c523644 fusefrontend: ensure directories without W or X perms can be deleted
This fixed the "Permission denied" bug, but still has the problem that
the directory may be replaced behind our back. Mitigated by the fact
that we skip the workaround when running as root with -allow_other.

https://github.com/rfjakob/gocryptfs/issues/354
2019-01-20 14:29:28 +01:00
Jakob Unterwurzacher
3d6b2685fb Revert "syscallcompat: drop Faccessat AT_SYMLINK_NOFOLLOW helper"
Breaks mounting on MacOS: unix.Faccessat on Darwin does NOT (yet)
support AT_SYMLINK_NOFOLLOW. See d44fe89ba4 .

This reverts commit 0805a63df1.
2019-01-20 13:10:59 +01:00
Jakob Unterwurzacher
0805a63df1 syscallcompat: drop Faccessat AT_SYMLINK_NOFOLLOW helper
unix.Faccessat has added support for AT_SYMLINK_NOFOLLOW in July 2018,
bd9dbc187b (diff-341484dbbe3180cd7a31ef2ad2d679b6)
which means we no longer need our own helper.

Closes https://github.com/rfjakob/gocryptfs/issues/347
2019-01-20 12:59:59 +01:00
Sebastian Lackner
452b8b00f4 fusefrontend: Always use intFd() method instead of int(f.fd.Fd()). 2019-01-16 20:55:20 +01:00
Sebastian Lackner
682e642cfa fusefrontend: Rework the Utimens handling on macOS.
For Linux, everything effectively stays the same. For both path-based and
fd-based Utimens() calls, we use unix.UtimesNanoAt(). To avoid introducing
a separate syscall wrapper for futimens() (as done in go-fuse, for example),
we instead use the /proc/self/fd - trick.

On macOS, this changes quite a lot:

* Path-based Utimens() calls were previously completely broken, since
  unix.UtimensNanoAt() ignores the passed file descriptor. Note that this
  cannot be fixed easily since there IS no appropriate syscall available on
  macOS prior to High Sierra (10.13). We emulate this case by using
  Fchdir() + setattrlist().

* Fd-based Utimens() calls were previously translated to f.GetAttr() (to
  fill any empty parameters) and syscall.Futimes(), which does not does
  support nanosecond precision. Both issues can be fixed by switching to
  fsetattrlist().

Fixes https://github.com/rfjakob/gocryptfs/issues/350
2019-01-16 20:55:20 +01:00
Sebastian Lackner
8f33145651 fusefrontend: Print 'too many open files' warning for both short and long names.
While we're at it, also replace os.* constants with syscall.* constants.
2019-01-15 22:07:37 +01:00
Jakob Unterwurzacher
a7d59032d3 syscallcompat: rework Fchmodat to FchmodatNofollow
We never want Fchmodat to follow symlinks, so follow what
Qemu does, and call our function FchmodatNofollow.
2019-01-14 21:54:16 +01:00
Jakob Unterwurzacher
e885f08746 fusefrontend: drop last remaining call into loopbackFileSystem
The only call forwarded to loopbackFileSystem was Statfs,
which is trivial to implement.

Implement it and drop loopbackFileSystem, as having it carries the
risk that a coding error bypasses the usual encryption/decryption
chain.
2019-01-13 20:27:35 +01:00
Sebastian Lackner
d44fe89ba4 fusefrontend: Do not pass unsupported flags to Faccessat on macOS.
Fixes mounting of forward mounts on macOS High Sierra.
2019-01-13 14:10:34 +01:00
Sebastian Lackner
99e8b6d288 fusefrontend: Preserve SUID/SGID/sticky-bits in openWriteOnlyFile and Rmdir.
Fixes https://github.com/rfjakob/gocryptfs/issues/336 and
https://github.com/rfjakob/gocryptfs/issues/337.
2019-01-12 21:24:50 +01:00
Sebastian Lackner
efc280330c fusefrontend: -allow_other: Use SymlinkatUser in Symlink FUSE call.
Instead of manually adjusting the user after creating the symlink,
adjust effective permissions and let the kernel deal with it.

Related to https://github.com/rfjakob/gocryptfs/issues/338.
2019-01-12 21:22:58 +01:00
Sebastian Lackner
1fbe7798cf fusefrontend: -allow_other: Use MknodatUser in Mknod FUSE call.
Instead of manually adjusting the user and mode after creating the
device file, adjust effective permissions and let the kernel deal
with it.

Related to https://github.com/rfjakob/gocryptfs/issues/338.
2019-01-12 21:20:16 +01:00
Sebastian Lackner
a525e33eaa fusefrontend: -allow_other: Use MkdiratUser in Mkdir FUSE call.
Revert commit fcaca5fc94.

Instead of manually adjusting the user and mode after creating the
directory, adjust effective permissions and let the kernel deal with it.

Related to https://github.com/rfjakob/gocryptfs/issues/338.
2019-01-12 21:20:07 +01:00
Sebastian Lackner
03b9d65cce fusefrontend: -allow_other: Use OpenatUser in Create FUSE call.
Revert commit b22cc03c75.

Instead of manually adjusting the user and mode after creating the
file, adjust effective permissions and let the kernel deal with it.

Related to https://github.com/rfjakob/gocryptfs/issues/338.
2019-01-12 20:54:39 +01:00
Sebastian Lackner
669322482a fusefrontend: Don't chown gocryptfs.diriv files.
The current code has a risk of race-conditions, since we pass a path
containing "/" to Fchownat. We could fix this by opening a file descriptor,
however, this does not seem worth the effort. We also don't chown *.name files.
2019-01-12 20:35:50 +01:00
Sebastian Lackner
fcaca5fc94 fusefrontend: -allow_other: set file mode after chown in Mkdir().
Make sure that the directory belongs to the correct owner before users
can access it. For directories with SUID/SGID mode, there is a risk of
race-conditions when files are created before the correct owner is set.
They will then inherit the wrong user and/or group.

See https://github.com/rfjakob/gocryptfs/issues/327 for more details.
2019-01-09 20:48:00 +01:00
Jakob Unterwurzacher
b22cc03c75 fusefrontend: -allow_other: set file mode *after* chown in Create()
Reported by @slackner at https://github.com/rfjakob/gocryptfs/issues/327 :

Possible race-conditions between file creation and Fchownat

* Assume a system contains a gocryptfs mount as root user
  with -allow_other
* As a regular user create a new file with mode containing
  the SUID flag and write access for other users
* Before gocryptfs executes the Fchownat call, try to open
  the file again, write some exploit code to it, and try to run it.

For a short time, the file is owned by root and has the SUID flag, so
this is pretty dangerous.
2019-01-08 21:50:10 +01:00
Sebastian Lackner
57a52d6aef fusefrontend: Clarify access mode check related to O_WRONLY handling.
Use O_ACCMODE mask in openWriteOnlyFile for improved readability.
2019-01-07 21:25:23 +01:00
Sebastian Lackner
2332462e78 fusefrontend: Filter O_CREAT in mangleOpenFlags. 2019-01-07 21:19:13 +01:00
Sebastian Lackner
aa2fa24c42 fusefrontend: Check result of Fchmod syscall.
Fixes https://github.com/rfjakob/gocryptfs/issues/328
2019-01-06 21:00:17 +01:00
Sebastian Lackner
40d2427fd7 fusefrontend: Fix computation of cipherSz in Allocate FUSE call.
Do not use PlainSizeToCipherSize() since this adds the 18 bytes file header.

Partially fixes https://github.com/rfjakob/gocryptfs/issues/311
2019-01-06 20:56:59 +01:00
Sebastian Lackner
8310dd95be fusefrontend: Properly convert plaintext <-> ciphertext offsets in SeekData().
Fixes https://github.com/rfjakob/gocryptfs/issues/304
2019-01-06 12:21:54 +01:00
Sebastian Lackner
7e05e809b7 main: Run 'ensure fds' code early during the program startup.
The files are apparently processed in alphabetic order, so cli_args.go is
processed before main.go. In order to run before the go-fuse imports, put
the 'ensure fds' code in a separate package. Debug messages are omitted
to avoid additional imports (that might contain other code messing up our
file descriptors).
2019-01-05 16:12:16 +01:00
Sebastian Lackner
5055f39bd5 fusefrontend: Allow to set/remove xattr on directory without read permission.
Setting/removing extended attributes on directories was partially fixed with
commit eff35e60b6. However, on most file systems
it is also possible to do these operations without read access (see tests).

Since we cannot open a write-access fd to a directory, we have to use the
/proc/self/fd trick (already used for ListXAttr) for the other operations aswell.
For simplicity, let's separate the Linux and Darwin code again (basically revert
commit f320b76fd1), and always use the
/proc/self/fd trick on Linux. On Darwin we use the best-effort approach with
openBackingFile() as a fallback.

More discussion about the available options is available in
https://github.com/rfjakob/gocryptfs/issues/308.
2019-01-05 12:34:40 +01:00
Sebastian Lackner
f17721c364 A few more spelling fixes. 2019-01-05 12:27:55 +01:00
Jakob Unterwurzacher
65eded4a22 tests: bump maxCacheFds to 3
As the dirCache now has 3 entries, the tests should accept
up to 3 extra fds without declaring an fd leak.
2019-01-04 23:50:01 +01:00
Jakob Unterwurzacher
c32066c5b0 fusefrontend: fix fd leak in dirCache
The missing break meant that we may find a second
hit in the cache, Dup() a second fd, and leak the first
one.

Thanks @slackner for finding this.
2019-01-04 23:35:48 +01:00
Jakob Unterwurzacher
3473a84963 fusefrontend: print warning when Create() runs out of file descriptors
We alread have this warning in Open(), but xfstests generic/488
causes "too many open files" via Create. Add the same message so
the user sees what is going on.
2019-01-04 23:15:04 +01:00
Jakob Unterwurzacher
eff35e60b6 fusefrontend: fix setting xattrs on directories
Directories cannot be opened read-write. Retry with RDONLY.
2019-01-04 22:22:24 +01:00
Jakob Unterwurzacher
3365cfc02b fusefrontend: disable dirCache stats printing
This was inadvertedly kept enabled after benchmarking.
2019-01-04 22:07:02 +01:00
Jakob Unterwurzacher
c0a7a14cde fusefrontend: upgrade to three-entry dirCache
3 entries should work well for up to three parallel users.
It works well for extractloop.bash (two parallel tar extracts).
2019-01-04 21:45:03 +01:00
Sebastian Lackner
acf7e52022 fusefrontend: Allow to create sparse file of size 4096.
When the old size is zero, there are no existing blocks to merge the
new data with. Directly use Ftruncate if the size is block-aligned.

Fixes https://github.com/rfjakob/gocryptfs/issues/305
2019-01-04 01:38:47 +01:00
Sebastian Lackner
ab169443fd A few more spelling fixes.
Found with the 'codespell' utility.
2019-01-04 01:23:44 +01:00
Sebastian Lackner
a1ba4b6576 Omit syscall.O_RDONLY flag when passing O_PATH.
When O_PATH is specified in flags, flag bits other than O_CLOEXEC, O_DIRECTORY,
and O_NOFOLLOW are ignored.
2019-01-03 18:24:05 +01:00