v2api: delete (most) fusefrontend v1 files

All the functionality in these files has been reimplemented
for the v2 api. Drop the old files.

11 files changed, 22 insertions, 2219 deletions

diff --git a/internal/fusefrontend/file.go b/internal/fusefrontend/file.go
deleted file mode 100644
index 2e03aa7..0000000
--- a/internal/fusefrontend/file.go
+++ /dev/null
@@ -1,482 +0,0 @@
-package fusefrontend
-
-// FUSE operations on file handles
-
-import (
-	"bytes"
-	"encoding/hex"
-	"fmt"
-	"io"
-	"log"
-	"os"
-	"sync"
-	"syscall"
-	"time"
-
-	"github.com/hanwen/go-fuse/v2/fuse"
-	"github.com/hanwen/go-fuse/v2/fuse/nodefs"
-
-	"github.com/rfjakob/gocryptfs/internal/contentenc"
-	"github.com/rfjakob/gocryptfs/internal/inomap"
-	"github.com/rfjakob/gocryptfs/internal/openfiletable"
-	"github.com/rfjakob/gocryptfs/internal/serialize_reads"
-	"github.com/rfjakob/gocryptfs/internal/stupidgcm"
-	"github.com/rfjakob/gocryptfs/internal/syscallcompat"
-	"github.com/rfjakob/gocryptfs/internal/tlog"
-)
-
-var _ nodefs.File = &File{} // Verify that interface is implemented.
-
-// File - based on loopbackFile in go-fuse/fuse/nodefs/files.go
-type File struct {
-	fd *os.File
-	// Has Release() already been called on this file? This also means that the
-	// wlock entry has been freed, so let's not crash trying to access it.
-	// Due to concurrency, Release can overtake other operations. These will
-	// return EBADF in that case.
-	released bool
-	// fdLock prevents the fd to be closed while we are in the middle of
-	// an operation.
-	// Every FUSE entrypoint should RLock(). The only user of Lock() is
-	// Release(), which closes the fd and sets "released" to true.
-	fdLock sync.RWMutex
-	// Content encryption helper
-	contentEnc *contentenc.ContentEnc
-	// Device and inode number uniquely identify the backing file
-	qIno inomap.QIno
-	// Entry in the open file table
-	fileTableEntry *openfiletable.Entry
-	// Store where the last byte was written
-	lastWrittenOffset int64
-	// The opCount is used to judge whether "lastWrittenOffset" is still
-	// guaranteed to be correct.
-	lastOpCount uint64
-	// Parent filesystem
-	fs *FS
-	// We embed a nodefs.NewDefaultFile() that returns ENOSYS for every operation we
-	// have not implemented. This prevents build breakage when the go-fuse library
-	// adds new methods to the nodefs.File interface.
-	nodefs.File
-}
-
-// NewFile returns a new go-fuse File instance.
-func NewFile(fd *os.File, fs *FS) (*File, fuse.Status) {
-	var st syscall.Stat_t
-	err := syscall.Fstat(int(fd.Fd()), &st)
-	if err != nil {
-		tlog.Warn.Printf("NewFile: Fstat on fd %d failed: %v\n", fd.Fd(), err)
-		return nil, fuse.ToStatus(err)
-	}
-	qi := inomap.QInoFromStat(&st)
-	e := openfiletable.Register(qi)
-
-	return &File{
-		fd:             fd,
-		contentEnc:     fs.contentEnc,
-		qIno:           qi,
-		fileTableEntry: e,
-		fs:             fs,
-		File:           nodefs.NewDefaultFile(),
-	}, fuse.OK
-}
-
-// intFd - return the backing file descriptor as an integer.
-func (f *File) intFd() int {
-	return int(f.fd.Fd())
-}
-
-// readFileID loads the file header from disk and extracts the file ID.
-// Returns io.EOF if the file is empty.
-func (f *File) readFileID() ([]byte, error) {
-	// We read +1 byte to determine if the file has actual content
-	// and not only the header. A header-only file will be considered empty.
-	// This makes File ID poisoning more difficult.
-	readLen := contentenc.HeaderLen + 1
-	buf := make([]byte, readLen)
-	n, err := f.fd.ReadAt(buf, 0)
-	if err != nil {
-		if err == io.EOF && n != 0 {
-			tlog.Warn.Printf("readFileID %d: incomplete file, got %d instead of %d bytes",
-				f.qIno.Ino, n, readLen)
-			f.fs.reportMitigatedCorruption(fmt.Sprint(f.qIno.Ino))
-		}
-		return nil, err
-	}
-	buf = buf[:contentenc.HeaderLen]
-	h, err := contentenc.ParseHeader(buf)
-	if err != nil {
-		return nil, err
-	}
-	return h.ID, nil
-}
-
-// createHeader creates a new random header and writes it to disk.
-// Returns the new file ID.
-// The caller must hold fileIDLock.Lock().
-func (f *File) createHeader() (fileID []byte, err error) {
-	h := contentenc.RandomHeader()
-	buf := h.Pack()
-	// Prevent partially written (=corrupt) header by preallocating the space beforehand
-	if !f.fs.args.NoPrealloc {
-		err = syscallcompat.EnospcPrealloc(f.intFd(), 0, contentenc.HeaderLen)
-		if err != nil {
-			if !syscallcompat.IsENOSPC(err) {
-				tlog.Warn.Printf("ino%d: createHeader: prealloc failed: %s\n", f.qIno.Ino, err.Error())
-			}
-			return nil, err
-		}
-	}
-	// Actually write header
-	_, err = f.fd.WriteAt(buf, 0)
-	if err != nil {
-		return nil, err
-	}
-	return h.ID, err
-}
-
-// doRead - read "length" plaintext bytes from plaintext offset "off" and append
-// to "dst".
-// Arguments "length" and "off" do not have to be block-aligned.
-//
-// doRead reads the corresponding ciphertext blocks from disk, decrypts them and
-// returns the requested part of the plaintext.
-//
-// Called by Read() for normal reading,
-// by Write() and Truncate() via doWrite() for Read-Modify-Write.
-func (f *File) doRead(dst []byte, off uint64, length uint64) ([]byte, fuse.Status) {
-	// Get the file ID, either from the open file table, or from disk.
-	var fileID []byte
-	f.fileTableEntry.IDLock.Lock()
-	if f.fileTableEntry.ID != nil {
-		// Use the cached value in the file table
-		fileID = f.fileTableEntry.ID
-	} else {
-		// Not cached, we have to read it from disk.
-		var err error
-		fileID, err = f.readFileID()
-		if err != nil {
-			f.fileTableEntry.IDLock.Unlock()
-			if err == io.EOF {
-				// Empty file
-				return nil, fuse.OK
-			}
-			buf := make([]byte, 100)
-			n, _ := f.fd.ReadAt(buf, 0)
-			buf = buf[:n]
-			hexdump := hex.EncodeToString(buf)
-			tlog.Warn.Printf("doRead %d: corrupt header: %v\nFile hexdump (%d bytes): %s",
-				f.qIno.Ino, err, n, hexdump)
-			return nil, fuse.EIO
-		}
-		// Save into the file table
-		f.fileTableEntry.ID = fileID
-	}
-	f.fileTableEntry.IDLock.Unlock()
-	if fileID == nil {
-		log.Panicf("fileID=%v", fileID)
-	}
-	// Read the backing ciphertext in one go
-	blocks := f.contentEnc.ExplodePlainRange(off, length)
-	alignedOffset, alignedLength := blocks[0].JointCiphertextRange(blocks)
-	skip := blocks[0].Skip
-	tlog.Debug.Printf("doRead: off=%d len=%d -> off=%d len=%d skip=%d\n",
-		off, length, alignedOffset, alignedLength, skip)
-
-	ciphertext := f.fs.contentEnc.CReqPool.Get()
-	ciphertext = ciphertext[:int(alignedLength)]
-	n, err := f.fd.ReadAt(ciphertext, int64(alignedOffset))
-	if err != nil && err != io.EOF {
-		tlog.Warn.Printf("read: ReadAt: %s", err.Error())
-		return nil, fuse.ToStatus(err)
-	}
-	// The ReadAt came back empty. We can skip all the decryption and return early.
-	if n == 0 {
-		f.fs.contentEnc.CReqPool.Put(ciphertext)
-		return dst, fuse.OK
-	}
-	// Truncate ciphertext buffer down to actually read bytes
-	ciphertext = ciphertext[0:n]
-
-	firstBlockNo := blocks[0].BlockNo
-	tlog.Debug.Printf("ReadAt offset=%d bytes (%d blocks), want=%d, got=%d", alignedOffset, firstBlockNo, alignedLength, n)
-
-	// Decrypt it
-	plaintext, err := f.contentEnc.DecryptBlocks(ciphertext, firstBlockNo, fileID)
-	f.fs.contentEnc.CReqPool.Put(ciphertext)
-	if err != nil {
-		if f.fs.args.ForceDecode && err == stupidgcm.ErrAuth {
-			// We do not have the information which block was corrupt here anymore,
-			// but DecryptBlocks() has already logged it anyway.
-			tlog.Warn.Printf("doRead %d: off=%d len=%d: returning corrupt data due to forcedecode",
-				f.qIno.Ino, off, length)
-		} else {
-			curruptBlockNo := firstBlockNo + f.contentEnc.PlainOffToBlockNo(uint64(len(plaintext)))
-			tlog.Warn.Printf("doRead %d: corrupt block #%d: %v", f.qIno.Ino, curruptBlockNo, err)
-			return nil, fuse.EIO
-		}
-	}
-
-	// Crop down to the relevant part
-	var out []byte
-	lenHave := len(plaintext)
-	lenWant := int(skip + length)
-	if lenHave > lenWant {
-		out = plaintext[skip:lenWant]
-	} else if lenHave > int(skip) {
-		out = plaintext[skip:lenHave]
-	}
-	// else: out stays empty, file was smaller than the requested offset
-
-	out = append(dst, out...)
-	f.fs.contentEnc.PReqPool.Put(plaintext)
-
-	return out, fuse.OK
-}
-
-// Read - FUSE call
-func (f *File) Read(buf []byte, off int64) (resultData fuse.ReadResult, code fuse.Status) {
-	if len(buf) > fuse.MAX_KERNEL_WRITE {
-		// This would crash us due to our fixed-size buffer pool
-		tlog.Warn.Printf("Read: rejecting oversized request with EMSGSIZE, len=%d", len(buf))
-		return nil, fuse.Status(syscall.EMSGSIZE)
-	}
-	f.fdLock.RLock()
-	defer f.fdLock.RUnlock()
-
-	f.fileTableEntry.ContentLock.RLock()
-	defer f.fileTableEntry.ContentLock.RUnlock()
-
-	tlog.Debug.Printf("ino%d: FUSE Read: offset=%d length=%d", f.qIno.Ino, off, len(buf))
-	if f.fs.args.SerializeReads {
-		serialize_reads.Wait(off, len(buf))
-	}
-	out, status := f.doRead(buf[:0], uint64(off), uint64(len(buf)))
-	if f.fs.args.SerializeReads {
-		serialize_reads.Done()
-	}
-	if status != fuse.OK {
-		return nil, status
-	}
-	tlog.Debug.Printf("ino%d: Read: status %v, returning %d bytes", f.qIno.Ino, status, len(out))
-	return fuse.ReadResultData(out), status
-}
-
-// doWrite - encrypt "data" and write it to plaintext offset "off"
-//
-// Arguments do not have to be block-aligned, read-modify-write is
-// performed internally as necessary
-//
-// Called by Write() for normal writing,
-// and by Truncate() to rewrite the last file block.
-//
-// Empty writes do nothing and are allowed.
-func (f *File) doWrite(data []byte, off int64) (uint32, fuse.Status) {
-	fileWasEmpty := false
-	// Get the file ID, create a new one if it does not exist yet.
-	var fileID []byte
-	// The caller has exclusively locked ContentLock, which blocks all other
-	// readers and writers. No need to take IDLock.
-	if f.fileTableEntry.ID != nil {
-		fileID = f.fileTableEntry.ID
-	} else {
-		// If the file ID is not cached, read it from disk
-		var err error
-		fileID, err = f.readFileID()
-		// Write a new file header if the file is empty
-		if err == io.EOF {
-			fileID, err = f.createHeader()
-			fileWasEmpty = true
-		}
-		if err != nil {
-			return 0, fuse.ToStatus(err)
-		}
-		f.fileTableEntry.ID = fileID
-	}
-	// Handle payload data
-	dataBuf := bytes.NewBuffer(data)
-	blocks := f.contentEnc.ExplodePlainRange(uint64(off), uint64(len(data)))
-	toEncrypt := make([][]byte, len(blocks))
-	for i, b := range blocks {
-		blockData := dataBuf.Next(int(b.Length))
-		// Incomplete block -> Read-Modify-Write
-		if b.IsPartial() {
-			// Read
-			oldData, status := f.doRead(nil, b.BlockPlainOff(), f.contentEnc.PlainBS())
-			if status != fuse.OK {
-				tlog.Warn.Printf("ino%d fh%d: RMW read failed: %s", f.qIno.Ino, f.intFd(), status.String())
-				return 0, status
-			}
-			// Modify
-			blockData = f.contentEnc.MergeBlocks(oldData, blockData, int(b.Skip))
-			tlog.Debug.Printf("len(oldData)=%d len(blockData)=%d", len(oldData), len(blockData))
-		}
-		tlog.Debug.Printf("ino%d: Writing %d bytes to block #%d",
-			f.qIno.Ino, len(blockData), b.BlockNo)
-		// Write into the to-encrypt list
-		toEncrypt[i] = blockData
-	}
-	// Encrypt all blocks
-	ciphertext := f.contentEnc.EncryptBlocks(toEncrypt, blocks[0].BlockNo, f.fileTableEntry.ID)
-	// Preallocate so we cannot run out of space in the middle of the write.
-	// This prevents partially written (=corrupt) blocks.
-	var err error
-	cOff := int64(blocks[0].BlockCipherOff())
-	if !f.fs.args.NoPrealloc {
-		err = syscallcompat.EnospcPrealloc(f.intFd(), cOff, int64(len(ciphertext)))
-		if err != nil {
-			if !syscallcompat.IsENOSPC(err) {
-				tlog.Warn.Printf("ino%d fh%d: doWrite: prealloc failed: %v", f.qIno.Ino, f.intFd(), err)
-			}
-			if fileWasEmpty {
-				// Kill the file header again
-				f.fileTableEntry.ID = nil
-				err2 := syscall.Ftruncate(f.intFd(), 0)
-				if err2 != nil {
-					tlog.Warn.Printf("ino%d fh%d: doWrite: rollback failed: %v", f.qIno.Ino, f.intFd(), err2)
-				}
-			}
-			return 0, fuse.ToStatus(err)
-		}
-	}
-	// Write
-	_, err = f.fd.WriteAt(ciphertext, cOff)
-	// Return memory to CReqPool
-	f.fs.contentEnc.CReqPool.Put(ciphertext)
-	if err != nil {
-		tlog.Warn.Printf("ino%d fh%d: doWrite: WriteAt off=%d len=%d failed: %v",
-			f.qIno.Ino, f.intFd(), cOff, len(ciphertext), err)
-		return 0, fuse.ToStatus(err)
-	}
-	return uint32(len(data)), fuse.OK
-}
-
-// isConsecutiveWrite returns true if the current write
-// directly (in time and space) follows the last write.
-// This is an optimisation for streaming writes on NFS where a
-// Stat() call is very expensive.
-// The caller must "wlock.lock(f.devIno.ino)" otherwise this check would be racy.
-func (f *File) isConsecutiveWrite(off int64) bool {
-	opCount := openfiletable.WriteOpCount()
-	return opCount == f.lastOpCount+1 && off == f.lastWrittenOffset+1
-}
-
-// Write - FUSE call
-//
-// If the write creates a hole, pads the file to the next block boundary.
-func (f *File) Write(data []byte, off int64) (uint32, fuse.Status) {
-	if len(data) > fuse.MAX_KERNEL_WRITE {
-		// This would crash us due to our fixed-size buffer pool
-		tlog.Warn.Printf("Write: rejecting oversized request with EMSGSIZE, len=%d", len(data))
-		return 0, fuse.Status(syscall.EMSGSIZE)
-	}
-	f.fdLock.RLock()
-	defer f.fdLock.RUnlock()
-	if f.released {
-		// The file descriptor has been closed concurrently
-		tlog.Warn.Printf("ino%d fh%d: Write on released file", f.qIno.Ino, f.intFd())
-		return 0, fuse.EBADF
-	}
-	f.fileTableEntry.ContentLock.Lock()
-	defer f.fileTableEntry.ContentLock.Unlock()
-	tlog.Debug.Printf("ino%d: FUSE Write: offset=%d length=%d", f.qIno.Ino, off, len(data))
-	// If the write creates a file hole, we have to zero-pad the last block.
-	// But if the write directly follows an earlier write, it cannot create a
-	// hole, and we can save one Stat() call.
-	if !f.isConsecutiveWrite(off) {
-		status := f.writePadHole(off)
-		if !status.Ok() {
-			return 0, status
-		}
-	}
-	n, status := f.doWrite(data, off)
-	if status.Ok() {
-		f.lastOpCount = openfiletable.WriteOpCount()
-		f.lastWrittenOffset = off + int64(len(data)) - 1
-	}
-	return n, status
-}
-
-// Release - FUSE call, close file
-func (f *File) Release() {
-	f.fdLock.Lock()
-	if f.released {
-		log.Panicf("ino%d fh%d: double release", f.qIno.Ino, f.intFd())
-	}
-	f.released = true
-	openfiletable.Unregister(f.qIno)
-	f.fd.Close()
-	f.fdLock.Unlock()
-}
-
-// Flush - FUSE call
-func (f *File) Flush() fuse.Status {
-	f.fdLock.RLock()
-	defer f.fdLock.RUnlock()
-
-	// Since Flush() may be called for each dup'd fd, we don't
-	// want to really close the file, we just want to flush. This
-	// is achieved by closing a dup'd fd.
-	newFd, err := syscall.Dup(f.intFd())
-
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	err = syscall.Close(newFd)
-	return fuse.ToStatus(err)
-}
-
-// Fsync FUSE call
-func (f *File) Fsync(flags int) (code fuse.Status) {
-	f.fdLock.RLock()
-	defer f.fdLock.RUnlock()
-
-	return fuse.ToStatus(syscall.Fsync(f.intFd()))
-}
-
-// Chmod FUSE call
-func (f *File) Chmod(mode uint32) fuse.Status {
-	f.fdLock.RLock()
-	defer f.fdLock.RUnlock()
-
-	// os.File.Chmod goes through the "syscallMode" translation function that messes
-	// up the suid and sgid bits. So use syscall.Fchmod directly.
-	err := syscall.Fchmod(f.intFd(), mode)
-	return fuse.ToStatus(err)
-}
-
-// Chown FUSE call
-func (f *File) Chown(uid uint32, gid uint32) fuse.Status {
-	f.fdLock.RLock()
-	defer f.fdLock.RUnlock()
-
-	return fuse.ToStatus(f.fd.Chown(int(uid), int(gid)))
-}
-
-// GetAttr FUSE call (like stat)
-func (f *File) GetAttr(a *fuse.Attr) fuse.Status {
-	f.fdLock.RLock()
-	defer f.fdLock.RUnlock()
-
-	tlog.Debug.Printf("file.GetAttr()")
-	st := syscall.Stat_t{}
-	err := syscall.Fstat(f.intFd(), &st)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	f.fs.inoMap.TranslateStat(&st)
-	a.FromStat(&st)
-	a.Size = f.contentEnc.CipherSizeToPlainSize(a.Size)
-	if f.fs.args.ForceOwner != nil {
-		a.Owner = *f.fs.args.ForceOwner
-	}
-
-	return fuse.OK
-}
-
-// Utimens FUSE call
-func (f *File) Utimens(a *time.Time, m *time.Time) fuse.Status {
-	f.fdLock.RLock()
-	defer f.fdLock.RUnlock()
-	err := syscallcompat.FutimesNano(f.intFd(), a, m)
-	return fuse.ToStatus(err)
-}
diff --git a/internal/fusefrontend/file2_allocate_truncate.go b/internal/fusefrontend/file2_allocate_truncate.go
index b504c50..cdda974 100644
--- a/internal/fusefrontend/file2_allocate_truncate.go
+++ b/internal/fusefrontend/file2_allocate_truncate.go
@@ -6,6 +6,7 @@ package fusefrontend
 import (
 	"context"
 	"log"
+	"sync"
 	"syscall"
 
 	"github.com/hanwen/go-fuse/v2/fs"
@@ -14,6 +15,15 @@ import (
 	"github.com/rfjakob/gocryptfs/internal/tlog"
 )
 
+// FALLOC_DEFAULT is a "normal" fallocate operation
+const FALLOC_DEFAULT = 0x00
+
+// FALLOC_FL_KEEP_SIZE allocates disk space while not modifying the file size
+const FALLOC_FL_KEEP_SIZE = 0x01
+
+// Only warn once
+var allocateWarnOnce sync.Once
+
 // Allocate - FUSE call for fallocate(2)
 //
 // mode=FALLOC_FL_KEEP_SIZE is implemented directly.
diff --git a/internal/fusefrontend/file_allocate_truncate.go b/internal/fusefrontend/file_allocate_truncate.go
deleted file mode 100644
index b6e9150..0000000
--- a/internal/fusefrontend/file_allocate_truncate.go
+++ /dev/null
@@ -1,227 +0,0 @@
-package fusefrontend
-
-// FUSE operations Truncate and Allocate on file handles
-// i.e. ftruncate and fallocate
-
-import (
-	"log"
-	"sync"
-	"syscall"
-
-	"github.com/hanwen/go-fuse/v2/fuse"
-
-	"github.com/rfjakob/gocryptfs/internal/syscallcompat"
-	"github.com/rfjakob/gocryptfs/internal/tlog"
-)
-
-// FALLOC_DEFAULT is a "normal" fallocate operation
-const FALLOC_DEFAULT = 0x00
-
-// FALLOC_FL_KEEP_SIZE allocates disk space while not modifying the file size
-const FALLOC_FL_KEEP_SIZE = 0x01
-
-// Only warn once
-var allocateWarnOnce sync.Once
-
-// Allocate - FUSE call for fallocate(2)
-//
-// mode=FALLOC_FL_KEEP_SIZE is implemented directly.
-//
-// mode=FALLOC_DEFAULT is implemented as a two-step process:
-//
-//   (1) Allocate the space using FALLOC_FL_KEEP_SIZE
-//   (2) Set the file size using ftruncate (via truncateGrowFile)
-//
-// This allows us to reuse the file grow mechanics from Truncate as they are
-// complicated and hard to get right.
-//
-// Other modes (hole punching, zeroing) are not supported.
-func (f *File) Allocate(off uint64, sz uint64, mode uint32) fuse.Status {
-	if mode != FALLOC_DEFAULT && mode != FALLOC_FL_KEEP_SIZE {
-		f := func() {
-			tlog.Info.Printf("fallocate: only mode 0 (default) and 1 (keep size) are supported")
-		}
-		allocateWarnOnce.Do(f)
-		return fuse.Status(syscall.EOPNOTSUPP)
-	}
-
-	f.fdLock.RLock()
-	defer f.fdLock.RUnlock()
-	if f.released {
-		return fuse.EBADF
-	}
-	f.fileTableEntry.ContentLock.Lock()
-	defer f.fileTableEntry.ContentLock.Unlock()
-
-	blocks := f.contentEnc.ExplodePlainRange(off, sz)
-	firstBlock := blocks[0]
-	lastBlock := blocks[len(blocks)-1]
-
-	// Step (1): Allocate the space the user wants using FALLOC_FL_KEEP_SIZE.
-	// This will fill file holes and/or allocate additional space past the end of
-	// the file.
-	cipherOff := firstBlock.BlockCipherOff()
-	cipherSz := lastBlock.BlockCipherOff() - cipherOff +
-		f.contentEnc.BlockOverhead() + lastBlock.Skip + lastBlock.Length
-	err := syscallcompat.Fallocate(f.intFd(), FALLOC_FL_KEEP_SIZE, int64(cipherOff), int64(cipherSz))
-	tlog.Debug.Printf("Allocate off=%d sz=%d mode=%x cipherOff=%d cipherSz=%d\n",
-		off, sz, mode, cipherOff, cipherSz)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	if mode == FALLOC_FL_KEEP_SIZE {
-		// The user did not want to change the apparent size. We are done.
-		return fuse.OK
-	}
-	// Step (2): Grow the apparent file size
-	// We need the old file size to determine if we are growing the file at all.
-	newPlainSz := off + sz
-	oldPlainSz, err := f.statPlainSize()
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	if newPlainSz <= oldPlainSz {
-		// The new size is smaller (or equal). Fallocate with mode = 0 never
-		// truncates a file, so we are done.
-		return fuse.OK
-	}
-	// The file grows. The space has already been allocated in (1), so what is
-	// left to do is to pad the first and last block and call truncate.
-	// truncateGrowFile does just that.
-	return f.truncateGrowFile(oldPlainSz, newPlainSz)
-}
-
-// Truncate - FUSE call
-func (f *File) Truncate(newSize uint64) fuse.Status {
-	f.fdLock.RLock()
-	defer f.fdLock.RUnlock()
-	if f.released {
-		// The file descriptor has been closed concurrently.
-		tlog.Warn.Printf("ino%d fh%d: Truncate on released file", f.qIno.Ino, f.intFd())
-		return fuse.EBADF
-	}
-	f.fileTableEntry.ContentLock.Lock()
-	defer f.fileTableEntry.ContentLock.Unlock()
-	var err error
-	// Common case first: Truncate to zero
-	if newSize == 0 {
-		err = syscall.Ftruncate(int(f.fd.Fd()), 0)
-		if err != nil {
-			tlog.Warn.Printf("ino%d fh%d: Ftruncate(fd, 0) returned error: %v", f.qIno.Ino, f.intFd(), err)
-			return fuse.ToStatus(err)
-		}
-		// Truncate to zero kills the file header
-		f.fileTableEntry.ID = nil
-		return fuse.OK
-	}
-	// We need the old file size to determine if we are growing or shrinking
-	// the file
-	oldSize, err := f.statPlainSize()
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-
-	oldB := float32(oldSize) / float32(f.contentEnc.PlainBS())
-	newB := float32(newSize) / float32(f.contentEnc.PlainBS())
-	tlog.Debug.Printf("ino%d: FUSE Truncate from %.2f to %.2f blocks (%d to %d bytes)", f.qIno.Ino, oldB, newB, oldSize, newSize)
-
-	// File size stays the same - nothing to do
-	if newSize == oldSize {
-		return fuse.OK
-	}
-	// File grows
-	if newSize > oldSize {
-		return f.truncateGrowFile(oldSize, newSize)
-	}
-
-	// File shrinks
-	blockNo := f.contentEnc.PlainOffToBlockNo(newSize)
-	cipherOff := f.contentEnc.BlockNoToCipherOff(blockNo)
-	plainOff := f.contentEnc.BlockNoToPlainOff(blockNo)
-	lastBlockLen := newSize - plainOff
-	var data []byte
-	if lastBlockLen > 0 {
-		var status fuse.Status
-		data, status = f.doRead(nil, plainOff, lastBlockLen)
-		if status != fuse.OK {
-			tlog.Warn.Printf("Truncate: shrink doRead returned error: %v", err)
-			return status
-		}
-	}
-	// Truncate down to the last complete block
-	err = syscall.Ftruncate(int(f.fd.Fd()), int64(cipherOff))
-	if err != nil {
-		tlog.Warn.Printf("Truncate: shrink Ftruncate returned error: %v", err)
-		return fuse.ToStatus(err)
-	}
-	// Append partial block
-	if lastBlockLen > 0 {
-		_, status := f.doWrite(data, int64(plainOff))
-		return status
-	}
-	return fuse.OK
-}
-
-// statPlainSize stats the file and returns the plaintext size
-func (f *File) statPlainSize() (uint64, error) {
-	fi, err := f.fd.Stat()
-	if err != nil {
-		tlog.Warn.Printf("ino%d fh%d: statPlainSize: %v", f.qIno.Ino, f.intFd(), err)
-		return 0, err
-	}
-	cipherSz := uint64(fi.Size())
-	plainSz := uint64(f.contentEnc.CipherSizeToPlainSize(cipherSz))
-	return plainSz, nil
-}
-
-// truncateGrowFile extends a file using seeking or ftruncate performing RMW on
-// the first and last block as necessary. New blocks in the middle become
-// file holes unless they have been fallocate()'d beforehand.
-func (f *File) truncateGrowFile(oldPlainSz uint64, newPlainSz uint64) fuse.Status {
-	if newPlainSz <= oldPlainSz {
-		log.Panicf("BUG: newSize=%d <= oldSize=%d", newPlainSz, oldPlainSz)
-	}
-	newEOFOffset := newPlainSz - 1
-	if oldPlainSz > 0 {
-		n1 := f.contentEnc.PlainOffToBlockNo(oldPlainSz - 1)
-		n2 := f.contentEnc.PlainOffToBlockNo(newEOFOffset)
-		// The file is grown within one block, no need to pad anything.
-		// Write a single zero to the last byte and let doWrite figure out the RMW.
-		if n1 == n2 {
-			buf := make([]byte, 1)
-			_, status := f.doWrite(buf, int64(newEOFOffset))
-			return status
-		}
-	}
-	// The truncate creates at least one new block.
-	//
-	// Make sure the old last block is padded to the block boundary. This call
-	// is a no-op if it is already block-aligned.
-	status := f.zeroPad(oldPlainSz)
-	if !status.Ok() {
-		return status
-	}
-	// The new size is block-aligned. In this case we can do everything ourselves
-	// and avoid the call to doWrite.
-	if newPlainSz%f.contentEnc.PlainBS() == 0 {
-		// The file was empty, so it did not have a header. Create one.
-		if oldPlainSz == 0 {
-			id, err := f.createHeader()
-			if err != nil {
-				return fuse.ToStatus(err)
-			}
-			f.fileTableEntry.ID = id
-		}
-		cSz := int64(f.contentEnc.PlainSizeToCipherSize(newPlainSz))
-		err := syscall.Ftruncate(f.intFd(), cSz)
-		if err != nil {
-			tlog.Warn.Printf("Truncate: grow Ftruncate returned error: %v", err)
-		}
-		return fuse.ToStatus(err)
-	}
-	// The new size is NOT aligned, so we need to write a partial block.
-	// Write a single zero to the last byte and let doWrite figure it out.
-	buf := make([]byte, 1)
-	_, status = f.doWrite(buf, int64(newEOFOffset))
-	return status
-}
diff --git a/internal/fusefrontend/file_holes.go b/internal/fusefrontend/file_holes.go
deleted file mode 100644
index 2b7564e..0000000
--- a/internal/fusefrontend/file_holes.go
+++ /dev/null
@@ -1,92 +0,0 @@
-package fusefrontend
-
-// Helper functions for sparse files (files with holes)
-
-import (
-	"runtime"
-	"syscall"
-
-	"github.com/hanwen/go-fuse/v2/fuse"
-
-	"github.com/rfjakob/gocryptfs/internal/tlog"
-)
-
-// Will a write to plaintext offset "targetOff" create a file hole in the
-// ciphertext? If yes, zero-pad the last ciphertext block.
-func (f *File) writePadHole(targetOff int64) fuse.Status {
-	// Get the current file size.
-	fi, err := f.fd.Stat()
-	if err != nil {
-		tlog.Warn.Printf("checkAndPadHole: Fstat failed: %v", err)
-		return fuse.ToStatus(err)
-	}
-	plainSize := f.contentEnc.CipherSizeToPlainSize(uint64(fi.Size()))
-	// Appending a single byte to the file (equivalent to writing to
-	// offset=plainSize) would write to "nextBlock".
-	nextBlock := f.contentEnc.PlainOffToBlockNo(plainSize)
-	// targetBlock is the block the user wants to write to.
-	targetBlock := f.contentEnc.PlainOffToBlockNo(uint64(targetOff))
-	// The write goes into an existing block or (if the last block was full)
-	// starts a new one directly after the last block. Nothing to do.
-	if targetBlock <= nextBlock {
-		return fuse.OK
-	}
-	// The write goes past the next block. nextBlock has
-	// to be zero-padded to the block boundary and (at least) nextBlock+1
-	// will contain a file hole in the ciphertext.
-	status := f.zeroPad(plainSize)
-	if status != fuse.OK {
-		return status
-	}
-	return fuse.OK
-}
-
-// Zero-pad the file of size plainSize to the next block boundary. This is a no-op
-// if the file is already block-aligned.
-func (f *File) zeroPad(plainSize uint64) fuse.Status {
-	lastBlockLen := plainSize % f.contentEnc.PlainBS()
-	if lastBlockLen == 0 {
-		// Already block-aligned
-		return fuse.OK
-	}
-	missing := f.contentEnc.PlainBS() - lastBlockLen
-	pad := make([]byte, missing)
-	tlog.Debug.Printf("zeroPad: Writing %d bytes\n", missing)
-	_, status := f.doWrite(pad, int64(plainSize))
-	return status
-}
-
-// SeekData calls the lseek syscall with SEEK_DATA. It returns the offset of the
-// next data bytes, skipping over file holes.
-func (f *File) SeekData(oldOffset int64) (int64, error) {
-	if runtime.GOOS != "linux" {
-		// Does MacOS support something like this?
-		return 0, syscall.EOPNOTSUPP
-	}
-	const SEEK_DATA = 3
-
-	// Convert plaintext offset to ciphertext offset and round down to the
-	// start of the current block. File holes smaller than a full block will
-	// be ignored.
-	blockNo := f.contentEnc.PlainOffToBlockNo(uint64(oldOffset))
-	oldCipherOff := int64(f.contentEnc.BlockNoToCipherOff(blockNo))
-
-	// Determine the next data offset. If the old offset points to (or beyond)
-	// the end of the file, the Seek syscall fails with syscall.ENXIO.
-	newCipherOff, err := syscall.Seek(f.intFd(), oldCipherOff, SEEK_DATA)
-	if err != nil {
-		return 0, err
-	}
-
-	// Convert ciphertext offset back to plaintext offset. At this point,
-	// newCipherOff should always be >= contentenc.HeaderLen. Round down,
-	// but ensure that the result is never smaller than the initial offset
-	// (to avoid endless loops).
-	blockNo = f.contentEnc.CipherOffToBlockNo(uint64(newCipherOff))
-	newOffset := int64(f.contentEnc.BlockNoToPlainOff(blockNo))
-	if newOffset < oldOffset {
-		newOffset = oldOffset
-	}
-
-	return newOffset, nil
-}
diff --git a/internal/fusefrontend/fs.go b/internal/fusefrontend/fs.go
deleted file mode 100644
index e8dae9f..0000000
--- a/internal/fusefrontend/fs.go
+++ /dev/null
@@ -1,692 +0,0 @@
-// Package fusefrontend interfaces directly with the go-fuse library.
-package fusefrontend
-
-// FUSE operations on paths
-
-import (
-	"os"
-	"sync"
-	"sync/atomic"
-	"syscall"
-	"time"
-
-	"golang.org/x/sys/unix"
-
-	"github.com/hanwen/go-fuse/v2/fuse"
-	"github.com/hanwen/go-fuse/v2/fuse/nodefs"
-	"github.com/hanwen/go-fuse/v2/fuse/pathfs"
-
-	"github.com/rfjakob/gocryptfs/internal/configfile"
-	"github.com/rfjakob/gocryptfs/internal/contentenc"
-	"github.com/rfjakob/gocryptfs/internal/inomap"
-	"github.com/rfjakob/gocryptfs/internal/nametransform"
-	"github.com/rfjakob/gocryptfs/internal/serialize_reads"
-	"github.com/rfjakob/gocryptfs/internal/syscallcompat"
-	"github.com/rfjakob/gocryptfs/internal/tlog"
-)
-
-// FS implements the go-fuse virtual filesystem interface.
-type FS struct {
-	// Embed pathfs.defaultFileSystem to avoid compile failure when the
-	// pathfs.FileSystem interface gets new functions. defaultFileSystem
-	// provides a no-op implementation for all functions.
-	pathfs.FileSystem
-	args Args // Stores configuration arguments
-	// dirIVLock: Lock()ed if any "gocryptfs.diriv" file is modified
-	// Readers must RLock() it to prevent them from seeing intermediate
-	// states
-	dirIVLock sync.RWMutex
-	// Filename encryption helper
-	nameTransform nametransform.NameTransformer
-	// Content encryption helper
-	contentEnc *contentenc.ContentEnc
-	// This lock is used by openWriteOnlyFile() to block concurrent opens while
-	// it relaxes the permissions on a file.
-	openWriteOnlyLock sync.RWMutex
-	// MitigatedCorruptions is used to report data corruption that is internally
-	// mitigated by ignoring the corrupt item. For example, when OpenDir() finds
-	// a corrupt filename, we still return the other valid filenames.
-	// The corruption is logged to syslog to inform the user,	and in addition,
-	// the corrupt filename is logged to this channel via
-	// reportMitigatedCorruption().
-	// "gocryptfs -fsck" reads from the channel to also catch these transparently-
-	// mitigated corruptions.
-	MitigatedCorruptions chan string
-	// This flag is set to zero each time fs.isFiltered() is called
-	// (uint32 so that it can be reset with CompareAndSwapUint32).
-	// When -idle was used when mounting, idleMonitor() sets it to 1
-	// periodically.
-	IsIdle uint32
-	// dirCache caches directory fds
-	dirCache dirCacheStruct
-	// inoMap translates inode numbers from different devices to unique inode
-	// numbers.
-	inoMap *inomap.InoMap
-}
-
-//var _ pathfs.FileSystem = &FS{} // Verify that interface is implemented.
-
-// NewFS returns a new encrypted FUSE overlay filesystem.
-func NewFS(args Args, c *contentenc.ContentEnc, n nametransform.NameTransformer) *FS {
-	if args.SerializeReads {
-		serialize_reads.InitSerializer()
-	}
-	if len(args.Exclude) > 0 {
-		tlog.Warn.Printf("Forward mode does not support -exclude")
-	}
-	var st syscall.Stat_t
-	err := syscall.Stat(args.Cipherdir, &st)
-	if err != nil {
-		tlog.Warn.Printf("NewFS: could not stat cipherdir: %v", err)
-		st.Dev = 0
-	}
-	return &FS{
-		FileSystem:    pathfs.NewDefaultFileSystem(),
-		args:          args,
-		nameTransform: n,
-		contentEnc:    c,
-		inoMap:        inomap.New(),
-	}
-}
-
-// GetAttr implements pathfs.Filesystem.
-//
-// GetAttr is symlink-safe through use of openBackingDir() and Fstatat().
-func (fs *FS) GetAttr(relPath string, context *fuse.Context) (*fuse.Attr, fuse.Status) {
-	tlog.Debug.Printf("FS.GetAttr(%q)", relPath)
-	if fs.isFiltered(relPath) {
-		return nil, fuse.EPERM
-	}
-	dirfd, cName, err := fs.openBackingDir(relPath)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	var st unix.Stat_t
-	err = syscallcompat.Fstatat(dirfd, cName, &st, unix.AT_SYMLINK_NOFOLLOW)
-	syscall.Close(dirfd)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	a := &fuse.Attr{}
-	st2 := syscallcompat.Unix2syscall(st)
-	fs.inoMap.TranslateStat(&st2)
-	a.FromStat(&st2)
-	if a.IsRegular() {
-		a.Size = fs.contentEnc.CipherSizeToPlainSize(a.Size)
-	} else if a.IsSymlink() {
-		target, _ := fs.Readlink(relPath, context)
-		a.Size = uint64(len(target))
-	}
-	if fs.args.ForceOwner != nil {
-		a.Owner = *fs.args.ForceOwner
-	}
-	return a, fuse.OK
-}
-
-// mangleOpenFlags is used by Create() and Open() to convert the open flags the user
-// wants to the flags we internally use to open the backing file.
-// The returned flags always contain O_NOFOLLOW.
-func (fs *FS) mangleOpenFlags(flags uint32) (newFlags int) {
-	newFlags = int(flags)
-	// Convert WRONLY to RDWR. We always need read access to do read-modify-write cycles.
-	if (newFlags & syscall.O_ACCMODE) == syscall.O_WRONLY {
-		newFlags = newFlags ^ os.O_WRONLY | os.O_RDWR
-	}
-	// We also cannot open the file in append mode, we need to seek back for RMW
-	newFlags = newFlags &^ os.O_APPEND
-	// O_DIRECT accesses must be aligned in both offset and length. Due to our
-	// crypto header, alignment will be off, even if userspace makes aligned
-	// accesses. Running xfstests generic/013 on ext4 used to trigger lots of
-	// EINVAL errors due to missing alignment. Just fall back to buffered IO.
-	newFlags = newFlags &^ syscallcompat.O_DIRECT
-	// Create and Open are two separate FUSE operations, so O_CREAT should not
-	// be part of the open flags.
-	newFlags = newFlags &^ syscall.O_CREAT
-	// We always want O_NOFOLLOW to be safe against symlink races
-	newFlags |= syscall.O_NOFOLLOW
-	return newFlags
-}
-
-// Open - FUSE call. Open already-existing file.
-//
-// Symlink-safe through Openat().
-func (fs *FS) Open(path string, flags uint32, context *fuse.Context) (fuseFile nodefs.File, status fuse.Status) {
-	if fs.isFiltered(path) {
-		return nil, fuse.EPERM
-	}
-	newFlags := fs.mangleOpenFlags(flags)
-	// Taking this lock makes sure we don't race openWriteOnlyFile()
-	fs.openWriteOnlyLock.RLock()
-	defer fs.openWriteOnlyLock.RUnlock()
-	// Symlink-safe open
-	dirfd, cName, err := fs.openBackingDir(path)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-	fd, err := syscallcompat.Openat(dirfd, cName, newFlags, 0)
-	// Handle a few specific errors
-	if err != nil {
-		if err == syscall.EMFILE {
-			var lim syscall.Rlimit
-			syscall.Getrlimit(syscall.RLIMIT_NOFILE, &lim)
-			tlog.Warn.Printf("Open %q: too many open files. Current \"ulimit -n\": %d", cName, lim.Cur)
-		}
-		if err == syscall.EACCES && (int(flags)&syscall.O_ACCMODE) == syscall.O_WRONLY {
-			return fs.openWriteOnlyFile(dirfd, cName, newFlags)
-		}
-		return nil, fuse.ToStatus(err)
-	}
-	f := os.NewFile(uintptr(fd), cName)
-	return NewFile(f, fs)
-}
-
-// openBackingFile opens the ciphertext file that backs relative plaintext
-// path "relPath". Always adds O_NOFOLLOW to the flags.
-func (fs *FS) openBackingFile(relPath string, flags int) (fd int, err error) {
-	dirfd, cName, err := fs.openBackingDir(relPath)
-	if err != nil {
-		return -1, err
-	}
-	defer syscall.Close(dirfd)
-	return syscallcompat.Openat(dirfd, cName, flags|syscall.O_NOFOLLOW, 0)
-}
-
-// Due to RMW, we always need read permissions on the backing file. This is a
-// problem if the file permissions do not allow reading (i.e. 0200 permissions).
-// This function works around that problem by chmod'ing the file, obtaining a fd,
-// and chmod'ing it back.
-func (fs *FS) openWriteOnlyFile(dirfd int, cName string, newFlags int) (*File, fuse.Status) {
-	woFd, err := syscallcompat.Openat(dirfd, cName, syscall.O_WRONLY|syscall.O_NOFOLLOW, 0)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	defer syscall.Close(woFd)
-	var st syscall.Stat_t
-	err = syscall.Fstat(woFd, &st)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	// The cast to uint32 fixes a build failure on Darwin, where st.Mode is uint16.
-	perms := uint32(st.Mode)
-	// Verify that we don't have read permissions
-	if perms&0400 != 0 {
-		tlog.Warn.Printf("openWriteOnlyFile: unexpected permissions %#o, returning EPERM", perms)
-		return nil, fuse.ToStatus(syscall.EPERM)
-	}
-	// Upgrade the lock to block other Open()s and downgrade again on return
-	fs.openWriteOnlyLock.RUnlock()
-	fs.openWriteOnlyLock.Lock()
-	defer func() {
-		fs.openWriteOnlyLock.Unlock()
-		fs.openWriteOnlyLock.RLock()
-	}()
-	// Relax permissions and revert on return
-	err = syscall.Fchmod(woFd, perms|0400)
-	if err != nil {
-		tlog.Warn.Printf("openWriteOnlyFile: changing permissions failed: %v", err)
-		return nil, fuse.ToStatus(err)
-	}
-	defer func() {
-		err2 := syscall.Fchmod(woFd, perms)
-		if err2 != nil {
-			tlog.Warn.Printf("openWriteOnlyFile: reverting permissions failed: %v", err2)
-		}
-	}()
-	rwFd, err := syscallcompat.Openat(dirfd, cName, newFlags, 0)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	f := os.NewFile(uintptr(rwFd), cName)
-	return NewFile(f, fs)
-}
-
-// Create - FUSE call. Creates a new file.
-//
-// Symlink-safe through the use of Openat().
-func (fs *FS) Create(path string, flags uint32, mode uint32, context *fuse.Context) (nodefs.File, fuse.Status) {
-	if fs.isFiltered(path) {
-		return nil, fuse.EPERM
-	}
-	newFlags := fs.mangleOpenFlags(flags)
-	dirfd, cName, err := fs.openBackingDir(path)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-	fd := -1
-	// Make sure context is nil if we don't want to preserve the owner
-	if !fs.args.PreserveOwner {
-		context = nil
-	}
-	// Handle long file name
-	if !fs.args.PlaintextNames && nametransform.IsLongContent(cName) {
-		// Create ".name"
-		err = fs.nameTransform.WriteLongNameAt(dirfd, cName, path)
-		if err != nil {
-			return nil, fuse.ToStatus(err)
-		}
-		// Create content
-		fd, err = syscallcompat.OpenatUser(dirfd, cName, newFlags|syscall.O_CREAT|syscall.O_EXCL, mode, context)
-		if err != nil {
-			nametransform.DeleteLongNameAt(dirfd, cName)
-		}
-	} else {
-		// Create content, normal (short) file name
-		fd, err = syscallcompat.OpenatUser(dirfd, cName, newFlags|syscall.O_CREAT|syscall.O_EXCL, mode, context)
-	}
-	if err != nil {
-		// xfstests generic/488 triggers this
-		if err == syscall.EMFILE {
-			var lim syscall.Rlimit
-			syscall.Getrlimit(syscall.RLIMIT_NOFILE, &lim)
-			tlog.Warn.Printf("Create %q: too many open files. Current \"ulimit -n\": %d", cName, lim.Cur)
-		}
-		return nil, fuse.ToStatus(err)
-	}
-	f := os.NewFile(uintptr(fd), cName)
-	return NewFile(f, fs)
-}
-
-// Chmod - FUSE call. Change permissions on "path".
-//
-// Symlink-safe through use of Fchmodat().
-func (fs *FS) Chmod(path string, mode uint32, context *fuse.Context) (code fuse.Status) {
-	if fs.isFiltered(path) {
-		return fuse.EPERM
-	}
-	dirfd, cName, err := fs.openBackingDir(path)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-	// os.Chmod goes through the "syscallMode" translation function that messes
-	// up the suid and sgid bits. So use a syscall directly.
-	err = syscallcompat.FchmodatNofollow(dirfd, cName, mode)
-	return fuse.ToStatus(err)
-}
-
-// Chown - FUSE call. Change the owner of "path".
-//
-// Symlink-safe through use of Fchownat().
-func (fs *FS) Chown(path string, uid uint32, gid uint32, context *fuse.Context) (code fuse.Status) {
-	if fs.isFiltered(path) {
-		return fuse.EPERM
-	}
-	dirfd, cName, err := fs.openBackingDir(path)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-	err = syscallcompat.Fchownat(dirfd, cName, int(uid), int(gid), unix.AT_SYMLINK_NOFOLLOW)
-	return fuse.ToStatus(err)
-}
-
-// Mknod - FUSE call. Create a device file.
-//
-// Symlink-safe through use of Mknodat().
-func (fs *FS) Mknod(path string, mode uint32, dev uint32, context *fuse.Context) (code fuse.Status) {
-	if fs.isFiltered(path) {
-		return fuse.EPERM
-	}
-	dirfd, cName, err := fs.openBackingDir(path)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-	// Make sure context is nil if we don't want to preserve the owner
-	if !fs.args.PreserveOwner {
-		context = nil
-	}
-	// Create ".name" file to store long file name (except in PlaintextNames mode)
-	if !fs.args.PlaintextNames && nametransform.IsLongContent(cName) {
-		err = fs.nameTransform.WriteLongNameAt(dirfd, cName, path)
-		if err != nil {
-			return fuse.ToStatus(err)
-		}
-		// Create "gocryptfs.longfile." device node
-		err = syscallcompat.MknodatUser(dirfd, cName, mode, int(dev), context)
-		if err != nil {
-			nametransform.DeleteLongNameAt(dirfd, cName)
-		}
-	} else {
-		// Create regular device node
-		err = syscallcompat.MknodatUser(dirfd, cName, mode, int(dev), context)
-	}
-	return fuse.ToStatus(err)
-}
-
-// Truncate - FUSE call. Truncates a file.
-//
-// Support truncate(2) by opening the file and calling ftruncate(2)
-// While the glibc "truncate" wrapper seems to always use ftruncate, fsstress from
-// xfstests uses this a lot by calling "truncate64" directly.
-//
-// Symlink-safe by letting file.Truncate() do all the work.
-func (fs *FS) Truncate(path string, offset uint64, context *fuse.Context) (code fuse.Status) {
-	file, code := fs.Open(path, uint32(os.O_RDWR), context)
-	if code != fuse.OK {
-		return code
-	}
-	code = file.Truncate(offset)
-	file.Release()
-	return code
-}
-
-// Utimens - FUSE call. Set the timestamps on file "path".
-//
-// Symlink-safe through UtimesNanoAt.
-func (fs *FS) Utimens(path string, a *time.Time, m *time.Time, context *fuse.Context) (code fuse.Status) {
-	if fs.isFiltered(path) {
-		return fuse.EPERM
-	}
-	dirfd, cName, err := fs.openBackingDir(path)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-	err = syscallcompat.UtimesNanoAtNofollow(dirfd, cName, a, m)
-	return fuse.ToStatus(err)
-}
-
-// StatFs - FUSE call. Returns information about the filesystem.
-//
-// Symlink-safe because the passed path is ignored.
-func (fs *FS) StatFs(path string) *fuse.StatfsOut {
-	var st syscall.Statfs_t
-	err := syscall.Statfs(fs.args.Cipherdir, &st)
-	if err == nil {
-		var out fuse.StatfsOut
-		out.FromStatfsT(&st)
-		return &out
-	}
-	return nil
-}
-
-// decryptSymlinkTarget: "cData64" is base64-decoded and decrypted
-// like file contents (GCM).
-// The empty string decrypts to the empty string.
-//
-// This function does not do any I/O and is hence symlink-safe.
-func (fs *FS) decryptSymlinkTarget(cData64 string) (string, error) {
-	if cData64 == "" {
-		return "", nil
-	}
-	cData, err := fs.nameTransform.B64DecodeString(cData64)
-	if err != nil {
-		return "", err
-	}
-	data, err := fs.contentEnc.DecryptBlock([]byte(cData), 0, nil)
-	if err != nil {
-		return "", err
-	}
-	return string(data), nil
-}
-
-// Readlink - FUSE call.
-//
-// Symlink-safe through openBackingDir() + Readlinkat().
-func (fs *FS) Readlink(relPath string, context *fuse.Context) (out string, status fuse.Status) {
-	dirfd, cName, err := fs.openBackingDir(relPath)
-	if err != nil {
-		return "", fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-	cTarget, err := syscallcompat.Readlinkat(dirfd, cName)
-	if err != nil {
-		return "", fuse.ToStatus(err)
-	}
-	if fs.args.PlaintextNames {
-		return cTarget, fuse.OK
-	}
-	// Symlinks are encrypted like file contents (GCM) and base64-encoded
-	target, err := fs.decryptSymlinkTarget(cTarget)
-	if err != nil {
-		tlog.Warn.Printf("Readlink %q: decrypting target failed: %v", cName, err)
-		return "", fuse.EIO
-	}
-	return string(target), fuse.OK
-}
-
-// Unlink - FUSE call. Delete a file.
-//
-// Symlink-safe through use of Unlinkat().
-func (fs *FS) Unlink(path string, context *fuse.Context) (code fuse.Status) {
-	if fs.isFiltered(path) {
-		return fuse.EPERM
-	}
-	dirfd, cName, err := fs.openBackingDir(path)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-	// Delete content
-	err = syscallcompat.Unlinkat(dirfd, cName, 0)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	// Delete ".name" file
-	if !fs.args.PlaintextNames && nametransform.IsLongContent(cName) {
-		err = nametransform.DeleteLongNameAt(dirfd, cName)
-		if err != nil {
-			tlog.Warn.Printf("Unlink: could not delete .name file: %v", err)
-		}
-	}
-	return fuse.ToStatus(err)
-}
-
-// encryptSymlinkTarget: "data" is encrypted like file contents (GCM)
-// and base64-encoded.
-// The empty string encrypts to the empty string.
-//
-// Symlink-safe because it does not do any I/O.
-func (fs *FS) encryptSymlinkTarget(data string) (cData64 string) {
-	if data == "" {
-		return ""
-	}
-	cData := fs.contentEnc.EncryptBlock([]byte(data), 0, nil)
-	cData64 = fs.nameTransform.B64EncodeToString(cData)
-	return cData64
-}
-
-// Symlink - FUSE call. Create a symlink.
-//
-// Symlink-safe through use of Symlinkat.
-func (fs *FS) Symlink(target string, linkName string, context *fuse.Context) (code fuse.Status) {
-	tlog.Debug.Printf("Symlink(\"%s\", \"%s\")", target, linkName)
-	if fs.isFiltered(linkName) {
-		return fuse.EPERM
-	}
-	dirfd, cName, err := fs.openBackingDir(linkName)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-	// Make sure context is nil if we don't want to preserve the owner
-	if !fs.args.PreserveOwner {
-		context = nil
-	}
-	cTarget := target
-	if !fs.args.PlaintextNames {
-		// Symlinks are encrypted like file contents (GCM) and base64-encoded
-		cTarget = fs.encryptSymlinkTarget(target)
-	}
-	// Create ".name" file to store long file name (except in PlaintextNames mode)
-	if !fs.args.PlaintextNames && nametransform.IsLongContent(cName) {
-		err = fs.nameTransform.WriteLongNameAt(dirfd, cName, linkName)
-		if err != nil {
-			return fuse.ToStatus(err)
-		}
-		// Create "gocryptfs.longfile." symlink
-		err = syscallcompat.SymlinkatUser(cTarget, dirfd, cName, context)
-		if err != nil {
-			nametransform.DeleteLongNameAt(dirfd, cName)
-		}
-	} else {
-		// Create symlink
-		err = syscallcompat.SymlinkatUser(cTarget, dirfd, cName, context)
-	}
-	return fuse.ToStatus(err)
-}
-
-// Rename - FUSE call.
-//
-// Symlink-safe through Renameat().
-func (fs *FS) Rename(oldPath string, newPath string, context *fuse.Context) (code fuse.Status) {
-	defer fs.dirCache.Clear()
-	if fs.isFiltered(newPath) {
-		return fuse.EPERM
-	}
-	oldDirfd, oldCName, err := fs.openBackingDir(oldPath)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(oldDirfd)
-	newDirfd, newCName, err := fs.openBackingDir(newPath)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(newDirfd)
-	// Easy case.
-	if fs.args.PlaintextNames {
-		return fuse.ToStatus(syscallcompat.Renameat(oldDirfd, oldCName, newDirfd, newCName))
-	}
-	// Long destination file name: create .name file
-	nameFileAlreadyThere := false
-	if nametransform.IsLongContent(newCName) {
-		err = fs.nameTransform.WriteLongNameAt(newDirfd, newCName, newPath)
-		// Failure to write the .name file is expected when the target path already
-		// exists. Since hashes are pretty unique, there is no need to modify the
-		// .name file in this case, and we ignore the error.
-		if err == syscall.EEXIST {
-			nameFileAlreadyThere = true
-		} else if err != nil {
-			return fuse.ToStatus(err)
-		}
-	}
-	// Actual rename
-	tlog.Debug.Printf("Renameat %d/%s -> %d/%s\n", oldDirfd, oldCName, newDirfd, newCName)
-	err = syscallcompat.Renameat(oldDirfd, oldCName, newDirfd, newCName)
-	if err == syscall.ENOTEMPTY || err == syscall.EEXIST {
-		// If an empty directory is overwritten we will always get an error as
-		// the "empty" directory will still contain gocryptfs.diriv.
-		// Interestingly, ext4 returns ENOTEMPTY while xfs returns EEXIST.
-		// We handle that by trying to fs.Rmdir() the target directory and trying
-		// again.
-		tlog.Debug.Printf("Rename: Handling ENOTEMPTY")
-		if fs.Rmdir(newPath, context) == fuse.OK {
-			err = syscallcompat.Renameat(oldDirfd, oldCName, newDirfd, newCName)
-		}
-	}
-	if err != nil {
-		if nametransform.IsLongContent(newCName) && nameFileAlreadyThere == false {
-			// Roll back .name creation unless the .name file was already there
-			nametransform.DeleteLongNameAt(newDirfd, newCName)
-		}
-		return fuse.ToStatus(err)
-	}
-	if nametransform.IsLongContent(oldCName) {
-		nametransform.DeleteLongNameAt(oldDirfd, oldCName)
-	}
-	return fuse.OK
-}
-
-// Link - FUSE call. Creates a hard link at "newPath" pointing to file
-// "oldPath".
-//
-// Symlink-safe through use of Linkat().
-func (fs *FS) Link(oldPath string, newPath string, context *fuse.Context) (code fuse.Status) {
-	if fs.isFiltered(newPath) {
-		return fuse.EPERM
-	}
-	oldDirFd, cOldName, err := fs.openBackingDir(oldPath)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(oldDirFd)
-	newDirFd, cNewName, err := fs.openBackingDir(newPath)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(newDirFd)
-	// Handle long file name (except in PlaintextNames mode)
-	if !fs.args.PlaintextNames && nametransform.IsLongContent(cNewName) {
-		err = fs.nameTransform.WriteLongNameAt(newDirFd, cNewName, newPath)
-		if err != nil {
-			return fuse.ToStatus(err)
-		}
-		// Create "gocryptfs.longfile." link
-		err = syscallcompat.Linkat(oldDirFd, cOldName, newDirFd, cNewName, 0)
-		if err != nil {
-			nametransform.DeleteLongNameAt(newDirFd, cNewName)
-		}
-	} else {
-		// Create regular link
-		err = syscallcompat.Linkat(oldDirFd, cOldName, newDirFd, cNewName, 0)
-	}
-	return fuse.ToStatus(err)
-}
-
-// Access - FUSE call. Check if a file can be accessed in the specified mode(s)
-// (read, write, execute).
-//
-// From https://github.com/libfuse/libfuse/blob/master/include/fuse.h :
-//
-// > Check file access permissions
-// >
-// > If the 'default_permissions' mount option is given, this method is not
-// > called.
-//
-// We always enable default_permissions when -allow_other is passed, so there
-// is no need for this function to check the uid in fuse.Context.
-//
-// Symlink-safe through use of faccessat.
-func (fs *FS) Access(relPath string, mode uint32, context *fuse.Context) (code fuse.Status) {
-	if fs.isFiltered(relPath) {
-		return fuse.EPERM
-	}
-	dirfd, cName, err := fs.openBackingDir(relPath)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	err = syscallcompat.Faccessat(dirfd, cName, mode)
-	syscall.Close(dirfd)
-	return fuse.ToStatus(err)
-}
-
-// reportMitigatedCorruption is used to report a corruption that was transparently
-// mitigated and did not return an error to the user. Pass the name of the corrupt
-// item (filename for OpenDir(), xattr name for ListXAttr() etc).
-// See the MitigatedCorruptions channel for more info.
-func (fs *FS) reportMitigatedCorruption(item string) {
-	if fs.MitigatedCorruptions == nil {
-		return
-	}
-	select {
-	case fs.MitigatedCorruptions <- item:
-	case <-time.After(1 * time.Second):
-		tlog.Warn.Printf("BUG: reportCorruptItem: timeout")
-		//debug.PrintStack()
-		return
-	}
-}
-
-// isFiltered - check if plaintext "path" should be forbidden
-//
-// Prevents name clashes with internal files when file names are not encrypted
-func (fs *FS) isFiltered(path string) bool {
-	atomic.StoreUint32(&fs.IsIdle, 0)
-
-	if !fs.args.PlaintextNames {
-		return false
-	}
-	// gocryptfs.conf in the root directory is forbidden
-	if path == configfile.ConfDefaultName {
-		tlog.Info.Printf("The name /%s is reserved when -plaintextnames is used\n",
-			configfile.ConfDefaultName)
-		return true
-	}
-	// Note: gocryptfs.diriv is NOT forbidden because diriv and plaintextnames
-	// are exclusive
-	return false
-}
diff --git a/internal/fusefrontend/fs_dir.go b/internal/fusefrontend/fs_dir.go
deleted file mode 100644
index 0d8adae..0000000
--- a/internal/fusefrontend/fs_dir.go
+++ /dev/null
@@ -1,343 +0,0 @@
-package fusefrontend
-
-// Mkdir and Rmdir
-
-import (
-	"fmt"
-	"io"
-	"runtime"
-	"syscall"
-
-	"golang.org/x/sys/unix"
-
-	"github.com/hanwen/go-fuse/v2/fuse"
-
-	"github.com/rfjakob/gocryptfs/internal/configfile"
-	"github.com/rfjakob/gocryptfs/internal/cryptocore"
-	"github.com/rfjakob/gocryptfs/internal/nametransform"
-	"github.com/rfjakob/gocryptfs/internal/syscallcompat"
-	"github.com/rfjakob/gocryptfs/internal/tlog"
-)
-
-const dsStoreName = ".DS_Store"
-
-// mkdirWithIv - create a new directory and corresponding diriv file. dirfd
-// should be a handle to the parent directory, cName is the name of the new
-// directory and mode specifies the access permissions to use.
-func (fs *FS) mkdirWithIv(dirfd int, cName string, mode uint32, context *fuse.Context) error {
-	// Between the creation of the directory and the creation of gocryptfs.diriv
-	// the directory is inconsistent. Take the lock to prevent other readers
-	// from seeing it.
-	fs.dirIVLock.Lock()
-	defer fs.dirIVLock.Unlock()
-	err := syscallcompat.MkdiratUser(dirfd, cName, mode, &context.Caller)
-	if err != nil {
-		return err
-	}
-	dirfd2, err := syscallcompat.Openat(dirfd, cName, syscall.O_DIRECTORY|syscall.O_NOFOLLOW|syscallcompat.O_PATH, 0)
-	if err == nil {
-		// Create gocryptfs.diriv
-		err = nametransform.WriteDirIVAt(dirfd2)
-		syscall.Close(dirfd2)
-	}
-	if err != nil {
-		// Delete inconsistent directory (missing gocryptfs.diriv!)
-		err2 := syscallcompat.Unlinkat(dirfd, cName, unix.AT_REMOVEDIR)
-		if err2 != nil {
-			tlog.Warn.Printf("mkdirWithIv: rollback failed: %v", err2)
-		}
-	}
-	return err
-}
-
-// Mkdir - FUSE call. Create a directory at "newPath" with permissions "mode".
-//
-// Symlink-safe through use of Mkdirat().
-func (fs *FS) Mkdir(newPath string, mode uint32, context *fuse.Context) (code fuse.Status) {
-	if fs.isFiltered(newPath) {
-		return fuse.EPERM
-	}
-	dirfd, cName, err := fs.openBackingDir(newPath)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-	// Make sure context is nil if we don't want to preserve the owner
-	if !fs.args.PreserveOwner {
-		context = nil
-	}
-	if fs.args.PlaintextNames {
-		err = syscallcompat.MkdiratUser(dirfd, cName, mode, &context.Caller)
-		return fuse.ToStatus(err)
-	}
-
-	// We need write and execute permissions to create gocryptfs.diriv.
-	// Also, we need read permissions to open the directory (to avoid
-	// race-conditions between getting and setting the mode).
-	origMode := mode
-	mode = mode | 0700
-
-	// Handle long file name
-	if nametransform.IsLongContent(cName) {
-		// Create ".name"
-		err = fs.nameTransform.WriteLongNameAt(dirfd, cName, newPath)
-		if err != nil {
-			return fuse.ToStatus(err)
-		}
-
-		// Create directory
-		err = fs.mkdirWithIv(dirfd, cName, mode, context)
-		if err != nil {
-			nametransform.DeleteLongNameAt(dirfd, cName)
-			return fuse.ToStatus(err)
-		}
-	} else {
-		err = fs.mkdirWithIv(dirfd, cName, mode, context)
-		if err != nil {
-			return fuse.ToStatus(err)
-		}
-	}
-	// Set mode
-	if origMode != mode {
-		dirfd2, err := syscallcompat.Openat(dirfd, cName,
-			syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NOFOLLOW, 0)
-		if err != nil {
-			tlog.Warn.Printf("Mkdir %q: Openat failed: %v", cName, err)
-			return fuse.ToStatus(err)
-		}
-		defer syscall.Close(dirfd2)
-
-		var st syscall.Stat_t
-		err = syscall.Fstat(dirfd2, &st)
-		if err != nil {
-			tlog.Warn.Printf("Mkdir %q: Fstat failed: %v", cName, err)
-			return fuse.ToStatus(err)
-		}
-
-		// Preserve SGID bit if it was set due to inheritance.
-		origMode = uint32(st.Mode&^0777) | origMode
-		err = syscall.Fchmod(dirfd2, origMode)
-		if err != nil {
-			tlog.Warn.Printf("Mkdir %q: Fchmod %#o -> %#o failed: %v", cName, mode, origMode, err)
-			return fuse.ToStatus(err)
-		}
-	}
-	return fuse.OK
-}
-
-// haveDsstore return true if one of the entries in "names" is ".DS_Store".
-func haveDsstore(entries []fuse.DirEntry) bool {
-	for _, e := range entries {
-		if e.Name == dsStoreName {
-			return true
-		}
-	}
-	return false
-}
-
-// Rmdir - FUSE call.
-//
-// Symlink-safe through Unlinkat() + AT_REMOVEDIR.
-func (fs *FS) Rmdir(relPath string, context *fuse.Context) (code fuse.Status) {
-	defer fs.dirCache.Clear()
-	parentDirFd, cName, err := fs.openBackingDir(relPath)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(parentDirFd)
-	if fs.args.PlaintextNames {
-		// Unlinkat with AT_REMOVEDIR is equivalent to Rmdir
-		err = unix.Unlinkat(parentDirFd, cName, unix.AT_REMOVEDIR)
-		return fuse.ToStatus(err)
-	}
-	// Unless we are running as root, we need read, write and execute permissions
-	// to handle gocryptfs.diriv.
-	permWorkaround := false
-	var origMode uint32
-	if !fs.args.PreserveOwner {
-		var st unix.Stat_t
-		err = syscallcompat.Fstatat(parentDirFd, cName, &st, unix.AT_SYMLINK_NOFOLLOW)
-		if err != nil {
-			return fuse.ToStatus(err)
-		}
-		if st.Mode&0700 != 0700 {
-			tlog.Debug.Printf("Rmdir: permWorkaround")
-			permWorkaround = true
-			// This cast is needed on Darwin, where st.Mode is uint16.
-			origMode = uint32(st.Mode)
-			err = syscallcompat.FchmodatNofollow(parentDirFd, cName, origMode|0700)
-			if err != nil {
-				tlog.Debug.Printf("Rmdir: permWorkaround: chmod failed: %v", err)
-				return fuse.ToStatus(err)
-			}
-		}
-	}
-	dirfd, err := syscallcompat.Openat(parentDirFd, cName,
-		syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NOFOLLOW, 0)
-	if err != nil {
-		tlog.Debug.Printf("Rmdir: Open: %v", err)
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-	// Undo the chmod if removing the directory failed. This must run before
-	// closing dirfd, so defer it after (defer is LIFO).
-	if permWorkaround {
-		defer func() {
-			if code != fuse.OK {
-				err = unix.Fchmod(dirfd, origMode)
-				if err != nil {
-					tlog.Warn.Printf("Rmdir: permWorkaround: rollback failed: %v", err)
-				}
-			}
-		}()
-	}
-retry:
-	// Check directory contents
-	children, err := syscallcompat.Getdents(dirfd)
-	if err == io.EOF {
-		// The directory is empty
-		tlog.Warn.Printf("Rmdir: %q: %s is missing", cName, nametransform.DirIVFilename)
-		err = unix.Unlinkat(parentDirFd, cName, unix.AT_REMOVEDIR)
-		return fuse.ToStatus(err)
-	}
-	if err != nil {
-		tlog.Warn.Printf("Rmdir: Readdirnames: %v", err)
-		return fuse.ToStatus(err)
-	}
-	// MacOS sprinkles .DS_Store files everywhere. This is hard to avoid for
-	// users, so handle it transparently here.
-	if runtime.GOOS == "darwin" && len(children) <= 2 && haveDsstore(children) {
-		err = unix.Unlinkat(dirfd, dsStoreName, 0)
-		if err != nil {
-			tlog.Warn.Printf("Rmdir: failed to delete blocking file %q: %v", dsStoreName, err)
-			return fuse.ToStatus(err)
-		}
-		tlog.Warn.Printf("Rmdir: had to delete blocking file %q", dsStoreName)
-		goto retry
-	}
-	// If the directory is not empty besides gocryptfs.diriv, do not even
-	// attempt the dance around gocryptfs.diriv.
-	if len(children) > 1 {
-		return fuse.ToStatus(syscall.ENOTEMPTY)
-	}
-	// Move "gocryptfs.diriv" to the parent dir as "gocryptfs.diriv.rmdir.XYZ"
-	tmpName := fmt.Sprintf("%s.rmdir.%d", nametransform.DirIVFilename, cryptocore.RandUint64())
-	tlog.Debug.Printf("Rmdir: Renaming %s to %s", nametransform.DirIVFilename, tmpName)
-	// The directory is in an inconsistent state between rename and rmdir.
-	// Protect against concurrent readers.
-	fs.dirIVLock.Lock()
-	defer fs.dirIVLock.Unlock()
-	err = syscallcompat.Renameat(dirfd, nametransform.DirIVFilename,
-		parentDirFd, tmpName)
-	if err != nil {
-		tlog.Warn.Printf("Rmdir: Renaming %s to %s failed: %v",
-			nametransform.DirIVFilename, tmpName, err)
-		return fuse.ToStatus(err)
-	}
-	// Actual Rmdir
-	err = syscallcompat.Unlinkat(parentDirFd, cName, unix.AT_REMOVEDIR)
-	if err != nil {
-		// This can happen if another file in the directory was created in the
-		// meantime, undo the rename
-		err2 := syscallcompat.Renameat(parentDirFd, tmpName,
-			dirfd, nametransform.DirIVFilename)
-		if err2 != nil {
-			tlog.Warn.Printf("Rmdir: Rename rollback failed: %v", err2)
-		}
-		return fuse.ToStatus(err)
-	}
-	// Delete "gocryptfs.diriv.rmdir.XYZ"
-	err = syscallcompat.Unlinkat(parentDirFd, tmpName, 0)
-	if err != nil {
-		tlog.Warn.Printf("Rmdir: Could not clean up %s: %v", tmpName, err)
-	}
-	// Delete .name file
-	if nametransform.IsLongContent(cName) {
-		nametransform.DeleteLongNameAt(parentDirFd, cName)
-	}
-	return fuse.OK
-}
-
-// OpenDir - FUSE call
-//
-// This function is symlink-safe through use of openBackingDir() and
-// ReadDirIVAt().
-func (fs *FS) OpenDir(dirName string, context *fuse.Context) ([]fuse.DirEntry, fuse.Status) {
-	tlog.Debug.Printf("OpenDir(%s)", dirName)
-	parentDirFd, cDirName, err := fs.openBackingDir(dirName)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	defer syscall.Close(parentDirFd)
-	// Read ciphertext directory
-	var cipherEntries []fuse.DirEntry
-	var status fuse.Status
-	fd, err := syscallcompat.Openat(parentDirFd, cDirName, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NOFOLLOW, 0)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	defer syscall.Close(fd)
-	cipherEntries, err = syscallcompat.Getdents(fd)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	// Get DirIV (stays nil if PlaintextNames is used)
-	var cachedIV []byte
-	if !fs.args.PlaintextNames {
-		// Read the DirIV from disk
-		cachedIV, err = nametransform.ReadDirIVAt(fd)
-		if err != nil {
-			tlog.Warn.Printf("OpenDir %q: could not read %s: %v", cDirName, nametransform.DirIVFilename, err)
-			return nil, fuse.EIO
-		}
-	}
-	// Decrypted directory entries
-	var plain []fuse.DirEntry
-	// Filter and decrypt filenames
-	for i := range cipherEntries {
-		cName := cipherEntries[i].Name
-		if dirName == "" && cName == configfile.ConfDefaultName {
-			// silently ignore "gocryptfs.conf" in the top level dir
-			continue
-		}
-		if fs.args.PlaintextNames {
-			plain = append(plain, cipherEntries[i])
-			continue
-		}
-		if cName == nametransform.DirIVFilename {
-			// silently ignore "gocryptfs.diriv" everywhere if dirIV is enabled
-			continue
-		}
-		// Handle long file name
-		isLong := nametransform.LongNameNone
-		if fs.args.LongNames {
-			isLong = nametransform.NameType(cName)
-		}
-		if isLong == nametransform.LongNameContent {
-			cNameLong, err := nametransform.ReadLongNameAt(fd, cName)
-			if err != nil {
-				tlog.Warn.Printf("OpenDir %q: invalid entry %q: Could not read .name: %v",
-					cDirName, cName, err)
-				fs.reportMitigatedCorruption(cName)
-				continue
-			}
-			cName = cNameLong
-		} else if isLong == nametransform.LongNameFilename {
-			// ignore "gocryptfs.longname.*.name"
-			continue
-		}
-		name, err := fs.nameTransform.DecryptName(cName, cachedIV)
-		if err != nil {
-			tlog.Warn.Printf("OpenDir %q: invalid entry %q: %v",
-				cDirName, cName, err)
-			fs.reportMitigatedCorruption(cName)
-			continue
-		}
-		// Override the ciphertext name with the plaintext name but reuse the rest
-		// of the structure
-		cipherEntries[i].Name = name
-		plain = append(plain, cipherEntries[i])
-	}
-
-	return plain, status
-}
diff --git a/internal/fusefrontend/node_dir_ops.go b/internal/fusefrontend/node_dir_ops.go
index 066e791..a93271d 100644
--- a/internal/fusefrontend/node_dir_ops.go
+++ b/internal/fusefrontend/node_dir_ops.go
@@ -20,6 +20,18 @@ import (
 	"github.com/rfjakob/gocryptfs/internal/tlog"
 )
 
+const dsStoreName = ".DS_Store"
+
+// haveDsstore return true if one of the entries in "names" is ".DS_Store".
+func haveDsstore(entries []fuse.DirEntry) bool {
+	for _, e := range entries {
+		if e.Name == dsStoreName {
+			return true
+		}
+	}
+	return false
+}
+
 // mkdirWithIv - create a new directory and corresponding diriv file. dirfd
 // should be a handle to the parent directory, cName is the name of the new
 // directory and mode specifies the access permissions to use.
diff --git a/internal/fusefrontend/openbackingdir.go b/internal/fusefrontend/openbackingdir.go
deleted file mode 100644
index e9e10db..0000000
--- a/internal/fusefrontend/openbackingdir.go
+++ /dev/null
@@ -1,84 +0,0 @@
-package fusefrontend
-
-import (
-	"path/filepath"
-	"strings"
-	"syscall"
-
-	"github.com/rfjakob/gocryptfs/internal/nametransform"
-	"github.com/rfjakob/gocryptfs/internal/syscallcompat"
-)
-
-// openBackingDir opens the parent ciphertext directory of plaintext path
-// "relPath". It returns the dirfd (opened with O_PATH) and the encrypted
-// basename.
-//
-// The caller should then use Openat(dirfd, cName, ...) and friends.
-// For convenience, if relPath is "", cName is going to be ".".
-//
-// openBackingDir is secure against symlink races by using Openat and
-// ReadDirIVAt.
-func (fs *FS) openBackingDir(relPath string) (dirfd int, cName string, err error) {
-	dirRelPath := nametransform.Dir(relPath)
-	// With PlaintextNames, we don't need to read DirIVs. Easy.
-	if fs.args.PlaintextNames {
-		dirfd, err = syscallcompat.OpenDirNofollow(fs.args.Cipherdir, dirRelPath)
-		if err != nil {
-			return -1, "", err
-		}
-		// If relPath is empty, cName is ".".
-		cName = filepath.Base(relPath)
-		return dirfd, cName, nil
-	}
-	// Cache lookup
-	dirfd, iv := fs.dirCache.Lookup(dirRelPath)
-	if dirfd > 0 {
-		// If relPath is empty, cName is ".".
-		if relPath == "" {
-			return dirfd, ".", nil
-		}
-		name := filepath.Base(relPath)
-		cName, err = fs.nameTransform.EncryptAndHashName(name, iv)
-		if err != nil {
-			syscall.Close(dirfd)
-			return -1, "", err
-		}
-		return dirfd, cName, nil
-	}
-	// Open cipherdir (following symlinks)
-	dirfd, err = syscall.Open(fs.args.Cipherdir, syscall.O_DIRECTORY|syscallcompat.O_PATH, 0)
-	if err != nil {
-		return -1, "", err
-	}
-	// If relPath is empty, cName is ".".
-	if relPath == "" {
-		return dirfd, ".", nil
-	}
-	// Walk the directory tree
-	parts := strings.Split(relPath, "/")
-	for i, name := range parts {
-		iv, err := nametransform.ReadDirIVAt(dirfd)
-		if err != nil {
-			syscall.Close(dirfd)
-			return -1, "", err
-		}
-		cName, err = fs.nameTransform.EncryptAndHashName(name, iv)
-		if err != nil {
-			syscall.Close(dirfd)
-			return -1, "", err
-		}
-		// Last part? We are done.
-		if i == len(parts)-1 {
-			fs.dirCache.Store(dirRelPath, dirfd, iv)
-			break
-		}
-		// Not the last part? Descend into next directory.
-		dirfd2, err := syscallcompat.Openat(dirfd, cName, syscall.O_NOFOLLOW|syscall.O_DIRECTORY|syscallcompat.O_PATH, 0)
-		syscall.Close(dirfd)
-		if err != nil {
-			return -1, "", err
-		}
-		dirfd = dirfd2
-	}
-	return dirfd, cName, nil
-}
diff --git a/internal/fusefrontend/xattr.go b/internal/fusefrontend/xattr.go
deleted file mode 100644
index 6638d83..0000000
--- a/internal/fusefrontend/xattr.go
+++ /dev/null
@@ -1,140 +0,0 @@
-// Package fusefrontend interfaces directly with the go-fuse library.
-package fusefrontend
-
-import (
-	"strings"
-	"syscall"
-
-	"github.com/hanwen/go-fuse/v2/fuse"
-
-	"github.com/rfjakob/gocryptfs/internal/tlog"
-)
-
-const _EOPNOTSUPP = fuse.Status(syscall.EOPNOTSUPP)
-
-// GetXAttr - FUSE call. Reads the value of extended attribute "attr".
-//
-// This function is symlink-safe through Fgetxattr.
-func (fs *FS) GetXAttr(relPath string, attr string, context *fuse.Context) ([]byte, fuse.Status) {
-	if fs.isFiltered(relPath) {
-		return nil, fuse.EPERM
-	}
-	cAttr := fs.encryptXattrName(attr)
-
-	cData, status := fs.getXAttr(relPath, cAttr, context)
-	if !status.Ok() {
-		return nil, status
-	}
-
-	data, err := fs.decryptXattrValue(cData)
-	if err != nil {
-		tlog.Warn.Printf("GetXAttr: %v", err)
-		return nil, fuse.EIO
-	}
-	return data, fuse.OK
-}
-
-// SetXAttr - FUSE call. Set extended attribute.
-//
-// This function is symlink-safe through Fsetxattr.
-func (fs *FS) SetXAttr(relPath string, attr string, data []byte, flags int, context *fuse.Context) fuse.Status {
-	if fs.isFiltered(relPath) {
-		return fuse.EPERM
-	}
-	flags = filterXattrSetFlags(flags)
-	cAttr := fs.encryptXattrName(attr)
-	cData := fs.encryptXattrValue(data)
-	return fs.setXAttr(relPath, cAttr, cData, flags, context)
-}
-
-// RemoveXAttr - FUSE call.
-//
-// This function is symlink-safe through Fremovexattr.
-func (fs *FS) RemoveXAttr(relPath string, attr string, context *fuse.Context) fuse.Status {
-	if fs.isFiltered(relPath) {
-		return fuse.EPERM
-	}
-	cAttr := fs.encryptXattrName(attr)
-	return fs.removeXAttr(relPath, cAttr, context)
-}
-
-// ListXAttr - FUSE call. Lists extended attributes on the file at "relPath".
-//
-// This function is symlink-safe through Flistxattr.
-func (fs *FS) ListXAttr(relPath string, context *fuse.Context) ([]string, fuse.Status) {
-	if fs.isFiltered(relPath) {
-		return nil, fuse.EPERM
-	}
-
-	cNames, status := fs.listXAttr(relPath, context)
-	if !status.Ok() {
-		return nil, status
-	}
-
-	names := make([]string, 0, len(cNames))
-	for _, curName := range cNames {
-		if !strings.HasPrefix(curName, xattrStorePrefix) {
-			continue
-		}
-		name, err := fs.decryptXattrName(curName)
-		if err != nil {
-			tlog.Warn.Printf("ListXAttr: invalid xattr name %q: %v", curName, err)
-			fs.reportMitigatedCorruption(curName)
-			continue
-		}
-		names = append(names, name)
-	}
-	return names, fuse.OK
-}
-
-// encryptXattrName transforms "user.foo" to "user.gocryptfs.a5sAd4XAa47f5as6dAf"
-func (fs *FS) encryptXattrName(attr string) (cAttr string) {
-	// xattr names are encrypted like file names, but with a fixed IV.
-	cAttr = xattrStorePrefix + fs.nameTransform.EncryptName(attr, xattrNameIV)
-	return cAttr
-}
-
-func (fs *FS) decryptXattrName(cAttr string) (attr string, err error) {
-	// Reject anything that does not start with "user.gocryptfs."
-	if !strings.HasPrefix(cAttr, xattrStorePrefix) {
-		return "", syscall.EINVAL
-	}
-	// Strip "user.gocryptfs." prefix
-	cAttr = cAttr[len(xattrStorePrefix):]
-	attr, err = fs.nameTransform.DecryptName(cAttr, xattrNameIV)
-	if err != nil {
-		return "", err
-	}
-	return attr, nil
-}
-
-// encryptXattrValue encrypts the xattr value "data".
-// The data is encrypted like a file content block, but without binding it to
-// a file location (block number and file id are set to zero).
-// Special case: an empty value is encrypted to an empty value.
-func (fs *FS) encryptXattrValue(data []byte) (cData []byte) {
-	if len(data) == 0 {
-		return []byte{}
-	}
-	return fs.contentEnc.EncryptBlock(data, 0, nil)
-}
-
-// decryptXattrValue decrypts the xattr value "cData".
-func (fs *FS) decryptXattrValue(cData []byte) (data []byte, err error) {
-	if len(cData) == 0 {
-		return []byte{}, nil
-	}
-	data, err1 := fs.contentEnc.DecryptBlock([]byte(cData), 0, nil)
-	if err1 == nil {
-		return data, nil
-	}
-	// This backward compatibility is needed to support old
-	// file systems having xattr values base64-encoded.
-	cData, err2 := fs.nameTransform.B64DecodeString(string(cData))
-	if err2 != nil {
-		// Looks like the value was not base64-encoded, but just corrupt.
-		// Return the original decryption error: err1
-		return nil, err1
-	}
-	return fs.contentEnc.DecryptBlock([]byte(cData), 0, nil)
-}
diff --git a/internal/fusefrontend/xattr_darwin.go b/internal/fusefrontend/xattr_darwin.go
deleted file mode 100644
index 1d4ffcd..0000000
--- a/internal/fusefrontend/xattr_darwin.go
+++ /dev/null
@@ -1,90 +0,0 @@
-// +build darwin
-
-// Package fusefrontend interfaces directly with the go-fuse library.
-package fusefrontend
-
-import (
-	"syscall"
-
-	"golang.org/x/sys/unix"
-
-	"github.com/hanwen/go-fuse/v2/fuse"
-
-	"github.com/rfjakob/gocryptfs/internal/syscallcompat"
-)
-
-// On Darwin it is needed to unset XATTR_NOSECURITY 0x0008
-func filterXattrSetFlags(flags int) int {
-	// See https://opensource.apple.com/source/xnu/xnu-1504.15.3/bsd/sys/xattr.h.auto.html
-	const XATTR_NOSECURITY = 0x0008
-
-	return flags &^ XATTR_NOSECURITY
-}
-
-func (fs *FS) getXAttr(relPath string, cAttr string, context *fuse.Context) ([]byte, fuse.Status) {
-	// O_NONBLOCK to not block on FIFOs.
-	fd, err := fs.openBackingFile(relPath, syscall.O_RDONLY|syscall.O_NONBLOCK)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	defer syscall.Close(fd)
-
-	cData, err := syscallcompat.Fgetxattr(fd, cAttr)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-
-	return cData, fuse.OK
-}
-
-func (fs *FS) setXAttr(relPath string, cAttr string, cData []byte, flags int, context *fuse.Context) fuse.Status {
-	// O_NONBLOCK to not block on FIFOs.
-	fd, err := fs.openBackingFile(relPath, syscall.O_WRONLY|syscall.O_NONBLOCK)
-	// Directories cannot be opened read-write. Retry.
-	if err == syscall.EISDIR {
-		fd, err = fs.openBackingFile(relPath, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NONBLOCK)
-	}
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(fd)
-
-	err = unix.Fsetxattr(fd, cAttr, cData, flags)
-	return fuse.ToStatus(err)
-}
-
-func (fs *FS) removeXAttr(relPath string, cAttr string, context *fuse.Context) fuse.Status {
-	// O_NONBLOCK to not block on FIFOs.
-	fd, err := fs.openBackingFile(relPath, syscall.O_WRONLY|syscall.O_NONBLOCK)
-	// Directories cannot be opened read-write. Retry.
-	if err == syscall.EISDIR {
-		fd, err = fs.openBackingFile(relPath, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NONBLOCK)
-	}
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(fd)
-
-	err = unix.Fremovexattr(fd, cAttr)
-	return fuse.ToStatus(err)
-}
-
-func (fs *FS) listXAttr(relPath string, context *fuse.Context) ([]string, fuse.Status) {
-	// O_NONBLOCK to not block on FIFOs.
-	fd, err := fs.openBackingFile(relPath, syscall.O_RDONLY|syscall.O_NONBLOCK)
-	// On a symlink, openBackingFile fails with ELOOP. Let's pretend there
-	// can be no xattrs on symlinks, and always return an empty result.
-	if err == syscall.ELOOP {
-		return nil, fuse.OK
-	}
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	defer syscall.Close(fd)
-
-	cNames, err := syscallcompat.Flistxattr(fd)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	return cNames, fuse.OK
-}
diff --git a/internal/fusefrontend/xattr_linux.go b/internal/fusefrontend/xattr_linux.go
deleted file mode 100644
index 5df0617..0000000
--- a/internal/fusefrontend/xattr_linux.go
+++ /dev/null
@@ -1,69 +0,0 @@
-// +build linux
-
-// Package fusefrontend interfaces directly with the go-fuse library.
-package fusefrontend
-
-import (
-	"fmt"
-	"syscall"
-
-	"golang.org/x/sys/unix"
-
-	"github.com/hanwen/go-fuse/v2/fuse"
-
-	"github.com/rfjakob/gocryptfs/internal/syscallcompat"
-)
-
-func (fs *FS) getXAttr(relPath string, cAttr string, context *fuse.Context) ([]byte, fuse.Status) {
-	dirfd, cName, err := fs.openBackingDir(relPath)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-
-	procPath := fmt.Sprintf("/proc/self/fd/%d/%s", dirfd, cName)
-	cData, err := syscallcompat.Lgetxattr(procPath, cAttr)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	return cData, fuse.OK
-}
-
-func (fs *FS) setXAttr(relPath string, cAttr string, cData []byte, flags int, context *fuse.Context) fuse.Status {
-	dirfd, cName, err := fs.openBackingDir(relPath)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-
-	procPath := fmt.Sprintf("/proc/self/fd/%d/%s", dirfd, cName)
-	err = unix.Lsetxattr(procPath, cAttr, cData, flags)
-	return fuse.ToStatus(err)
-}
-
-func (fs *FS) removeXAttr(relPath string, cAttr string, context *fuse.Context) fuse.Status {
-	dirfd, cName, err := fs.openBackingDir(relPath)
-	if err != nil {
-		return fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-
-	procPath := fmt.Sprintf("/proc/self/fd/%d/%s", dirfd, cName)
-	err = unix.Lremovexattr(procPath, cAttr)
-	return fuse.ToStatus(err)
-}
-
-func (fs *FS) listXAttr(relPath string, context *fuse.Context) ([]string, fuse.Status) {
-	dirfd, cName, err := fs.openBackingDir(relPath)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	defer syscall.Close(dirfd)
-
-	procPath := fmt.Sprintf("/proc/self/fd/%d/%s", dirfd, cName)
-	cNames, err := syscallcompat.Llistxattr(procPath)
-	if err != nil {
-		return nil, fuse.ToStatus(err)
-	}
-	return cNames, fuse.OK
-}