syscallcompat: check that we get NOFOLLOW wherever possible

...and fix the instances where the AT_SYMLINK_NOFOLLOW /
O_NOFOLLOW / O_EXCL flag was missing.

5 files changed, 25 insertions, 7 deletions

diff --git a/internal/fusefrontend/fs.go b/internal/fusefrontend/fs.go
index d6467f9..cc055c7 100644
--- a/internal/fusefrontend/fs.go
+++ b/internal/fusefrontend/fs.go
@@ -211,7 +211,7 @@ func (fs *FS) Create(path string, flags uint32, mode uint32, context *fuse.Conte
 
 		// Create content
 		var fdRaw int
-		fdRaw, err = syscallcompat.Openat(int(dirfd.Fd()), cName, newFlags|os.O_CREATE, mode)
+		fdRaw, err = syscallcompat.Openat(int(dirfd.Fd()), cName, newFlags|os.O_CREATE|os.O_EXCL, mode)
 		if err != nil {
 			nametransform.DeleteLongName(dirfd, cName)
 			return nil, fuse.ToStatus(err)
@@ -219,7 +219,7 @@ func (fs *FS) Create(path string, flags uint32, mode uint32, context *fuse.Conte
 		fd = os.NewFile(uintptr(fdRaw), cName)
 	} else {
 		// Normal (short) file name
-		fd, err = os.OpenFile(cPath, newFlags|os.O_CREATE, os.FileMode(mode))
+		fd, err = os.OpenFile(cPath, newFlags|os.O_CREATE|os.O_EXCL, os.FileMode(mode))
 		if err != nil {
 			return nil, fuse.ToStatus(err)
 		}
diff --git a/internal/fusefrontend/fs_dir.go b/internal/fusefrontend/fs_dir.go
index 4ffaaff..5cc269b 100644
--- a/internal/fusefrontend/fs_dir.go
+++ b/internal/fusefrontend/fs_dir.go
@@ -146,7 +146,7 @@ func (fs *FS) Rmdir(path string, context *fuse.Context) (code fuse.Status) {
 
 	cName := filepath.Base(cPath)
 	dirfdRaw, err := syscallcompat.Openat(int(parentDirFd.Fd()), cName,
-		syscall.O_RDONLY, 0)
+		syscall.O_RDONLY|syscall.O_NOFOLLOW, 0)
 	if err == syscall.EACCES {
 		// We need permission to read and modify the directory
 		tlog.Debug.Printf("Rmdir: handling EACCESS")
@@ -168,7 +168,7 @@ func (fs *FS) Rmdir(path string, context *fuse.Context) (code fuse.Status) {
 		var st syscall.Stat_t
 		syscall.Lstat(cPath, &st)
 		dirfdRaw, err = syscallcompat.Openat(int(parentDirFd.Fd()), cName,
-			syscall.O_RDONLY, 0)
+			syscall.O_RDONLY|syscall.O_NOFOLLOW, 0)
 		// Undo the chmod if removing the directory failed
 		defer func() {
 			if code != fuse.OK {
diff --git a/internal/nametransform/diriv.go b/internal/nametransform/diriv.go
index fe289c6..f980a04 100644
--- a/internal/nametransform/diriv.go
+++ b/internal/nametransform/diriv.go
@@ -36,7 +36,8 @@ func ReadDirIV(dir string) (iv []byte, err error) {
 // ReadDirIVAt reads "gocryptfs.diriv" from the directory that is opened as "dirfd".
 // Using the dirfd makes it immune to concurrent renames of the directory.
 func ReadDirIVAt(dirfd *os.File) (iv []byte, err error) {
-	fdRaw, err := syscallcompat.Openat(int(dirfd.Fd()), DirIVFilename, syscall.O_RDONLY, 0)
+	fdRaw, err := syscallcompat.Openat(int(dirfd.Fd()), DirIVFilename,
+		syscall.O_RDONLY|syscall.O_NOFOLLOW, 0)
 	if err != nil {
 		tlog.Warn.Printf("ReadDirIVAt: opening %q in dir %q failed: %v",
 			DirIVFilename, dirfd.Name(), err)
diff --git a/internal/syscallcompat/emulate.go b/internal/syscallcompat/emulate.go
index 59d0ea5..3af45f8 100644
--- a/internal/syscallcompat/emulate.go
+++ b/internal/syscallcompat/emulate.go
@@ -136,12 +136,12 @@ func emulateFchmodat(dirfd int, path string, mode uint32, flags int) (err error)
 	}
 	defer syscall.Fchdir(cwd)
 	// We also don't have Lchmod, so emulate it (poorly).
-	if flags&unix.AT_SYMLINK_NOFOLLOW > 0 {
+	if flags&unix.AT_SYMLINK_NOFOLLOW != 0 {
 		fi, err := os.Lstat(path)
 		if err != nil {
 			return err
 		}
-		if fi.Mode()&os.ModeSymlink > 0 {
+		if fi.Mode()&os.ModeSymlink != 0 {
 			return nil
 		}
 	}
diff --git a/internal/syscallcompat/sys_linux.go b/internal/syscallcompat/sys_linux.go
index 1ea56b5..e9ca7cb 100644
--- a/internal/syscallcompat/sys_linux.go
+++ b/internal/syscallcompat/sys_linux.go
@@ -6,6 +6,8 @@ import (
 	"syscall"
 	"unsafe"
 
+	"golang.org/x/sys/unix"
+
 	"github.com/rfjakob/gocryptfs/internal/tlog"
 )
 
@@ -46,6 +48,11 @@ func Fallocate(fd int, mode uint32, off int64, len int64) (err error) {
 
 // Openat wraps the Openat syscall.
 func Openat(dirfd int, path string, flags int, mode uint32) (fd int, err error) {
+	// Why would we ever want to call this without O_NOFOLLOW and O_EXCL?
+	if !(flags&syscall.O_CREAT != 0 && flags&syscall.O_EXCL != 0) && flags&syscall.O_NOFOLLOW == 0 {
+		tlog.Warn.Printf("Openat: adding missing O_NOFOLLOW flag")
+		flags |= syscall.O_NOFOLLOW
+	}
 	return syscall.Openat(dirfd, path, flags, mode)
 }
 
@@ -82,11 +89,21 @@ func Dup3(oldfd int, newfd int, flags int) (err error) {
 
 // Fchmodat syscall.
 func Fchmodat(dirfd int, path string, mode uint32, flags int) (err error) {
+	// Why would we ever want to call this without AT_SYMLINK_NOFOLLOW?
+	if flags&unix.AT_SYMLINK_NOFOLLOW == 0 {
+		tlog.Warn.Printf("Fchmodat: adding missing AT_SYMLINK_NOFOLLOW flag")
+		flags |= unix.AT_SYMLINK_NOFOLLOW
+	}
 	return syscall.Fchmodat(dirfd, path, mode, flags)
 }
 
 // Fchownat syscall.
 func Fchownat(dirfd int, path string, uid int, gid int, flags int) (err error) {
+	// Why would we ever want to call this without AT_SYMLINK_NOFOLLOW?
+	if flags&unix.AT_SYMLINK_NOFOLLOW == 0 {
+		tlog.Warn.Printf("Fchownat: adding missing AT_SYMLINK_NOFOLLOW flag")
+		flags |= unix.AT_SYMLINK_NOFOLLOW
+	}
 	return syscall.Fchownat(dirfd, path, uid, gid, flags)
 }