Merge branch 'master' into freebsd-support

11 files changed, 95 insertions, 44 deletions

diff --git a/internal/fusefrontend/node_open_create.go b/internal/fusefrontend/node_open_create.go
index 9598559..622d5dc 100644
--- a/internal/fusefrontend/node_open_create.go
+++ b/internal/fusefrontend/node_open_create.go
@@ -2,6 +2,7 @@ package fusefrontend
 
 import (
 	"context"
+	"os"
 	"syscall"
 
 	"github.com/hanwen/go-fuse/v2/fs"
@@ -12,6 +13,30 @@ import (
 	"github.com/rfjakob/gocryptfs/v2/internal/tlog"
 )
 
+// mangleOpenCreateFlags is used by Create() and Open() to convert the open flags the user
+// wants to the flags we internally use to open the backing file using Openat().
+// The returned flags always contain O_NOFOLLOW/O_SYMLINK.
+func mangleOpenCreateFlags(flags uint32) (newFlags int) {
+	newFlags = int(flags)
+	// Convert WRONLY to RDWR. We always need read access to do read-modify-write cycles.
+	if (newFlags & syscall.O_ACCMODE) == syscall.O_WRONLY {
+		newFlags = newFlags ^ os.O_WRONLY | os.O_RDWR
+	}
+	// We also cannot open the file in append mode, we need to seek back for RMW
+	newFlags = newFlags &^ os.O_APPEND
+	// O_DIRECT accesses must be aligned in both offset and length. Due to our
+	// crypto header, alignment will be off, even if userspace makes aligned
+	// accesses. Running xfstests generic/013 on ext4 used to trigger lots of
+	// EINVAL errors due to missing alignment. Just fall back to buffered IO.
+	newFlags = newFlags &^ syscallcompat.O_DIRECT
+	// Create and Open are two separate FUSE operations, so O_CREAT should usually not
+	// be part of the Open() flags. Create() will add O_CREAT back itself.
+	newFlags = newFlags &^ syscall.O_CREAT
+	// We always want O_NOFOLLOW/O_SYMLINK to be safe against symlink races
+	newFlags |= syscallcompat.OpenatFlagNofollowSymlink
+	return newFlags
+}
+
 // Open - FUSE call. Open already-existing file.
 //
 // Symlink-safe through Openat().
@@ -23,7 +48,7 @@ func (n *Node) Open(ctx context.Context, flags uint32) (fh fs.FileHandle, fuseFl
 	defer syscall.Close(dirfd)
 
 	rn := n.rootNode()
-	newFlags := rn.mangleOpenFlags(flags)
+	newFlags := mangleOpenCreateFlags(flags)
 	// Taking this lock makes sure we don't race openWriteOnlyFile()
 	rn.openWriteOnlyLock.RLock()
 	defer rn.openWriteOnlyLock.RUnlock()
@@ -71,7 +96,7 @@ func (n *Node) Create(ctx context.Context, name string, flags uint32, mode uint3
 	if !rn.args.PreserveOwner {
 		ctx = nil
 	}
-	newFlags := rn.mangleOpenFlags(flags)
+	newFlags := mangleOpenCreateFlags(flags)
 	// Handle long file name
 	ctx2 := toFuseCtx(ctx)
 	if !rn.args.PlaintextNames && nametransform.IsLongContent(cName) {
diff --git a/internal/fusefrontend/node_xattr_darwin.go b/internal/fusefrontend/node_xattr_darwin.go
index f8f224f..1d25f3d 100644
--- a/internal/fusefrontend/node_xattr_darwin.go
+++ b/internal/fusefrontend/node_xattr_darwin.go
@@ -29,8 +29,8 @@ func (n *Node) getXAttr(cAttr string) (out []byte, errno syscall.Errno) {
 	}
 	defer syscall.Close(dirfd)
 
-	// O_NONBLOCK to not block on FIFOs.
-	fd, err := syscallcompat.Openat(dirfd, cName, syscall.O_RDONLY|syscall.O_NONBLOCK|syscall.O_NOFOLLOW, 0)
+	// O_NONBLOCK to not block on FIFOs, O_SYMLINK to open the symlink itself (if it is one).
+	fd, err := syscallcompat.Openat(dirfd, cName, syscall.O_RDONLY|syscall.O_NONBLOCK|syscall.O_SYMLINK, 0)
 	if err != nil {
 		return nil, fs.ToErrno(err)
 	}
@@ -52,10 +52,10 @@ func (n *Node) setXAttr(context *fuse.Context, cAttr string, cData []byte, flags
 	defer syscall.Close(dirfd)
 
 	// O_NONBLOCK to not block on FIFOs.
-	fd, err := syscallcompat.Openat(dirfd, cName, syscall.O_WRONLY|syscall.O_NONBLOCK|syscall.O_NOFOLLOW, 0)
+	fd, err := syscallcompat.Openat(dirfd, cName, syscall.O_WRONLY|syscall.O_NONBLOCK|syscall.O_SYMLINK, 0)
 	// Directories cannot be opened read-write. Retry.
 	if err == syscall.EISDIR {
-		fd, err = syscallcompat.Openat(dirfd, cName, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NONBLOCK|syscall.O_NOFOLLOW, 0)
+		fd, err = syscallcompat.Openat(dirfd, cName, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NONBLOCK|syscall.O_SYMLINK, 0)
 	}
 	if err != nil {
 		fs.ToErrno(err)
@@ -74,10 +74,10 @@ func (n *Node) removeXAttr(cAttr string) (errno syscall.Errno) {
 	defer syscall.Close(dirfd)
 
 	// O_NONBLOCK to not block on FIFOs.
-	fd, err := syscallcompat.Openat(dirfd, cName, syscall.O_WRONLY|syscall.O_NONBLOCK|syscall.O_NOFOLLOW, 0)
+	fd, err := syscallcompat.Openat(dirfd, cName, syscall.O_WRONLY|syscall.O_NONBLOCK|syscall.O_SYMLINK, 0)
 	// Directories cannot be opened read-write. Retry.
 	if err == syscall.EISDIR {
-		fd, err = syscallcompat.Openat(dirfd, cName, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NONBLOCK|syscall.O_NOFOLLOW, 0)
+		fd, err = syscallcompat.Openat(dirfd, cName, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_NONBLOCK|syscall.O_SYMLINK, 0)
 	}
 	if err != nil {
 		return fs.ToErrno(err)
@@ -96,7 +96,7 @@ func (n *Node) listXAttr() (out []string, errno syscall.Errno) {
 	defer syscall.Close(dirfd)
 
 	// O_NONBLOCK to not block on FIFOs.
-	fd, err := syscallcompat.Openat(dirfd, cName, syscall.O_RDONLY|syscall.O_NONBLOCK|syscall.O_NOFOLLOW, 0)
+	fd, err := syscallcompat.Openat(dirfd, cName, syscall.O_RDONLY|syscall.O_NONBLOCK|syscall.O_SYMLINK, 0)
 	if err != nil {
 		return nil, fs.ToErrno(err)
 	}
diff --git a/internal/fusefrontend/root_node.go b/internal/fusefrontend/root_node.go
index 489e3c6..38d070d 100644
--- a/internal/fusefrontend/root_node.go
+++ b/internal/fusefrontend/root_node.go
@@ -1,7 +1,6 @@
 package fusefrontend
 
 import (
-	"os"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -93,7 +92,9 @@ func NewRootNode(args Args, c *contentenc.ContentEnc, n *nametransform.NameTrans
 	}
 	// Suppress the message if the user has already specified -noprealloc
 	if rn.quirks&syscallcompat.QuirkBtrfsBrokenFalloc != 0 && !args.NoPrealloc {
-		syscallcompat.LogQuirk("Btrfs detected, forcing -noprealloc. See https://github.com/rfjakob/gocryptfs/issues/395 for why.")
+		syscallcompat.LogQuirk("Btrfs detected, forcing -noprealloc. " +
+			"Use \"chattr +C\" on the backing directory to enable NOCOW and allow preallocation. " +
+			"See https://github.com/rfjakob/gocryptfs/issues/395 for details.")
 	}
 	if statErr == nil {
 		rn.inoMap.TranslateStat(&st)
@@ -108,30 +109,6 @@ func (rn *RootNode) AfterUnmount() {
 	rn.dirCache.stats()
 }
 
-// mangleOpenFlags is used by Create() and Open() to convert the open flags the user
-// wants to the flags we internally use to open the backing file.
-// The returned flags always contain O_NOFOLLOW.
-func (rn *RootNode) mangleOpenFlags(flags uint32) (newFlags int) {
-	newFlags = int(flags)
-	// Convert WRONLY to RDWR. We always need read access to do read-modify-write cycles.
-	if (newFlags & syscall.O_ACCMODE) == syscall.O_WRONLY {
-		newFlags = newFlags ^ os.O_WRONLY | os.O_RDWR
-	}
-	// We also cannot open the file in append mode, we need to seek back for RMW
-	newFlags = newFlags &^ os.O_APPEND
-	// O_DIRECT accesses must be aligned in both offset and length. Due to our
-	// crypto header, alignment will be off, even if userspace makes aligned
-	// accesses. Running xfstests generic/013 on ext4 used to trigger lots of
-	// EINVAL errors due to missing alignment. Just fall back to buffered IO.
-	newFlags = newFlags &^ syscallcompat.O_DIRECT
-	// Create and Open are two separate FUSE operations, so O_CREAT should not
-	// be part of the open flags.
-	newFlags = newFlags &^ syscall.O_CREAT
-	// We always want O_NOFOLLOW to be safe against symlink races
-	newFlags |= syscall.O_NOFOLLOW
-	return newFlags
-}
-
 // reportMitigatedCorruption is used to report a corruption that was transparently
 // mitigated and did not return an error to the user. Pass the name of the corrupt
 // item (filename for OpenDir(), xattr name for ListXAttr() etc).
diff --git a/internal/fusefrontend_reverse/node_helpers.go b/internal/fusefrontend_reverse/node_helpers.go
index 3165db6..f733689 100644
--- a/internal/fusefrontend_reverse/node_helpers.go
+++ b/internal/fusefrontend_reverse/node_helpers.go
@@ -134,7 +134,7 @@ func (n *Node) lookupLongnameName(ctx context.Context, nameFile string, out *fus
 	if errno != 0 {
 		return
 	}
-	if rn.isExcludedPlain(filepath.Join(d.cPath, pName)) {
+	if rn.isExcludedPlain(filepath.Join(d.pPath, pName)) {
 		errno = syscall.EPERM
 		return
 	}
diff --git a/internal/fusefrontend_reverse/node_xattr.go b/internal/fusefrontend_reverse/node_xattr.go
index f22764a..b940339 100644
--- a/internal/fusefrontend_reverse/node_xattr.go
+++ b/internal/fusefrontend_reverse/node_xattr.go
@@ -40,7 +40,7 @@ func (n *Node) Getxattr(ctx context.Context, attr string, dest []byte) (uint32,
 	} else {
 		pAttr, err := rn.decryptXattrName(attr)
 		if err != nil {
-			return 0, syscall.EINVAL
+			return 0, noSuchAttributeError
 		}
 		pData, errno := n.getXAttr(pAttr)
 		if errno != 0 {
diff --git a/internal/fusefrontend_reverse/root_node.go b/internal/fusefrontend_reverse/root_node.go
index 420ed22..1a668af 100644
--- a/internal/fusefrontend_reverse/root_node.go
+++ b/internal/fusefrontend_reverse/root_node.go
@@ -13,6 +13,7 @@ import (
 	"github.com/hanwen/go-fuse/v2/fs"
 	"github.com/hanwen/go-fuse/v2/fuse"
 
+	"github.com/rfjakob/gocryptfs/v2/internal/configfile"
 	"github.com/rfjakob/gocryptfs/v2/internal/contentenc"
 	"github.com/rfjakob/gocryptfs/v2/internal/exitcodes"
 	"github.com/rfjakob/gocryptfs/v2/internal/fusefrontend"
@@ -136,7 +137,8 @@ func (rn *RootNode) findLongnameParent(fd int, diriv []byte, longname string) (p
 // excluded (used when -exclude is passed by the user).
 func (rn *RootNode) isExcludedPlain(pPath string) bool {
 	// root dir can't be excluded
-	if pPath == "" {
+	// Don't exclude gocryptfs.conf too
+	if pPath == "" || pPath == configfile.ConfReverseName {
 		return false
 	}
 	return rn.excluder != nil && rn.excluder.MatchesPath(pPath)
diff --git a/internal/syscallcompat/quirks_linux.go b/internal/syscallcompat/quirks_linux.go
index 87af03d..35f754d 100644
--- a/internal/syscallcompat/quirks_linux.go
+++ b/internal/syscallcompat/quirks_linux.go
@@ -1,11 +1,38 @@
 package syscallcompat
 
 import (
+	"syscall"
+
 	"golang.org/x/sys/unix"
 
 	"github.com/rfjakob/gocryptfs/v2/internal/tlog"
 )
 
+// FS_NOCOW_FL is the flag set by "chattr +C" to disable copy-on-write on
+// btrfs. Not exported by golang.org/x/sys/unix, value from linux/fs.h.
+const FS_NOCOW_FL = 0x00800000
+
+// dirHasNoCow checks whether the directory at the given path has the
+// NOCOW (No Copy-on-Write) attribute set (i.e. "chattr +C").
+// When a directory has this attribute, files created within it inherit
+// NOCOW, which makes fallocate work correctly on btrfs because writes
+// go in-place rather than through COW.
+func dirHasNoCow(path string) bool {
+	fd, err := syscall.Open(path, syscall.O_RDONLY|syscall.O_DIRECTORY, 0)
+	if err != nil {
+		tlog.Debug.Printf("dirHasNoCow: Open %q failed: %v", path, err)
+		return false
+	}
+	defer syscall.Close(fd)
+
+	flags, err := unix.IoctlGetInt(fd, unix.FS_IOC_GETFLAGS)
+	if err != nil {
+		tlog.Debug.Printf("dirHasNoCow: FS_IOC_GETFLAGS on %q failed: %v", path, err)
+		return false
+	}
+	return flags&FS_NOCOW_FL != 0
+}
+
 // DetectQuirks decides if there are known quirks on the backing filesystem
 // that need to be workarounded.
 //
@@ -21,10 +48,19 @@ func DetectQuirks(cipherdir string) (q uint64) {
 	// Preallocation on Btrfs is broken ( https://github.com/rfjakob/gocryptfs/issues/395 )
 	// and slow ( https://github.com/rfjakob/gocryptfs/issues/63 ).
 	//
+	// The root cause is that btrfs COW allocates new blocks on write even for
+	// preallocated extents, defeating the purpose of fallocate. However, if the
+	// backing directory has the NOCOW attribute (chattr +C), writes go in-place
+	// and fallocate works correctly.
+	//
 	// Cast to uint32 avoids compile error on arm: "constant 2435016766 overflows int32"
 	if uint32(st.Type) == unix.BTRFS_SUPER_MAGIC {
-		// LogQuirk is called in fusefrontend/root_node.go
-		q |= QuirkBtrfsBrokenFalloc
+		if dirHasNoCow(cipherdir) {
+			tlog.Debug.Printf("DetectQuirks: Btrfs detected but cipherdir has NOCOW attribute (chattr +C), fallocate should work correctly")
+		} else {
+			// LogQuirk is called in fusefrontend/root_node.go
+			q |= QuirkBtrfsBrokenFalloc
+		}
 	}
 
 	return q
diff --git a/internal/syscallcompat/sys_common.go b/internal/syscallcompat/sys_common.go
index e95373a..4f84d98 100644
--- a/internal/syscallcompat/sys_common.go
+++ b/internal/syscallcompat/sys_common.go
@@ -54,10 +54,10 @@ func Openat(dirfd int, path string, flags int, mode uint32) (fd int, err error)
 			flags |= syscall.O_EXCL
 		}
 	} else {
-		// If O_CREAT is not used, we should use O_NOFOLLOW
-		if flags&syscall.O_NOFOLLOW == 0 {
-			tlog.Warn.Printf("Openat: O_NOFOLLOW missing: flags = %#x", flags)
-			flags |= syscall.O_NOFOLLOW
+		// If O_CREAT is not used, we should use O_NOFOLLOW or O_SYMLINK
+		if flags&(unix.O_NOFOLLOW|OpenatFlagNofollowSymlink) == 0 {
+			tlog.Warn.Printf("Openat: O_NOFOLLOW/O_SYMLINK missing: flags = %#x", flags)
+			flags |= unix.O_NOFOLLOW
 		}
 	}
 
diff --git a/internal/syscallcompat/sys_darwin.go b/internal/syscallcompat/sys_darwin.go
index 248b5a2..52d4e0f 100644
--- a/internal/syscallcompat/sys_darwin.go
+++ b/internal/syscallcompat/sys_darwin.go
@@ -29,6 +29,10 @@ const (
 	// Only exists on Linux. Define here to fix build failure, even though
 	// we will never see this flag.
 	RENAME_WHITEOUT = 1 << 30
+
+	// On Darwin we use O_SYMLINK which allows opening a symlink itself.
+	// On Linux, we only have O_NOFOLLOW.
+	OpenatFlagNofollowSymlink = unix.O_SYMLINK
 )
 
 // Unfortunately fsetattrlist does not have a syscall wrapper yet.
diff --git a/internal/syscallcompat/sys_freebsd.go b/internal/syscallcompat/sys_freebsd.go
index ec2c402..874e920 100644
--- a/internal/syscallcompat/sys_freebsd.go
+++ b/internal/syscallcompat/sys_freebsd.go
@@ -26,6 +26,9 @@ const (
 
 	// ENODATA is only defined on Linux, but FreeBSD provides ENOATTR
 	ENODATA = unix.ENOATTR
+
+	// On FreeBSD, we only have O_NOFOLLOW.
+	OpenatFlagNofollowSymlink = unix.O_NOFOLLOW
 )
 
 // EnospcPrealloc is supposed to preallocate ciphertext space without
diff --git a/internal/syscallcompat/sys_linux.go b/internal/syscallcompat/sys_linux.go
index faa7ffc..4669d8a 100644
--- a/internal/syscallcompat/sys_linux.go
+++ b/internal/syscallcompat/sys_linux.go
@@ -31,6 +31,10 @@ const (
 
 	// Only defined on Linux
 	ENODATA = unix.ENODATA
+
+	// On Darwin we use O_SYMLINK which allows opening a symlink itself.
+	// On Linux, we only have O_NOFOLLOW.
+	OpenatFlagNofollowSymlink = unix.O_NOFOLLOW
 )
 
 var preallocWarn sync.Once