| author | Jakob Unterwurzacher | 2017-12-05 23:11:46 +0100 | 
|---|---|---|
| committer | Jakob Unterwurzacher | 2017-12-05 23:14:12 +0100 | 
| commit | 926cb93b50d6a573dbbef59ff841960b9d824c37 (patch) | |
| tree | f704dd2ff709215dc3c1f69c6ed0480cc4510b08 /internal | |
| parent | e604ce6deaf0ba4407c54293a338673ed06f833a (diff) | |
fusefrontend_reverse: secure OpenDir against symlink races
...by using the new OpenNofollow helper.
The benchmark shows a small but acceptable performance loss:
  $ ./benchmark-reverse.bash
  LS:  2.182
  CAT: 18.221
Tracking ticket: https://github.com/rfjakob/gocryptfs/issues/165
Diffstat (limited to 'internal')
| -rw-r--r-- | internal/fusefrontend_reverse/rfs.go | 12 | 
1 files changed, 9 insertions, 3 deletions
|
diff --git a/internal/fusefrontend_reverse/rfs.go b/internal/fusefrontend_reverse/rfs.go
index 18468ee..0329cc9 100644
--- a/internal/fusefrontend_reverse/rfs.go
+++ b/internal/fusefrontend_reverse/rfs.go
@@ -17,6 +17,7 @@ import (
 	"github.com/rfjakob/gocryptfs/internal/fusefrontend"
 	"github.com/rfjakob/gocryptfs/internal/nametransform"
 	"github.com/rfjakob/gocryptfs/internal/pathiv"
+	"github.com/rfjakob/gocryptfs/internal/syscallcompat"
 	"github.com/rfjakob/gocryptfs/internal/tlog"
 )
@@ -253,9 +254,14 @@ func (rfs *ReverseFS) OpenDir(cipherPath string, context *fuse.Context) ([]fuse.
 		return nil, fuse.ToStatus(err)
 	}
 	// Read plaintext dir
-	entries, status := rfs.loopbackfs.OpenDir(relPath, context)
-	if entries == nil {
-		return nil, status
+	fd, err := syscallcompat.OpenNofollow(rfs.args.Cipherdir, relPath, syscall.O_RDONLY, 0)
+	if err != nil {
+		return nil, fuse.ToStatus(err)
+	}
+	defer syscall.Close(fd)
+	entries, err := syscallcompat.Getdents(fd)
+	if err != nil {
+		return nil, fuse.ToStatus(err)
 	}
 	if rfs.args.PlaintextNames {
 		return rfs.openDirPlaintextnames(cipherPath, entries)
|
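Review bot: The new open in OpenDir passes only `syscall.O_RDONLY`, so nothing on the visible lines requires `relPath` to still be a directory when it is opened. If the path is swapped for a non-directory between lookup and open, the mismatch is only caught afterwards by `Getdents`, and a read-only open of a FIFO can block before that point. Unless `OpenNofollow` already adds the flag itself, which this hunk does not show, I would request it here: `fd, err := syscallcompat.OpenNofollow(rfs.args.Cipherdir, relPath, syscall.O_RDONLY|syscall.O_DIRECTORY, 0)`. The body of OpenDir starts and ends outside the hunk, so whether later per-entry handling still resolves names by path cannot be judged from here.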
