diff options
-rw-r--r-- | cryptfs/filter.go | 14 | ||||
-rw-r--r-- | pathfs_frontend/fs.go | 68 |
2 files changed, 42 insertions, 40 deletions
diff --git a/cryptfs/filter.go b/cryptfs/filter.go new file mode 100644 index 0000000..079b64f --- /dev/null +++ b/cryptfs/filter.go @@ -0,0 +1,14 @@ +package cryptfs + +// IsFiltered - check if "path" should be forbidden +// +// Used to prevent name clashes with gocryptfs.conf +// when file names are not encrypted +func (be *CryptFS) IsFiltered(path string) bool { + // gocryptfs.conf in the root directory is forbidden + if be.plaintextNames == true && path == "gocryptfs.conf" { + Warn.Printf("The name \"/gocryptfs.conf\" is reserved when \"--plaintextnames\" is used\n") + return true + } + return false +} diff --git a/pathfs_frontend/fs.go b/pathfs_frontend/fs.go index 1ef19d2..bd97f9a 100644 --- a/pathfs_frontend/fs.go +++ b/pathfs_frontend/fs.go @@ -34,8 +34,8 @@ func (fs *FS) GetPath(relPath string) string { func (fs *FS) GetAttr(name string, context *fuse.Context) (*fuse.Attr, fuse.Status) { cryptfs.Debug.Printf("FS.GetAttr('%s')\n", name) - if name == cryptfs.ConfDefaultName { - return nil, fuse.EPERM // See comment in Open() + if fs.CryptFS.IsFiltered(name) { + return nil, fuse.EPERM } cName := fs.EncryptPath(name) a, status := fs.FileSystem.GetAttr(cName, context) @@ -60,7 +60,7 @@ func (fs *FS) OpenDir(dirName string, context *fuse.Context) ([]fuse.DirEntry, f for i := range cipherEntries { cName := cipherEntries[i].Name if dirName == "" && cName == cryptfs.ConfDefaultName { - // ignore "gocryptfs.conf" in the top level dir + // silently ignore "gocryptfs.conf" in the top level dir continue } name, err := fs.DecryptPath(cName) @@ -90,14 +90,9 @@ func (fs *FS) mangleOpenFlags(flags uint32) (newFlags int, writeOnly bool) { func (fs *FS) Open(path string, flags uint32, context *fuse.Context) (fuseFile nodefs.File, status fuse.Status) { cryptfs.Debug.Printf("Open(%s)\n", path) - - if path == cryptfs.ConfDefaultName { - // "gocryptfs.conf" in the top level dir is forbidden - // to protect the config file of this filesystem if - // "--plaintextnames" is enabled + if fs.CryptFS.IsFiltered(path){ return nil, fuse.EPERM } - iflags, writeOnly := fs.mangleOpenFlags(flags) f, err := os.OpenFile(fs.GetPath(path), iflags, 0666) if err != nil { @@ -108,10 +103,9 @@ func (fs *FS) Open(path string, flags uint32, context *fuse.Context) (fuseFile n } func (fs *FS) Create(path string, flags uint32, mode uint32, context *fuse.Context) (fuseFile nodefs.File, code fuse.Status) { - if path == cryptfs.ConfDefaultName { - return nil, fuse.EPERM // See comment in Open() + if fs.CryptFS.IsFiltered(path){ + return nil, fuse.EPERM } - iflags, writeOnly := fs.mangleOpenFlags(flags) f, err := os.OpenFile(fs.GetPath(path), iflags|os.O_CREATE, os.FileMode(mode)) if err != nil { @@ -121,26 +115,23 @@ func (fs *FS) Create(path string, flags uint32, mode uint32, context *fuse.Conte } func (fs *FS) Chmod(path string, mode uint32, context *fuse.Context) (code fuse.Status) { - if path == cryptfs.ConfDefaultName { - return fuse.EPERM // See comment in Open() + if fs.CryptFS.IsFiltered(path){ + return fuse.EPERM } - return fs.FileSystem.Chmod(fs.EncryptPath(path), mode, context) } func (fs *FS) Chown(path string, uid uint32, gid uint32, context *fuse.Context) (code fuse.Status) { - if path == cryptfs.ConfDefaultName { - return fuse.EPERM // See comment in Open() + if fs.CryptFS.IsFiltered(path){ + return fuse.EPERM } - return fs.FileSystem.Chown(fs.EncryptPath(path), uid, gid, context) } func (fs *FS) Mknod(name string, mode uint32, dev uint32, context *fuse.Context) (code fuse.Status) { - if name == cryptfs.ConfDefaultName { - return fuse.EPERM // See comment in Open() + if fs.CryptFS.IsFiltered(name){ + return fuse.EPERM } - return fs.FileSystem.Mknod(fs.EncryptPath(name), mode, dev, context) } @@ -150,10 +141,9 @@ func (fs *FS) Truncate(path string, offset uint64, context *fuse.Context) (code } func (fs *FS) Utimens(path string, Atime *time.Time, Mtime *time.Time, context *fuse.Context) (code fuse.Status) { - if path == cryptfs.ConfDefaultName { - return fuse.EPERM // See comment in Open() + if fs.CryptFS.IsFiltered(path){ + return fuse.EPERM } - return fs.FileSystem.Utimens(fs.EncryptPath(path), Atime, Mtime, context) } @@ -171,18 +161,16 @@ func (fs *FS) Readlink(name string, context *fuse.Context) (out string, status f } func (fs *FS) Mkdir(path string, mode uint32, context *fuse.Context) (code fuse.Status) { - if path == cryptfs.ConfDefaultName { - return fuse.EPERM // See comment in Open() + if fs.CryptFS.IsFiltered(path){ + return fuse.EPERM } - return fs.FileSystem.Mkdir(fs.EncryptPath(path), mode, context) } func (fs *FS) Unlink(name string, context *fuse.Context) (code fuse.Status) { - if name == cryptfs.ConfDefaultName { - return fuse.EPERM // See comment in Open() + if fs.CryptFS.IsFiltered(name){ + return fuse.EPERM } - cName := fs.EncryptPath(name) code = fs.FileSystem.Unlink(cName, context) if code != fuse.OK { @@ -196,32 +184,32 @@ func (fs *FS) Rmdir(name string, context *fuse.Context) (code fuse.Status) { } func (fs *FS) Symlink(pointedTo string, linkName string, context *fuse.Context) (code fuse.Status) { - if linkName == cryptfs.ConfDefaultName { - return fuse.EPERM // See comment in Open() + if fs.CryptFS.IsFiltered(linkName){ + return fuse.EPERM } - // TODO symlink encryption cryptfs.Debug.Printf("Symlink(\"%s\", \"%s\")\n", pointedTo, linkName) return fs.FileSystem.Symlink(fs.EncryptPath(pointedTo), fs.EncryptPath(linkName), context) } -func (fs *FS) Rename(oldPath string, newPath string, context *fuse.Context) (codee fuse.Status) { - if newPath == cryptfs.ConfDefaultName { - return fuse.EPERM // See comment in Open() +func (fs *FS) Rename(oldPath string, newPath string, context *fuse.Context) (code fuse.Status) { + if fs.CryptFS.IsFiltered(newPath){ + return fuse.EPERM } - return fs.FileSystem.Rename(fs.EncryptPath(oldPath), fs.EncryptPath(newPath), context) } func (fs *FS) Link(orig string, newName string, context *fuse.Context) (code fuse.Status) { - if newName == cryptfs.ConfDefaultName { - return fuse.EPERM // See comment in Open() + if fs.CryptFS.IsFiltered(newName){ + return fuse.EPERM } - return fs.FileSystem.Link(fs.EncryptPath(orig), fs.EncryptPath(newName), context) } func (fs *FS) Access(name string, mode uint32, context *fuse.Context) (code fuse.Status) { + if fs.CryptFS.IsFiltered(name){ + return fuse.EPERM + } return fs.FileSystem.Access(fs.EncryptPath(name), mode, context) } |