6 files changed, 90 insertions, 49 deletions
diff --git a/internal/syscallcompat/quirks.go b/internal/syscallcompat/quirks.go
index 858f16d..36bcb9f 100644
--- a/internal/syscallcompat/quirks.go
+++ b/internal/syscallcompat/quirks.go
@@ -5,18 +5,17 @@ import (
 )
 
 const (
-	// QuirkBrokenFalloc means the falloc is broken.
+	// QuirkBtrfsBrokenFalloc means the falloc is broken.
 	// Preallocation on Btrfs is broken ( https://github.com/rfjakob/gocryptfs/issues/395 )
 	// and slow ( https://github.com/rfjakob/gocryptfs/issues/63 ).
-	QuirkBrokenFalloc = uint64(1 << iota)
+	QuirkBtrfsBrokenFalloc = uint64(1 << iota)
 	// QuirkDuplicateIno1 means that we have duplicate inode numbers.
 	// On MacOS ExFAT, all empty files share inode number 1:
 	// https://github.com/rfjakob/gocryptfs/issues/585
 	QuirkDuplicateIno1
-	// QuirkNoUserXattr means that user.* xattrs are not supported
-	QuirkNoUserXattr
 )
 
-func logQuirk(s string) {
-	tlog.Info.Printf(tlog.ColorYellow + "DetectQuirks: " + s + tlog.ColorReset)
+// LogQuirk prints a yellow message about a detected quirk.
+func LogQuirk(s string) {
+	tlog.Info.Println(tlog.ColorYellow + "DetectQuirks: " + s + tlog.ColorReset)
 }
diff --git a/internal/syscallcompat/quirks_darwin.go b/internal/syscallcompat/quirks_darwin.go
index 4adeea1..c4d5006 100644
--- a/internal/syscallcompat/quirks_darwin.go
+++ b/internal/syscallcompat/quirks_darwin.go
@@ -33,7 +33,7 @@ func DetectQuirks(cipherdir string) (q uint64) {
 	// On MacOS ExFAT, all empty files share inode number 1:
 	// https://github.com/rfjakob/gocryptfs/issues/585
 	if fstypename == FstypenameExfat {
-		logQuirk("ExFAT detected, disabling hard links. See https://github.com/rfjakob/gocryptfs/issues/585 for why.")
+		LogQuirk("ExFAT detected, disabling hard links. See https://github.com/rfjakob/gocryptfs/issues/585 for why.")
 		q |= QuirkDuplicateIno1
 	}
 
diff --git a/internal/syscallcompat/quirks_linux.go b/internal/syscallcompat/quirks_linux.go
index 5ef2d8a..35f754d 100644
--- a/internal/syscallcompat/quirks_linux.go
+++ b/internal/syscallcompat/quirks_linux.go
@@ -1,11 +1,38 @@
 package syscallcompat
 
 import (
+	"syscall"
+
 	"golang.org/x/sys/unix"
 
 	"github.com/rfjakob/gocryptfs/v2/internal/tlog"
 )
 
+// FS_NOCOW_FL is the flag set by "chattr +C" to disable copy-on-write on
+// btrfs. Not exported by golang.org/x/sys/unix, value from linux/fs.h.
+const FS_NOCOW_FL = 0x00800000
+
+// dirHasNoCow checks whether the directory at the given path has the
+// NOCOW (No Copy-on-Write) attribute set (i.e. "chattr +C").
+// When a directory has this attribute, files created within it inherit
+// NOCOW, which makes fallocate work correctly on btrfs because writes
+// go in-place rather than through COW.
+func dirHasNoCow(path string) bool {
+	fd, err := syscall.Open(path, syscall.O_RDONLY|syscall.O_DIRECTORY, 0)
+	if err != nil {
+		tlog.Debug.Printf("dirHasNoCow: Open %q failed: %v", path, err)
+		return false
+	}
+	defer syscall.Close(fd)
+
+	flags, err := unix.IoctlGetInt(fd, unix.FS_IOC_GETFLAGS)
+	if err != nil {
+		tlog.Debug.Printf("dirHasNoCow: FS_IOC_GETFLAGS on %q failed: %v", path, err)
+		return false
+	}
+	return flags&FS_NOCOW_FL != 0
+}
+
 // DetectQuirks decides if there are known quirks on the backing filesystem
 // that need to be workarounded.
 //
@@ -21,14 +48,19 @@ func DetectQuirks(cipherdir string) (q uint64) {
 	// Preallocation on Btrfs is broken ( https://github.com/rfjakob/gocryptfs/issues/395 )
 	// and slow ( https://github.com/rfjakob/gocryptfs/issues/63 ).
 	//
+	// The root cause is that btrfs COW allocates new blocks on write even for
+	// preallocated extents, defeating the purpose of fallocate. However, if the
+	// backing directory has the NOCOW attribute (chattr +C), writes go in-place
+	// and fallocate works correctly.
+	//
 	// Cast to uint32 avoids compile error on arm: "constant 2435016766 overflows int32"
 	if uint32(st.Type) == unix.BTRFS_SUPER_MAGIC {
-		logQuirk("Btrfs detected, forcing -noprealloc. See https://github.com/rfjakob/gocryptfs/issues/395 for why.")
-		q |= QuirkBrokenFalloc
-	}
-
-	if uint32(st.Type) == unix.TMPFS_MAGIC {
-		logQuirk("tmpfs detected, no extended attributes except acls will work.")
+		if dirHasNoCow(cipherdir) {
+			tlog.Debug.Printf("DetectQuirks: Btrfs detected but cipherdir has NOCOW attribute (chattr +C), fallocate should work correctly")
+		} else {
+			// LogQuirk is called in fusefrontend/root_node.go
+			q |= QuirkBtrfsBrokenFalloc
+		}
 	}
 
 	return q
diff --git a/internal/syscallcompat/sys_common.go b/internal/syscallcompat/sys_common.go
index 1aa6a6e..3cb9ffa 100644
--- a/internal/syscallcompat/sys_common.go
+++ b/internal/syscallcompat/sys_common.go
@@ -54,10 +54,10 @@ func Openat(dirfd int, path string, flags int, mode uint32) (fd int, err error)
 			flags |= syscall.O_EXCL
 		}
 	} else {
-		// If O_CREAT is not used, we should use O_NOFOLLOW
-		if flags&syscall.O_NOFOLLOW == 0 {
-			tlog.Warn.Printf("Openat: O_NOFOLLOW missing: flags = %#x", flags)
-			flags |= syscall.O_NOFOLLOW
+		// If O_CREAT is not used, we should use O_NOFOLLOW or O_SYMLINK
+		if flags&(unix.O_NOFOLLOW|OpenatFlagNofollowSymlink) == 0 {
+			tlog.Warn.Printf("Openat: O_NOFOLLOW/O_SYMLINK missing: flags = %#x", flags)
+			flags |= unix.O_NOFOLLOW
 		}
 	}
 
@@ -112,10 +112,10 @@ const XATTR_SIZE_MAX = 65536
 
 // Make the buffer 1kB bigger so we can detect overflows. Unfortunately,
 // slices larger than 64kB are always allocated on the heap.
-const XATTR_BUFSZ = XATTR_SIZE_MAX + 1024
+const GETXATTR_BUFSZ_BIG = XATTR_SIZE_MAX + 1024
 
 // We try with a small buffer first - this one can be allocated on the stack.
-const XATTR_BUFSZ_SMALL = 500
+const GETXATTR_BUFSZ_SMALL = 500
 
 // Fgetxattr is a wrapper around unix.Fgetxattr that handles the buffer sizing.
 func Fgetxattr(fd int, attr string) (val []byte, err error) {
@@ -135,7 +135,7 @@ func Lgetxattr(path string, attr string) (val []byte, err error) {
 
 func getxattrSmartBuf(fn func(buf []byte) (int, error)) ([]byte, error) {
 	// Fastpaths. Important for security.capabilities, which gets queried a lot.
-	buf := make([]byte, XATTR_BUFSZ_SMALL)
+	buf := make([]byte, GETXATTR_BUFSZ_SMALL)
 	sz, err := fn(buf)
 	// Non-existing xattr
 	if err == unix.ENODATA {
@@ -159,7 +159,7 @@ func getxattrSmartBuf(fn func(buf []byte) (int, error)) ([]byte, error) {
 	// We choose the simple approach of buffer that is bigger than the limit on
 	// Linux, and return an error for everything that is bigger (which can
 	// only happen on MacOS).
-	buf = make([]byte, XATTR_BUFSZ)
+	buf = make([]byte, GETXATTR_BUFSZ_BIG)
 	sz, err = fn(buf)
 	if err == syscall.ERANGE {
 		// Do NOT return ERANGE - the user might retry ad inifinitum!
@@ -182,42 +182,44 @@ out:
 // Flistxattr is a wrapper for unix.Flistxattr that handles buffer sizing and
 // parsing the returned blob to a string slice.
 func Flistxattr(fd int) (attrs []string, err error) {
-	// See the buffer sizing comments in getxattrSmartBuf.
-	// TODO: smarter buffer sizing?
-	buf := make([]byte, XATTR_BUFSZ)
-	sz, err := unix.Flistxattr(fd, buf)
-	if err == syscall.ERANGE {
-		// Do NOT return ERANGE - the user might retry ad inifinitum!
-		return nil, syscall.EOVERFLOW
+	listxattrSyscall := func(buf []byte) (int, error) {
+		return unix.Flistxattr(fd, buf)
 	}
-	if err != nil {
-		return nil, err
-	}
-	if sz >= XATTR_SIZE_MAX {
-		return nil, syscall.EOVERFLOW
-	}
-	attrs = parseListxattrBlob(buf[:sz])
-	return attrs, nil
+	return listxattrSmartBuf(listxattrSyscall)
 }
 
 // Llistxattr is a wrapper for unix.Llistxattr that handles buffer sizing and
 // parsing the returned blob to a string slice.
 func Llistxattr(path string) (attrs []string, err error) {
-	// TODO: smarter buffer sizing?
-	buf := make([]byte, XATTR_BUFSZ)
-	sz, err := unix.Llistxattr(path, buf)
-	if err == syscall.ERANGE {
-		// Do NOT return ERANGE - the user might retry ad inifinitum!
-		return nil, syscall.EOVERFLOW
+	listxattrSyscall := func(buf []byte) (int, error) {
+		return unix.Llistxattr(path, buf)
 	}
-	if err != nil {
-		return nil, err
-	}
-	if sz >= XATTR_SIZE_MAX {
-		return nil, syscall.EOVERFLOW
+	return listxattrSmartBuf(listxattrSyscall)
+}
+
+// listxattrSmartBuf handles smart buffer sizing for Flistxattr and Llistxattr
+func listxattrSmartBuf(listxattrSyscall func([]byte) (int, error)) ([]string, error) {
+	const LISTXATTR_BUFSZ_SMALL = 100
+
+	// Blindly try with the small buffer first
+	buf := make([]byte, LISTXATTR_BUFSZ_SMALL)
+	sz, err := listxattrSyscall(buf)
+	if err == syscall.ERANGE {
+		// Did not fit. Find the actual size
+		sz, err = listxattrSyscall(nil)
+		if err != nil {
+			return nil, err
+		}
+		// ...and allocate the buffer to fit
+		buf = make([]byte, sz)
+		sz, err = listxattrSyscall(buf)
+		if err != nil {
+			// When an xattr got added between the size probe and here,
+			// we could fail with ERANGE. This is ok as the caller will retry.
+			return nil, err
+		}
 	}
-	attrs = parseListxattrBlob(buf[:sz])
-	return attrs, nil
+	return parseListxattrBlob(buf[:sz]), nil
 }
 
 func parseListxattrBlob(buf []byte) (attrs []string) {
diff --git a/internal/syscallcompat/sys_darwin.go b/internal/syscallcompat/sys_darwin.go
index 0ebdd3b..ef19f24 100644
--- a/internal/syscallcompat/sys_darwin.go
+++ b/internal/syscallcompat/sys_darwin.go
@@ -27,6 +27,10 @@ const (
 	// Only exists on Linux. Define here to fix build failure, even though
 	// we will never see this flag.
 	RENAME_WHITEOUT = 1 << 30
+
+	// On Darwin we use O_SYMLINK which allows opening a symlink itself.
+	// On Linux, we only have O_NOFOLLOW.
+	OpenatFlagNofollowSymlink = unix.O_SYMLINK
 )
 
 // Unfortunately fsetattrlist does not have a syscall wrapper yet.
diff --git a/internal/syscallcompat/sys_linux.go b/internal/syscallcompat/sys_linux.go
index 19d2c56..71478af 100644
--- a/internal/syscallcompat/sys_linux.go
+++ b/internal/syscallcompat/sys_linux.go
@@ -28,6 +28,10 @@ const (
 	RENAME_NOREPLACE = unix.RENAME_NOREPLACE
 	RENAME_WHITEOUT  = unix.RENAME_WHITEOUT
 	RENAME_EXCHANGE  = unix.RENAME_EXCHANGE
+
+	// On Darwin we use O_SYMLINK which allows opening a symlink itself.
+	// On Linux, we only have O_NOFOLLOW.
+	OpenatFlagNofollowSymlink = unix.O_NOFOLLOW
 )
 
 var preallocWarn sync.Once