aboutsummaryrefslogtreecommitdiff
path: root/internal/fusefrontend/fs.go
AgeCommit message (Collapse)Author
2019-01-12fusefrontend: Preserve SUID/SGID/sticky-bits in openWriteOnlyFile and Rmdir.Sebastian Lackner
Fixes https://github.com/rfjakob/gocryptfs/issues/336 and https://github.com/rfjakob/gocryptfs/issues/337.
2019-01-12fusefrontend: -allow_other: Use SymlinkatUser in Symlink FUSE call.Sebastian Lackner
Instead of manually adjusting the user after creating the symlink, adjust effective permissions and let the kernel deal with it. Related to https://github.com/rfjakob/gocryptfs/issues/338.
2019-01-12fusefrontend: -allow_other: Use MknodatUser in Mknod FUSE call.Sebastian Lackner
Instead of manually adjusting the user and mode after creating the device file, adjust effective permissions and let the kernel deal with it. Related to https://github.com/rfjakob/gocryptfs/issues/338.
2019-01-12fusefrontend: -allow_other: Use OpenatUser in Create FUSE call.Sebastian Lackner
Revert commit b22cc03c7516b2003880db8375d26c76d6dff093. Instead of manually adjusting the user and mode after creating the file, adjust effective permissions and let the kernel deal with it. Related to https://github.com/rfjakob/gocryptfs/issues/338.
2019-01-12fusefrontend: Don't chown gocryptfs.diriv files.Sebastian Lackner
The current code has a risk of race-conditions, since we pass a path containing "/" to Fchownat. We could fix this by opening a file descriptor, however, this does not seem worth the effort. We also don't chown *.name files.
2019-01-08fusefrontend: -allow_other: set file mode *after* chown in Create()Jakob Unterwurzacher
Reported by @slackner at https://github.com/rfjakob/gocryptfs/issues/327 : Possible race-conditions between file creation and Fchownat * Assume a system contains a gocryptfs mount as root user with -allow_other * As a regular user create a new file with mode containing the SUID flag and write access for other users * Before gocryptfs executes the Fchownat call, try to open the file again, write some exploit code to it, and try to run it. For a short time, the file is owned by root and has the SUID flag, so this is pretty dangerous.
2019-01-07fusefrontend: Clarify access mode check related to O_WRONLY handling.Sebastian Lackner
Use O_ACCMODE mask in openWriteOnlyFile for improved readability.
2019-01-07fusefrontend: Filter O_CREAT in mangleOpenFlags.Sebastian Lackner
2019-01-06fusefrontend: Check result of Fchmod syscall.Sebastian Lackner
Fixes https://github.com/rfjakob/gocryptfs/issues/328
2019-01-04fusefrontend: print warning when Create() runs out of file descriptorsJakob Unterwurzacher
We alread have this warning in Open(), but xfstests generic/488 causes "too many open files" via Create. Add the same message so the user sees what is going on.
2019-01-04A few more spelling fixes.Sebastian Lackner
Found with the 'codespell' utility.
2019-01-03fusefrontend: add dirCacheJakob Unterwurzacher
2019-01-02fusefrontend: move openBackingDir into its own fileJakob Unterwurzacher
This function is in all fastpaths, will get a cache, and needs its own file. renamed: internal/fusefrontend/names.go -> internal/fusefrontend/openbackingdir.go renamed: internal/fusefrontend/names_test.go -> internal/fusefrontend/openbackingdir_test.go
2019-01-02fusefrontend: xattr: fix operations on files without read permissionsJakob Unterwurzacher
* listxattr is fixed via the /proc/self/fd trick * setxattr,removexattr are fixed by opening the file O_WRONLY Fixes https://github.com/rfjakob/gocryptfs/issues/308
2019-01-02fusefrontend: don't downgrade type needlesslyJakob Unterwurzacher
2019-01-01fusefrontend: fix fd leak in Access()Jakob Unterwurzacher
Thanks @slackner! Fixes https://github.com/rfjakob/gocryptfs/issues/306
2019-01-01fusefrontend: make Utimens symlink-safeJakob Unterwurzacher
unix.UtimesNanoAt now also exists on Darwin, yay!
2019-01-01fusefrontend: mark Truncate, Unlink, Symlink symlink-safeJakob Unterwurzacher
No changes needed.
2019-01-01fusefrontend: make Rmdir symlink-safeJakob Unterwurzacher
Now uses Unlinkat.
2019-01-01nametransform: rename WriteLongName() -> WriteLongNameAt()Jakob Unterwurzacher
And also rename DeleteLongName() -> DeleteLongNameAt(). The naming follow the names open the openat() etc syscalls.
2019-01-01fusefrontend: make Readlink() symlink-safeJakob Unterwurzacher
Now symlink-safe through Readlinkat().
2019-01-01fusefrontend: make GetAttr() symlink-safeJakob Unterwurzacher
Use openBackingDir() and Fstatat(). High performance impact, though part of it should be mitigated by adding DirIV caching to the new code paths. $ ./benchmark.bash Testing gocryptfs at /tmp/benchmark.bash.Eou: gocryptfs v1.6-37-ge3914b3-dirty; go-fuse v20170619-66-g6df8ddc; 2018-10-14 go1.11 WRITE: 262144000 bytes (262 MB, 250 MiB) copied, 1.2289 s, 213 MB/s READ: 262144000 bytes (262 MB, 250 MiB) copied, 1.02616 s, 255 MB/s UNTAR: 24.490 MD5: 13.120 LS: 3.368 RM: 9.232
2019-01-01fusefrontend: mark symlink-safe FUSE callsJakob Unterwurzacher
Document which FUSE calls are already symlink-safe in the function comment.
2019-01-01fusefrontend: make Access() symlink-safe.Jakob Unterwurzacher
Make Access() symlink-safe through use of faccessat.
2018-10-11Add option for autounmountJesse Dunietz
Even though filesystem notifications aren't implemented for FUSE, I decided to try my hand at implementing the autounmount feature (#128). I based it on the EncFS autounmount code, which records filesystem accesses and checks every X seconds whether it's idled long enough to unmount. I've tested the feature locally, but I haven't added any tests for this flag. I also haven't worked with Go before. So please let me know if there's anything that should be done differently. One particular concern: I worked from the assumption that the open files table is unique per-filesystem. If that's not true, I'll need to add an open file count and associated lock to the Filesystem type instead. https://github.com/rfjakob/gocryptfs/pull/265
2018-09-23fusefrontend: Fix uint16 build failure on DarwinJakob Unterwurzacher
Error was: # github.com/rfjakob/gocryptfs/internal/fusefrontend internal/fusefrontend/fs.go:179: cannot use perms | 256 (type uint16) as type uint32 in argument to syscall.Fchmod internal/fusefrontend/fs.go:185: cannot use perms (type uint16) as type uint32 in argument to syscall.Fchmod
2018-09-23fusefrontend: make Rename() symlink-safeJakob Unterwurzacher
Use Openat() and the openBackingDir() helper so we never follow symlinks.
2018-09-23fusefrontend: make Create() symlink-safeJakob Unterwurzacher
Use Openat() and the openBackingDir() helper so we never follow symlinks.
2018-09-23fusefrontend: Open(): fix dirfd leakJakob Unterwurzacher
Close was missing.
2018-09-23fusefrontend: get rid of os.File* wrappingJakob Unterwurzacher
Directly use int file descriptors for the dirfd and get rid of one level of indirection.
2018-09-23fusefrontent: make Open() symlink-safeJakob Unterwurzacher
2018-09-08fusefrontend: use OpenDirNofollow in openBackingDirJakob Unterwurzacher
Rename openBackingPath to openBackingDir and use OpenDirNofollow to be safe against symlink races. Note that openBackingDir is not used in several important code paths like Create(). But it is used in Unlink, and the performance impact in the RM benchmark to be acceptable: Before $ ./benchmark.bash Testing gocryptfs at /tmp/benchmark.bash.bYO: gocryptfs v1.6-12-g930c37e-dirty; go-fuse v20170619-49-gb11e293; 2018-09-08 go1.10.3 WRITE: 262144000 bytes (262 MB, 250 MiB) copied, 1.07979 s, 243 MB/s READ: 262144000 bytes (262 MB, 250 MiB) copied, 0.882413 s, 297 MB/s UNTAR: 16.703 MD5: 7.606 LS: 1.349 RM: 3.237 After $ ./benchmark.bash Testing gocryptfs at /tmp/benchmark.bash.jK3: gocryptfs v1.6-13-g84d6faf-dirty; go-fuse v20170619-49-gb11e293; 2018-09-08 go1.10.3 WRITE: 262144000 bytes (262 MB, 250 MiB) copied, 1.06261 s, 247 MB/s READ: 262144000 bytes (262 MB, 250 MiB) copied, 0.947228 s, 277 MB/s UNTAR: 17.197 MD5: 7.540 LS: 1.364 RM: 3.410
2018-08-11reverse mode: add --exclude optionJakob Unterwurzacher
https://github.com/rfjakob/gocryptfs/issues/235
2018-07-04macos: fix O_DIRECT build failureJakob Unterwurzacher
O_DIRECT has no direct equivalent on MacOS (check out https://github.com/libuv/libuv/issues/1600 for details). Just define it to zero there.
2018-07-02fusefrontend: disallow O_DIRECT and fall back to buffered IOJakob Unterwurzacher
O_DIRECT accesses must be aligned in both offset and length. Due to our crypto header, alignment will be off, even if userspace makes aligned accesses. Running xfstests generic/013 on ext4 used to trigger lots of EINVAL errors due to missing alignment. Just fall back to buffered IO.
2018-07-01fsck: rename "CorruptItems" channel to "MitigatedCorruptions"Jakob Unterwurzacher
Make it clear that this channel is only used to report corruptions that are transparently mitigated and do not return an error to the user.
2018-06-19Fix three golint warningsJakob Unterwurzacher
We are clean again. Warnings were: internal/fusefrontend/fs.go:443:14: should omit type string from declaration of var cTarget; it will be inferred from the right-hand side internal/fusefrontend/xattr.go:26:1: comment on exported method FS.GetXAttr should be of the form "GetXAttr ..." internal/syscallcompat/sys_common.go:9:7: exported const PATH_MAX should have comment or be unexported
2018-04-03fsck: report skipped corrupt filesJakob Unterwurzacher
OpenDir and ListXAttr skip over corrupt entries, readFileID treats files the are too small as empty. This improves usability in the face of corruption, but hides the problem in a log message instead of putting it in the return code. Create a channel to report these corruptions to fsck so it can report them to the user. Also update the manpage and the changelog with the -fsck option. Closes https://github.com/rfjakob/gocryptfs/issues/191
2018-04-02fsck: clean up log outputJakob Unterwurzacher
Make sure we get only 1 warning output per problem. Also, add new corruption types to broken_fs_v1.4.
2018-03-25fusefrontend: handle empty xattrs efficientlyJakob Unterwurzacher
We handle empty files by storing an actual empty file on disk. Handle xattrs similarily and encrypt the empty value to the empty value.
2018-03-25fusefrontend: add xattr supportJakob Unterwurzacher
At the moment, only for reverse mode. https://github.com/rfjakob/gocryptfs/issues/217
2018-03-24fusefrontend: create helpers for symlink encryptionJakob Unterwurzacher
These will be reused by the upcoming xattr support.
2018-02-18fusefrontend[_reverse]: move crypto init up to callerJakob Unterwurzacher
Both fusefrontend and fusefrontend_reverse were doing essentially the same thing, move it into main's initFuseFrontend. A side-effect is that we have a reference to cryptocore in main, which will help with wiping the keys on exit (https://github.com/rfjakob/gocryptfs/issues/211).
2018-01-17fusefronted: add PlaintextNames special-cases for Create & RenameJakob Unterwurzacher
gocryptfs.longname.XXX files were considered magic in PlaintextNames mode, which was wrong. Fix that and add tests. Fixes https://github.com/rfjakob/gocryptfs/issues/174
2017-12-25fusefrontend: Use Linkat syscall to implement LinkSebastian Lackner
2017-12-25fusefrontend: Handle PlaintextNames mode in LinkSebastian Lackner
In PlaintextNames mode the "gocryptfs.longname." prefix does not have any special meaning. https://github.com/rfjakob/gocryptfs/issues/174
2017-11-30syscallcompat: check that we get NOFOLLOW wherever possibleJakob Unterwurzacher
...and fix the instances where the AT_SYMLINK_NOFOLLOW / O_NOFOLLOW / O_EXCL flag was missing.
2017-11-29fusefrontend: Use Fchownat to implement ChownSebastian Lackner
2017-11-29fusefrontend: Use Fchmodat to implement ChmodSebastian Lackner
2017-11-29syscallcompat: Introduce unlinkat syscall with flags argumentSebastian Lackner