summaryrefslogtreecommitdiff
path: root/internal/fusefrontend/fs.go
AgeCommit message (Collapse)Author
2018-06-19Fix three golint warningsJakob Unterwurzacher
We are clean again. Warnings were: internal/fusefrontend/fs.go:443:14: should omit type string from declaration of var cTarget; it will be inferred from the right-hand side internal/fusefrontend/xattr.go:26:1: comment on exported method FS.GetXAttr should be of the form "GetXAttr ..." internal/syscallcompat/sys_common.go:9:7: exported const PATH_MAX should have comment or be unexported
2018-04-03fsck: report skipped corrupt filesJakob Unterwurzacher
OpenDir and ListXAttr skip over corrupt entries, readFileID treats files the are too small as empty. This improves usability in the face of corruption, but hides the problem in a log message instead of putting it in the return code. Create a channel to report these corruptions to fsck so it can report them to the user. Also update the manpage and the changelog with the -fsck option. Closes https://github.com/rfjakob/gocryptfs/issues/191
2018-04-02fsck: clean up log outputJakob Unterwurzacher
Make sure we get only 1 warning output per problem. Also, add new corruption types to broken_fs_v1.4.
2018-03-25fusefrontend: handle empty xattrs efficientlyJakob Unterwurzacher
We handle empty files by storing an actual empty file on disk. Handle xattrs similarily and encrypt the empty value to the empty value.
2018-03-25fusefrontend: add xattr supportJakob Unterwurzacher
At the moment, only for reverse mode. https://github.com/rfjakob/gocryptfs/issues/217
2018-03-24fusefrontend: create helpers for symlink encryptionJakob Unterwurzacher
These will be reused by the upcoming xattr support.
2018-02-18fusefrontend[_reverse]: move crypto init up to callerJakob Unterwurzacher
Both fusefrontend and fusefrontend_reverse were doing essentially the same thing, move it into main's initFuseFrontend. A side-effect is that we have a reference to cryptocore in main, which will help with wiping the keys on exit (https://github.com/rfjakob/gocryptfs/issues/211).
2018-01-17fusefronted: add PlaintextNames special-cases for Create & RenameJakob Unterwurzacher
gocryptfs.longname.XXX files were considered magic in PlaintextNames mode, which was wrong. Fix that and add tests. Fixes https://github.com/rfjakob/gocryptfs/issues/174
2017-12-25fusefrontend: Use Linkat syscall to implement LinkSebastian Lackner
2017-12-25fusefrontend: Handle PlaintextNames mode in LinkSebastian Lackner
In PlaintextNames mode the "gocryptfs.longname." prefix does not have any special meaning. https://github.com/rfjakob/gocryptfs/issues/174
2017-11-30syscallcompat: check that we get NOFOLLOW wherever possibleJakob Unterwurzacher
...and fix the instances where the AT_SYMLINK_NOFOLLOW / O_NOFOLLOW / O_EXCL flag was missing.
2017-11-29fusefrontend: Use Fchownat to implement ChownSebastian Lackner
2017-11-29fusefrontend: Use Fchmodat to implement ChmodSebastian Lackner
2017-11-29syscallcompat: Introduce unlinkat syscall with flags argumentSebastian Lackner
2017-11-28fusefrontend: Use openBackingPath in Unlink and simplify codeSebastian Lackner
2017-11-28fusefrontend: Handle PlaintextNames mode in UnlinkSebastian Lackner
In PlaintextNames mode the "gocryptfs.longname." prefix does not have any special meaning. We should not attempt to delete any .name files. Partially fixes https://github.com/rfjakob/gocryptfs/issues/174
2017-11-28fusefrontend: Introduce a openBackingPath helper and use it to simplify ↵Sebastian Lackner
Mknod and Symlink
2017-11-28fusefrontend: allow_other: close race between symlink and chownSebastian Lackner
Fixes the same problem as described in 72b975867a3b9bdf53fc2da62e2ba4a328d7e4ab, except for symlinks instead of device nodes.
2017-11-28fusefrontend: Use the Symlinkat syscall for longname handlingSebastian Lackner
2017-11-28fusefrontend: Set owner after symlink creation in PlaintextNames modeSebastian Lackner
This is already done in regular mode, but was missing when PlaintextNames mode is enabled. As a result, symlinks created by non-root users were still owned by root afterwards. Fixes https://github.com/rfjakob/gocryptfs/issues/176
2017-11-28fusefrontend: Handle PlaintextNames mode in MknodSebastian Lackner
In PlaintextNames mode the "gocryptfs.longname." prefix does not have any special meaning. We should not attempt to read the directory IV or to create special .name files. Partially fixes https://github.com/rfjakob/gocryptfs/issues/174
2017-11-27fusefronted: allow_other: close race between mknod and chownJakob Unterwurzacher
If the user manages to replace the directory with a symlink at just the right time, we could be tricked into chown'ing the wrong file. This change fixes the race by using fchownat, which unfortunately is not available on darwin, hence a compat wrapper is added. Scenario, as described by @slackner at https://github.com/rfjakob/gocryptfs/issues/177 : 1. Create a forward mount point with `plaintextnames` enabled 2. Mount as root user with `allow_other` 3. For testing purposes create a file `/tmp/file_owned_by_root` which is owned by the root user 4. As a regular user run inside of the GoCryptFS mount: ``` mkdir tempdir mknod tempdir/file_owned_by_root p & mv tempdir tempdir2 ln -s /tmp tempdir ``` When the steps are done fast enough and in the right order (run in a loop!), the device file will be created in `tempdir`, but the `lchown` will be executed by following the symlink. As a result, the ownership of the file located at `/tmp/file_owned_by_root` will be changed.
2017-11-25fusefrontend: Fix longname handling for renames with existing targetSebastian Lackner
Fixes https://github.com/rfjakob/gocryptfs/issues/170 Steps to reproduce the problem: * Create a regular forward mount point * Create a file with a shortname and one with a long filename * Try to run 'mv <shortname> <longname>' This should actually work and replace the existing file, but instead it fails with: mv: cannot move '<shortname>' to '<longname>': File exists The problem is the creation of the .name file. If the target already exists we can safely ignore the EEXIST error and just keep the existing .name file.
2017-08-11main: purge masterkey from memory as soon as possibleJakob Unterwurzacher
Remove the "Masterkey" field from fusefrontend.Args because it should not be stored longer than neccessary. Instead pass the masterkey as a separate argument to the filesystem initializers. Then overwrite it with zeros immediately so we don't have to wait for garbage collection. Note that the crypto implementation still stores at least a masterkey-derived value, so this change makes it harder, but not impossible, to extract the encryption keys from memory. Suggested at https://github.com/rfjakob/gocryptfs/issues/137
2017-07-11fusefronted: enable writing to write-only filesJakob Unterwurzacher
Due to RMW, we always need read permissions on the backing file. This is a problem if the file permissions do not allow reading (i.e. 0200 permissions). This patch works around that problem by chmod'ing the file, obtaining a fd, and chmod'ing it back. Test included. Issue reported at: https://github.com/rfjakob/gocryptfs/issues/125
2017-06-01Implement force_owner option to display ownership as a specific user.Charles Duffy
2017-05-03fusefrontend: log "too many open files" errorsJakob Unterwurzacher
This usually indicates that the open file limit for gocryptfs is too low. We should report this to the user.
2017-05-01fusefrontend: drop writeOnly flagJakob Unterwurzacher
We do not have to track the writeOnly status because the kernel will not forward read requests on a write-only FD to us anyway. I have verified this behavoir manually on a 4.10.8 kernel and also added a testcase.
2017-04-29fix golint complaintsJakob Unterwurzacher
2017-04-23Add -forcedecodedanim7
Force decode of encrypted files even if the integrity check fails, instead of failing with an IO error. Warning messages are still printed to syslog if corrupted files are encountered. It can be useful to recover files from disks with bad sectors or other corrupted media. Closes https://github.com/rfjakob/gocryptfs/pull/102 .
2017-03-18serialize_reads: add read serialization logicJakob Unterwurzacher
Due to kernel readahead, we usually get multiple read requests at the same time. These get submitted to the backing storage in random order, which is a problem if seeking is very expensive. Details: https://github.com/rfjakob/gocryptfs/issues/92
2017-03-05nametransform: fix Raw64 not affecting symlink targetsJakob Unterwurzacher
The symlink functions incorrectly hardcoded the padded base64 variant.
2017-03-05full stack: implement HKDF supportJakob Unterwurzacher
...but keep it disabled by default for new filesystems. We are still missing an example filesystem and CLI arguments to explicitely enable and disable it.
2017-03-05cryptocore: use eme v1.1 interfaceJakob Unterwurzacher
Version 1.1 of the EME package (github.com/rfjakob/eme) added a more convenient interface. Use it. Note that you have to upgrade your EME package (go get -u)!
2017-03-02fusefrontend: when chown'ing a directory, also chown its dirivJakob Unterwurzacher
When filename encryption is active, every directory contains a "gocryptfs.diriv" file. This file should also change the owner. Fixes https://github.com/rfjakob/gocryptfs/issues/86
2017-01-26fusefrontend: fix hard-linking with long nameJakob Unterwurzacher
This used to incorrectly try to link twice and return EEXIST.
2016-11-28fusefrontend: preserve owner for symlinksJakob Unterwurzacher
https://github.com/rfjakob/gocryptfs/issues/64
2016-11-28fusefronted: preserve owner for device nodes and socketsJakob Unterwurzacher
https://github.com/rfjakob/gocryptfs/issues/64
2016-11-28fusefrontend: use Lchown when preserving ownerJakob Unterwurzacher
This prevents (unlikely) symlink race attacks
2016-11-25main, fusefrontend: add "-noprealloc" optionJakob Unterwurzacher
Preallocation is very slow on hdds that run btrfs. Give the user the option to disable it. This greatly speeds up small file operations but reduces the robustness against out-of-space errors. Also add the option to the man page. More info: https://github.com/rfjakob/gocryptfs/issues/63
2016-11-01Add support for unpadded base64 filenames, "-raw64"Jakob Unterwurzacher
Through base64.RawURLEncoding. New command-line parameter "-raw64".
2016-10-10fusefrontend: Also preserve the owner in MkdirJakob Unterwurzacher
This already worked for files but was missing for dirs.
2016-10-04lint fixesValient Gough
2016-09-29reverse: use per-purpose nonce generationJakob Unterwurzacher
Also pull all the deterministic nonce code into fusefrontend_reverse to greatly simplify the normal code path.
2016-09-25contentenc: rename constant "IVBitLen" to "DefaultIVBits" and clarify commentJakob Unterwurzacher
128-bit IVs are NOT used everywhere.
2016-09-25contentenc: add "ExternalNonce" modeJakob Unterwurzacher
This will be used for strong symlink encryption in reverse mode.
2016-09-25fusefrontend: handle Readlink directlyJakob Unterwurzacher
Calling into go-fuse's loopbackFileSystem does not add any value here.
2016-09-25contentenc: add GCM-SIV supportJakob Unterwurzacher
Also add ReverseDummyNonce nonce generation.
2016-09-25cryptocore: add support for GCM-SIVJakob Unterwurzacher
2016-09-25fusefrontend: relay Utimens to go-fuseJakob Unterwurzacher
Commit af5441dcd9033e81da43ab77887a7b5aac693ab6 has caused a regression ( https://github.com/rfjakob/gocryptfs/issues/35 ) that is fixed by this commit. The go-fuse library by now has all the syscall wrappers in place to correctly handle Utimens, also for symlinks. Instead of duplicating the effort here just call into go-fuse. Closes #35