summaryrefslogtreecommitdiff
path: root/internal/fusefrontend_reverse/rfs.go
AgeCommit message (Collapse)Author
2019-03-26reverse mode: support wildcard exclude (--exclude-wildcard)Eduardo M KALINOWSKI
This adds support for gitignore-like wildcards and exclude patters in reverse mode. It (somewhat) fixes #273: no regexp support, but the syntax should be powerful enough to satisfy most needs. Also, since adding a lot of --exclude options can be tedious, it adds the --exclude-from option to read patterns from a file (or files).
2019-01-20Revert "syscallcompat: drop Faccessat AT_SYMLINK_NOFOLLOW helper"Jakob Unterwurzacher
Breaks mounting on MacOS: unix.Faccessat on Darwin does NOT (yet) support AT_SYMLINK_NOFOLLOW. See d44fe89ba4f3252c5bd00c4f7730197732f2a26a . This reverts commit 0805a63df1b5f915b228727f6074c2506922d0ad.
2019-01-20syscallcompat: drop Faccessat AT_SYMLINK_NOFOLLOW helperJakob Unterwurzacher
unix.Faccessat has added support for AT_SYMLINK_NOFOLLOW in July 2018, https://github.com/golang/sys/commit/bd9dbc187b6e1dacfdd2722a87e83093c2d7bd6e#diff-341484dbbe3180cd7a31ef2ad2d679b6 which means we no longer need our own helper. Closes https://github.com/rfjakob/gocryptfs/issues/347
2019-01-15fusefrontend_reverse: Delete leftover debug statement.Sebastian Lackner
2019-01-04fusefrontend_reverse: Fix redeclaration of 'entries' variable.Sebastian Lackner
Go version go1.10.7 linux/amd64 complains with: internal/fusefrontend_reverse/rfs.go:333: declaration of "entries" shadows declaration at internal/fusefrontend_reverse/rfs.go:327
2019-01-04reverse mode: -exclude: filter out excluded .name filesJakob Unterwurzacher
Fixes https://github.com/rfjakob/gocryptfs/issues/286 : While the actual file is properly excluded, the * .name file is still leaked in the directory listing: ``` drwxr-xr-x 2 sebastian sebastian 4,0K Dez 17 14:58 . drwxr-xr-x 7 sebastian sebastian 4,0K Dez 17 14:45 .. -r-------- 1 sebastian sebastian 408 Dez 17 14:56 gocryptfs.conf -r--r--r-- 1 sebastian sebastian 16 Dez 17 14:58 gocryptfs.diriv -r--r--r-- 1 sebastian sebastian 320 Dez 17 14:58 gocryptfs.longname.3vZ_r3eDPb1_fL3j5VA4rd_bcKWLKT9eaxOVIGK5HFA.name ```
2019-01-04reverse mode: fix "-exclude" in "-plaintextnames" dir listingsJakob Unterwurzacher
Excluded files showed up in directory listing like this: drwxr-xr-x 2 sebastian sebastian 4,0K Dez 17 14:48 . drwxr-xr-x 7 sebastian sebastian 4,0K Dez 17 14:45 .. -????????? ? ? ? ? ? abcd -r-------- 1 sebastian sebastian 366 Dez 17 14:45 gocryptfs.conf Fixes https://github.com/rfjakob/gocryptfs/issues/285
2018-09-08syscallcompat: use O_PATH in OpenDirNofollowJakob Unterwurzacher
This fixes the "0100 directory" problem in reverse mode, and should be slightly faster.
2018-09-08syscallcompat: untangle OpenNofollow and rename to OpenDirNofollowJakob Unterwurzacher
The function used to do two things: 1) Walk the directory tree in a manner safe from symlink attacks 2) Open the final component in the mode requested by the caller This change drops (2), which was only used once, and lets the caller handle it. This simplifies the function and makes it fit for reuse in forward mode in openBackingPath(), and for using O_PATH on Linux.
2018-08-15fusefrontend_reverse: reject excludes for the root directory ""Jakob Unterwurzacher
This is most likely a mistake by the user. Reject it.
2018-08-11reverse mode: add --exclude optionJakob Unterwurzacher
https://github.com/rfjakob/gocryptfs/issues/235
2018-06-08darwin does not have PATH_MAXJakob Unterwurzacher
Define our own, with the value from Linux.
2018-02-18fusefrontend[_reverse]: move crypto init up to callerJakob Unterwurzacher
Both fusefrontend and fusefrontend_reverse were doing essentially the same thing, move it into main's initFuseFrontend. A side-effect is that we have a reference to cryptocore in main, which will help with wiping the keys on exit (https://github.com/rfjakob/gocryptfs/issues/211).
2018-02-01gccgo: replace syscall.NAME_MAX with unix.NAME_MAXJakob Unterwurzacher
For some reason the syscall.NAME_MAX constant does not exist on gccgo, and it does not hurt us to use unix.NAME_MAX instead. https://github.com/rfjakob/gocryptfs/issues/201
2017-12-11fusefrontend_reverse: Use O_DIRECTORY in OpenDir implementationSebastian Lackner
Also get rid of the defer - it is not really necessary here.
2017-12-07fusefrontend_reverse: Use openBackingDir in GetAttrSebastian Lackner
Also fixes 48bd59f38843e5ebd4e4c9f666f1aea1c9990803 - the directory FD should also be closed in case of an error.
2017-12-07fusefrontend_reverse: Use openBackingDir in ReadlinkSebastian Lackner
2017-12-07fusefrontend_reverse: fix fd leak in GetAttrJakob Unterwurzacher
Fixes https://github.com/rfjakob/gocryptfs/issues/184
2017-12-07fusefrontend_reverse: secure Access against symlink races (somewhat)Jakob Unterwurzacher
Unfortunately, faccessat in Linux ignores AT_SYMLINK_NOFOLLOW, so this is not completely atomic. Given that the information you get from access is not very interesting, it seems good enough. https://github.com/rfjakob/gocryptfs/issues/165
2017-12-06fusefrontend_reverse: secure Readlink against symlink racesJakob Unterwurzacher
...by using Readlinkat. Tracking ticket: https://github.com/rfjakob/gocryptfs/issues/165
2017-12-06fusefrontend_reverse: secure GetAttr against symlink racesJakob Unterwurzacher
...by using the OpenNofollow helper & Fstatat. Also introduce a helper to convert from unix.Stat_t to syscall.Stat_t. Tracking ticket: https://github.com/rfjakob/gocryptfs/issues/165
2017-12-05fusefrontend_reverse: secure OpenDir against symlink racesJakob Unterwurzacher
...by using the new OpenNofollow helper. The benchmark shows a small but acceptable performance loss: $ ./benchmark-reverse.bash LS: 2.182 CAT: 18.221 Tracking ticket: https://github.com/rfjakob/gocryptfs/issues/165
2017-12-02fusefrontend_reverse: secure StatFs agains symlink racesJakob Unterwurzacher
...by ignoring the path that was passed in. https://github.com/rfjakob/gocryptfs/issues/165
2017-12-02fusefrontend_reverse: secure Open against symlink racesJakob Unterwurzacher
...using the new syscallcompat.OpenNofollow helper. This change secures Open() against symlink race attacks as described in https://github.com/rfjakob/gocryptfs/issues/165
2017-11-26reverse: reject too-long symlink target reads with ENAMETOOLONGJakob Unterwurzacher
If the symlink target gets too long due to base64 encoding, we should return ENAMETOOLONG instead of having the kernel reject the data and returning an I/O error to the user. Fixes https://github.com/rfjakob/gocryptfs/issues/167
2017-08-11main: purge masterkey from memory as soon as possibleJakob Unterwurzacher
Remove the "Masterkey" field from fusefrontend.Args because it should not be stored longer than neccessary. Instead pass the masterkey as a separate argument to the filesystem initializers. Then overwrite it with zeros immediately so we don't have to wait for garbage collection. Note that the crypto implementation still stores at least a masterkey-derived value, so this change makes it harder, but not impossible, to extract the encryption keys from memory. Suggested at https://github.com/rfjakob/gocryptfs/issues/137
2017-07-29fusefronted_reverse: fix ino collision between .name and .diriv filesJakob Unterwurzacher
A directory with a long name has two associated virtual files: the .name file and the .diriv files. These used to get the same inode number: $ ls -di1 * */* 33313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw 1000000000033313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw/gocryptfs.diriv 1000000000033313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw.name With this change we use another prefix (2 instead of 1) for .name files. $ ls -di1 * */* 33313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw 1000000000033313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw/gocryptfs.diriv 2000000000033313535 gocryptfs.longname.2togDFouca9mrTwtfF1RNW5DZRAQY8alaR7wO_Xd5Zw.name
2017-06-01Implement force_owner option to display ownership as a specific user.Charles Duffy
2017-05-30fusefrontend_reverse: move pathiv to its own packageJakob Unterwurzacher
We will also need it in forward mode.
2017-04-29fix golint complaintsJakob Unterwurzacher
2017-04-23Add -forcedecodedanim7
Force decode of encrypted files even if the integrity check fails, instead of failing with an IO error. Warning messages are still printed to syslog if corrupted files are encountered. It can be useful to recover files from disks with bad sectors or other corrupted media. Closes https://github.com/rfjakob/gocryptfs/pull/102 .
2017-04-01fusefrontend_reverse: switch to stable inode numbersJakob Unterwurzacher
The volatile inode numbers that we used before cause "find" to complain and error out. Virtual inode numbers are derived from their parent file inode number by adding 10^19, which is hopefully large enough no never cause problems in practice. If the backing directory contains inode numbers higher than that, stat() on these files will return EOVERFLOW. Example directory lising after this change: $ ls -i 926473 gocryptfs.conf 1000000000000926466 gocryptfs.diriv 944878 gocryptfs.longname.hmZojMqC6ns47eyVxLlH2ailKjN9bxfosi3C-FR8mjA 1000000000000944878 gocryptfs.longname.hmZojMqC6ns47eyVxLlH2ailKjN9bxfosi3C-FR8mjA.name 934408 Tdfbf02CKsTaGVYnAsSypA
2017-04-01fusefrontend_reverse: drop unused dirIVAttr functionJakob Unterwurzacher
This has long been replaced by virtualFile.GetAttr().
2017-04-01fusefrontend_reverse: convert fmt.Printf calls to tlogJakob Unterwurzacher
The fmt.Printfs output would end up in the paniclog.
2017-03-28fusefrontend_reverse: consistent file owners for .diriv, .name filesdanim7
This PR addresses the Issue #95, about "Confusing file owner for longname files in reverse mode". It affects only the reverse mode, and introduces two modifications: 1) The "gocryptfs.longname.XXXX.name" files are assigned the owner and group of the underlying plaintext file. Therefore it is consistent with the file "gocryptfs.longname.XXXX" that has the encrypted contents of the plaintext file. 2) The two virtual files mentioned above are given -r--r--r-- permissions. This is consistent with the behavior described in function Access in internal/fusefrontend_reverse/rfs.go where all virtual files are always readable. Behavior also observed in point c) in #95 . Issue #95 URL: https://github.com/rfjakob/gocryptfs/issues/95 Pull request URL: https://github.com/rfjakob/gocryptfs/pull/97
2017-03-07Report correct symbolic link dentry sizesM. Vefa Bicakci
Prior to this commit, gocryptfs's reverse mode did not report correct directory entry sizes for symbolic links, where the dentry size needs to be the same as the length of a string containing the target path. This commit corrects this issue and adds a test case to verify the correctness of the implementation. This issue was discovered during the use of a strict file copying program on a reverse-mounted gocryptfs file system.
2017-03-05nametransform: fix Raw64 not affecting symlink targetsJakob Unterwurzacher
The symlink functions incorrectly hardcoded the padded base64 variant.
2017-03-05nametransform: fix Raw64 not affecting longnamesJakob Unterwurzacher
HashLongName() incorrectly hardcoded the call to base64.URLEncoding.
2017-03-05full stack: implement HKDF supportJakob Unterwurzacher
...but keep it disabled by default for new filesystems. We are still missing an example filesystem and CLI arguments to explicitely enable and disable it.
2017-03-05cryptocore: use eme v1.1 interfaceJakob Unterwurzacher
Version 1.1 of the EME package (github.com/rfjakob/eme) added a more convenient interface. Use it. Note that you have to upgrade your EME package (go get -u)!
2017-02-16fusefrontend_reverse: handle .name files in Access()Jakob Unterwurzacher
These were currently passed to decryptPath() were it caused a warning.
2016-12-10Replace all calls to naked panic() with log.Panic()Jakob Unterwurzacher
We want all panics to show up in the syslog.
2016-11-17fusefrontend: upgrade wlockMap to use device AND inode numberJakob Unterwurzacher
If there are multiple filesystems backing the gocryptfs filesystems inode numbers are not guaranteed to be unique.
2016-11-10Fix golint warningsJakob Unterwurzacher
$ golint ./... | grep -v underscore | grep -v ALL_CAPS internal/fusefrontend_reverse/rfs.go:52:36: exported func NewFS returns unexported type *fusefrontend_reverse.reverseFS, which can be annoying to use internal/nametransform/raw64_go1.5.go:10:2: exported const HaveRaw64 should have comment (or a comment on this block) or be unexported
2016-11-10ctlsock: add initial limited implementationJakob Unterwurzacher
At the moment, in forward mode you can only encrypt paths and in reverse mode you can only decrypt paths.
2016-11-01Add support for unpadded base64 filenames, "-raw64"Jakob Unterwurzacher
Through base64.RawURLEncoding. New command-line parameter "-raw64".
2016-10-09reverse: add panics against API abuseJakob Unterwurzacher
These should help prevent later programming errors.
2016-10-08reverse: gocryptfs.conf was missing from the directory listingsJakob Unterwurzacher
Fix the test for that and add checks in example_filesystems_test.
2016-10-08reverse: merge config translation check into isTranslatedConfigJakob Unterwurzacher
Also get rid of useless isFiltered function.
2016-10-08reverse: make gocryptfs.conf mapping plaintextnames-awareJakob Unterwurzacher
Only in plaintextnames-mode AND with the config file at the default location it will be mapped into the mountpoint. Also adds a test for that.