From e97c23e08383666117523cf3145f1213b41c2489 Mon Sep 17 00:00:00 2001 From: Jakob Unterwurzacher Date: Thu, 30 Nov 2017 19:40:53 +0100 Subject: syscallcompat: check that we get NOFOLLOW wherever possible ...and fix the instances where the AT_SYMLINK_NOFOLLOW / O_NOFOLLOW / O_EXCL flag was missing. --- internal/fusefrontend/fs.go | 4 ++-- internal/fusefrontend/fs_dir.go | 4 ++-- internal/nametransform/diriv.go | 3 ++- internal/syscallcompat/emulate.go | 4 ++-- internal/syscallcompat/sys_linux.go | 17 +++++++++++++++++ 5 files changed, 25 insertions(+), 7 deletions(-) diff --git a/internal/fusefrontend/fs.go b/internal/fusefrontend/fs.go index d6467f9..cc055c7 100644 --- a/internal/fusefrontend/fs.go +++ b/internal/fusefrontend/fs.go @@ -211,7 +211,7 @@ func (fs *FS) Create(path string, flags uint32, mode uint32, context *fuse.Conte // Create content var fdRaw int - fdRaw, err = syscallcompat.Openat(int(dirfd.Fd()), cName, newFlags|os.O_CREATE, mode) + fdRaw, err = syscallcompat.Openat(int(dirfd.Fd()), cName, newFlags|os.O_CREATE|os.O_EXCL, mode) if err != nil { nametransform.DeleteLongName(dirfd, cName) return nil, fuse.ToStatus(err) @@ -219,7 +219,7 @@ func (fs *FS) Create(path string, flags uint32, mode uint32, context *fuse.Conte fd = os.NewFile(uintptr(fdRaw), cName) } else { // Normal (short) file name - fd, err = os.OpenFile(cPath, newFlags|os.O_CREATE, os.FileMode(mode)) + fd, err = os.OpenFile(cPath, newFlags|os.O_CREATE|os.O_EXCL, os.FileMode(mode)) if err != nil { return nil, fuse.ToStatus(err) } diff --git a/internal/fusefrontend/fs_dir.go b/internal/fusefrontend/fs_dir.go index 4ffaaff..5cc269b 100644 --- a/internal/fusefrontend/fs_dir.go +++ b/internal/fusefrontend/fs_dir.go @@ -146,7 +146,7 @@ func (fs *FS) Rmdir(path string, context *fuse.Context) (code fuse.Status) { cName := filepath.Base(cPath) dirfdRaw, err := syscallcompat.Openat(int(parentDirFd.Fd()), cName, - syscall.O_RDONLY, 0) + syscall.O_RDONLY|syscall.O_NOFOLLOW, 0) if err == syscall.EACCES { // We need permission to read and modify the directory tlog.Debug.Printf("Rmdir: handling EACCESS") @@ -168,7 +168,7 @@ func (fs *FS) Rmdir(path string, context *fuse.Context) (code fuse.Status) { var st syscall.Stat_t syscall.Lstat(cPath, &st) dirfdRaw, err = syscallcompat.Openat(int(parentDirFd.Fd()), cName, - syscall.O_RDONLY, 0) + syscall.O_RDONLY|syscall.O_NOFOLLOW, 0) // Undo the chmod if removing the directory failed defer func() { if code != fuse.OK { diff --git a/internal/nametransform/diriv.go b/internal/nametransform/diriv.go index fe289c6..f980a04 100644 --- a/internal/nametransform/diriv.go +++ b/internal/nametransform/diriv.go @@ -36,7 +36,8 @@ func ReadDirIV(dir string) (iv []byte, err error) { // ReadDirIVAt reads "gocryptfs.diriv" from the directory that is opened as "dirfd". // Using the dirfd makes it immune to concurrent renames of the directory. func ReadDirIVAt(dirfd *os.File) (iv []byte, err error) { - fdRaw, err := syscallcompat.Openat(int(dirfd.Fd()), DirIVFilename, syscall.O_RDONLY, 0) + fdRaw, err := syscallcompat.Openat(int(dirfd.Fd()), DirIVFilename, + syscall.O_RDONLY|syscall.O_NOFOLLOW, 0) if err != nil { tlog.Warn.Printf("ReadDirIVAt: opening %q in dir %q failed: %v", DirIVFilename, dirfd.Name(), err) diff --git a/internal/syscallcompat/emulate.go b/internal/syscallcompat/emulate.go index 59d0ea5..3af45f8 100644 --- a/internal/syscallcompat/emulate.go +++ b/internal/syscallcompat/emulate.go @@ -136,12 +136,12 @@ func emulateFchmodat(dirfd int, path string, mode uint32, flags int) (err error) } defer syscall.Fchdir(cwd) // We also don't have Lchmod, so emulate it (poorly). - if flags&unix.AT_SYMLINK_NOFOLLOW > 0 { + if flags&unix.AT_SYMLINK_NOFOLLOW != 0 { fi, err := os.Lstat(path) if err != nil { return err } - if fi.Mode()&os.ModeSymlink > 0 { + if fi.Mode()&os.ModeSymlink != 0 { return nil } } diff --git a/internal/syscallcompat/sys_linux.go b/internal/syscallcompat/sys_linux.go index 1ea56b5..e9ca7cb 100644 --- a/internal/syscallcompat/sys_linux.go +++ b/internal/syscallcompat/sys_linux.go @@ -6,6 +6,8 @@ import ( "syscall" "unsafe" + "golang.org/x/sys/unix" + "github.com/rfjakob/gocryptfs/internal/tlog" ) @@ -46,6 +48,11 @@ func Fallocate(fd int, mode uint32, off int64, len int64) (err error) { // Openat wraps the Openat syscall. func Openat(dirfd int, path string, flags int, mode uint32) (fd int, err error) { + // Why would we ever want to call this without O_NOFOLLOW and O_EXCL? + if !(flags&syscall.O_CREAT != 0 && flags&syscall.O_EXCL != 0) && flags&syscall.O_NOFOLLOW == 0 { + tlog.Warn.Printf("Openat: adding missing O_NOFOLLOW flag") + flags |= syscall.O_NOFOLLOW + } return syscall.Openat(dirfd, path, flags, mode) } @@ -82,11 +89,21 @@ func Dup3(oldfd int, newfd int, flags int) (err error) { // Fchmodat syscall. func Fchmodat(dirfd int, path string, mode uint32, flags int) (err error) { + // Why would we ever want to call this without AT_SYMLINK_NOFOLLOW? + if flags&unix.AT_SYMLINK_NOFOLLOW == 0 { + tlog.Warn.Printf("Fchmodat: adding missing AT_SYMLINK_NOFOLLOW flag") + flags |= unix.AT_SYMLINK_NOFOLLOW + } return syscall.Fchmodat(dirfd, path, mode, flags) } // Fchownat syscall. func Fchownat(dirfd int, path string, uid int, gid int, flags int) (err error) { + // Why would we ever want to call this without AT_SYMLINK_NOFOLLOW? + if flags&unix.AT_SYMLINK_NOFOLLOW == 0 { + tlog.Warn.Printf("Fchownat: adding missing AT_SYMLINK_NOFOLLOW flag") + flags |= unix.AT_SYMLINK_NOFOLLOW + } return syscall.Fchownat(dirfd, path, uid, gid, flags) } -- cgit v1.2.3