1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
|
// Package fusefrontend interfaces directly with the go-fuse library.
package fusefrontend
// FUSE operations on paths
import (
"strings"
"syscall"
"github.com/hanwen/go-fuse/fuse"
"github.com/pkg/xattr"
"github.com/rfjakob/gocryptfs/internal/tlog"
)
const _EOPNOTSUPP = fuse.Status(syscall.EOPNOTSUPP)
// xattr names are encrypted like file names, but with a fixed IV.
// Padded with "_xx" for length 16.
var xattrNameIV = []byte("xattr_name_iv_xx")
// We store encrypted xattrs under this prefix plus the base64-encoded
// encrypted original name.
var xattrStorePrefix = "user.gocryptfs."
// GetXAttr - FUSE call. Reads the value of extended attribute "attr".
//
// This function is symlink-safe on Linux.
// Darwin does not have fgetxattr(2) nor /proc. How to implement this on Darwin
// in a symlink-safe way?
func (fs *FS) GetXAttr(relPath string, attr string, context *fuse.Context) ([]byte, fuse.Status) {
if fs.isFiltered(relPath) {
return nil, fuse.EPERM
}
if disallowedXAttrName(attr) {
return nil, _EOPNOTSUPP
}
cAttr := fs.encryptXattrName(attr)
cData, status := fs.getXattr(relPath, cAttr, context)
if !status.Ok() {
return nil, status
}
data, err := fs.decryptXattrValue(cData)
if err != nil {
tlog.Warn.Printf("GetXAttr: %v", err)
return nil, fuse.EIO
}
return data, fuse.OK
}
// SetXAttr - FUSE call.
//
// TODO: Make symlink-safe. Currently blocked because the xattr package does
// not provide fsetxattr.
func (fs *FS) SetXAttr(path string, attr string, data []byte, flags int, context *fuse.Context) fuse.Status {
if fs.isFiltered(path) {
return fuse.EPERM
}
if disallowedXAttrName(attr) {
return _EOPNOTSUPP
}
flags = filterXattrSetFlags(flags)
cPath, err := fs.getBackingPath(path)
if err != nil {
return fuse.ToStatus(err)
}
cAttr := fs.encryptXattrName(attr)
cData := fs.encryptXattrValue(data)
return unpackXattrErr(xattr.LSetWithFlags(cPath, cAttr, cData, flags))
}
// RemoveXAttr - FUSE call.
//
// TODO: Make symlink-safe. Blocker: package xattr does not provide
// fremovexattr(2).
func (fs *FS) RemoveXAttr(path string, attr string, context *fuse.Context) fuse.Status {
if fs.isFiltered(path) {
return fuse.EPERM
}
if disallowedXAttrName(attr) {
return _EOPNOTSUPP
}
cPath, err := fs.getBackingPath(path)
if err != nil {
return fuse.ToStatus(err)
}
cAttr := fs.encryptXattrName(attr)
return unpackXattrErr(xattr.LRemove(cPath, cAttr))
}
// ListXAttr - FUSE call. Lists extended attributes on the file at "path".
//
// TODO: Make symlink-safe. Blocker: package xattr does not provide
// flistxattr(2).
func (fs *FS) ListXAttr(path string, context *fuse.Context) ([]string, fuse.Status) {
if fs.isFiltered(path) {
return nil, fuse.EPERM
}
cPath, err := fs.getBackingPath(path)
if err != nil {
return nil, fuse.ToStatus(err)
}
cNames, err := xattr.LList(cPath)
if err != nil {
return nil, unpackXattrErr(err)
}
names := make([]string, 0, len(cNames))
for _, curName := range cNames {
if !strings.HasPrefix(curName, xattrStorePrefix) {
continue
}
name, err := fs.decryptXattrName(curName)
if err != nil {
tlog.Warn.Printf("ListXAttr: invalid xattr name %q: %v", curName, err)
fs.reportMitigatedCorruption(curName)
continue
}
names = append(names, name)
}
return names, fuse.OK
}
// encryptXattrName transforms "user.foo" to "user.gocryptfs.a5sAd4XAa47f5as6dAf"
func (fs *FS) encryptXattrName(attr string) (cAttr string) {
// xattr names are encrypted like file names, but with a fixed IV.
cAttr = xattrStorePrefix + fs.nameTransform.EncryptName(attr, xattrNameIV)
return cAttr
}
func (fs *FS) decryptXattrName(cAttr string) (attr string, err error) {
// Reject anything that does not start with "user.gocryptfs."
if !strings.HasPrefix(cAttr, xattrStorePrefix) {
return "", syscall.EINVAL
}
// Strip "user.gocryptfs." prefix
cAttr = cAttr[len(xattrStorePrefix):]
attr, err = fs.nameTransform.DecryptName(cAttr, xattrNameIV)
if err != nil {
return "", err
}
return attr, nil
}
// encryptXattrValue encrypts the xattr value "data".
// The data is encrypted like a file content block, but without binding it to
// a file location (block number and file id are set to zero).
// Special case: an empty value is encrypted to an empty value.
func (fs *FS) encryptXattrValue(data []byte) (cData []byte) {
if len(data) == 0 {
return []byte{}
}
return fs.contentEnc.EncryptBlock(data, 0, nil)
}
// decryptXattrValue decrypts the xattr value "cData".
func (fs *FS) decryptXattrValue(cData []byte) (data []byte, err error) {
if len(cData) == 0 {
return []byte{}, nil
}
data, err1 := fs.contentEnc.DecryptBlock([]byte(cData), 0, nil)
if err1 == nil {
return data, nil
}
// This backward compatibility is needed to support old
// file systems having xattr values base64-encoded.
cData, err2 := fs.nameTransform.B64.DecodeString(string(cData))
if err2 != nil {
// Looks like the value was not base64-encoded, but just corrupt.
// Return the original decryption error: err1
return nil, err1
}
return fs.contentEnc.DecryptBlock([]byte(cData), 0, nil)
}
// unpackXattrErr unpacks an error value that we got from xattr.LGet/LSet/etc
// and converts it to a fuse status.
func unpackXattrErr(err error) fuse.Status {
if err == nil {
return fuse.OK
}
err2, ok := err.(*xattr.Error)
if !ok {
tlog.Warn.Printf("unpackXattrErr: cannot unpack err=%v", err)
return fuse.EIO
}
return fuse.ToStatus(err2.Err)
}
|