fusefrontend_reverse: secure OpenDir against symlink races

...by using the new OpenNofollow helper. The benchmark shows a small but acceptable performance loss: $ ./benchmark-reverse.bash LS: 2.182 CAT: 18.221 Tracking ticket: #165
rfjakob · Dec 5, 2017 · 926cb93 · 926cb93
1 parent e604ce6
commit 926cb93
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/internal/fusefrontend_reverse/rfs.go b/internal/fusefrontend_reverse/rfs.go
@@ -17,6 +17,7 @@ import (
 	"github.com/rfjakob/gocryptfs/internal/fusefrontend"
 	"github.com/rfjakob/gocryptfs/internal/nametransform"
 	"github.com/rfjakob/gocryptfs/internal/pathiv"
+	"github.com/rfjakob/gocryptfs/internal/syscallcompat"
 	"github.com/rfjakob/gocryptfs/internal/tlog"
 )
 
@@ -253,9 +254,14 @@ func (rfs *ReverseFS) OpenDir(cipherPath string, context *fuse.Context) ([]fuse.
 		return nil, fuse.ToStatus(err)
 	}
 	// Read plaintext dir
-	entries, status := rfs.loopbackfs.OpenDir(relPath, context)
-	if entries == nil {
-		return nil, status
+	fd, err := syscallcompat.OpenNofollow(rfs.args.Cipherdir, relPath, syscall.O_RDONLY, 0)
+	if err != nil {
+		return nil, fuse.ToStatus(err)
+	}
+	defer syscall.Close(fd)
+	entries, err := syscallcompat.Getdents(fd)
+	if err != nil {
+		return nil, fuse.ToStatus(err)
 	}
 	if rfs.args.PlaintextNames {
 		return rfs.openDirPlaintextnames(cipherPath, entries)