rfjakob / gocryptfs

Encrypted overlay filesystem written in Go
https://nuetzlich.net/gocryptfs/
MIT License

Reverse mount with exclude-wildcard gives errors accessing .conf and .name virtual files #686

Open m4rc0d1 opened 2 years ago

m4rc0d1 commented 2 years ago

I'm setting up an encrypted backup using gocryptfs in reverse mode using rsync on a remote system. Since I need to back up just some of the directories in the backup area, I use the exclude wildcard option, but I get several errors from rsync and I find myself with a non-working/non-forward mountable copy of my original data.

With several tests I tracked down the issue to be related to the initial '*' excluding pattern acting also on the .conf and .name files that gocryptfs generates in the encrypted filesystem. An explicit inclusion of the unencrypted version of the missing files is a possible workaround. This is quite easy for the gocryptfs.conf file (just force inclusion of '/.gocryptfs.reverse.conf'), but is not a viable solution for the long named files, since they don't have a specific name pattern to match.

Steps to reproduce

Test setup:

~/gocryptfs# ./gocryptfs -version
gocryptfs v2.3 without_openssl; go-fuse v2.1.1-0.20211219085202-934a183ed914; 2022-08-28 go1.19 linux/amd64

~/gocryptfs# tree test-plain
test-plain
├── dir1
│   ├── dir11
│   │   └── file11
│   ├── file1
│   └── verylongfilename01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789
└── file

2 directories, 4 files

Create the reverse config:

~/gocryptfs# ./gocryptfs -init -reverse -deterministic-names test-plain
Choose a password for protecting your files.
Password:
Repeat:
[...]
The gocryptfs-reverse filesystem has been created successfully.
You can now mount it using: gocryptfs -reverse test-plain MOUNTPOINT

~/gocryptfs# cat test-plain/.gocryptfs.reverse.conf
{
        "Creator": "gocryptfs v2.3",
        "EncryptedKey": "...",
        "ScryptObject": {
                "Salt": "...",
                "N": 65536,
                "R": 8,
                "P": 1,
                "KeyLen": 32
        },
        "Version": 2,
        "FeatureFlags": [
                "HKDF",
                "GCMIV128",
                "EMENames",
                "LongNames",
                "Raw64",
                "AESSIV"
        ]
}

Mount and check the encrypted view:

~/gocryptfs# ./gocryptfs -reverse test-plain test-enc
Password:
Decrypting master key
Filesystem mounted and ready.

~/gocryptfs# tree test-enc
test-enc
├── gocryptfs.conf
├── sVjuCC08FJ0SchCYko6X6w
│   ├── 6nHXRbN15Cv32xD5Hn4xcA
│   │   └── xX9ByX2IV_Bo52Ze-PeRiA
│   ├── gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg
│   ├── gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg.name
│   └── kK9v-XKfJhf4y1gIWz2QlA
└── wUiJGXoKI4fX5xmeIXr3QQ

2 directories, 6 files

So far so good. Now I want to view only the 'dir1' directory, so I mount with the exclude-wildcard option:

~/gocryptfs# fusermount -u test-enc
~/gocryptfs# ./gocryptfs -reverse -ew '*' -ew '!/dir1' test-plain test-enc
Password:
Decrypting master key
Filesystem mounted and ready.

And things start going weird:

~/gocryptfs# tree test-enc
test-enc
└── sVjuCC08FJ0SchCYko6X6w
    ├── 6nHXRbN15Cv32xD5Hn4xcA
    │   └── xX9ByX2IV_Bo52Ze-PeRiA
    ├── gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg
    └── kK9v-XKfJhf4y1gIWz2QlA

2 directories, 3 files

The gocryptfs.conf file is missing in the directory listing but it is actually there:

~/gocryptfs# ls -la test-enc
total 4
drwxr-xr-x 3 root root 4096 Sep  1 02:47 sVjuCC08FJ0SchCYko6X6w

~/gocryptfs# stat test-enc/gocryptfs.conf
  File: test-enc/gocryptfs.conf
  Size: 385             Blocks: 8          IO Block: 4096   regular file
Device: 2bh/43d Inode: 787182      Links: 1
Access: (0400/-r--------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2022-09-01 02:18:36.320950194 +0200
Modify: 2022-09-01 02:18:36.320950194 +0200
Change: 2022-09-01 02:18:36.320950194 +0200
 Birth: -

~/gocryptfs# cat test-enc/gocryptfs.conf
{
        "Creator": "gocryptfs v2.3",
        [...]
}

The .name files associated with long filenames are present in the dir listing but not accessible:

~/gocryptfs# ls -la test-enc/sVjuCC08FJ0SchCYko6X6w
ls: cannot access 'test-enc/sVjuCC08FJ0SchCYko6X6w/gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg.name': Operation not permitted
total 12
drwxr-xr-x 2 root root 4096 Aug 24 12:07 6nHXRbN15Cv32xD5Hn4xcA
-rw-r--r-- 1 root root   76 Sep  1 02:45 gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg
-????????? ? ?    ?       ?            ? gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg.name
-rw-r--r-- 1 root root   56 Aug 24 12:06 kK9v-XKfJhf4y1gIWz2QlA

~/gocryptfs# cat test-enc/sVjuCC08FJ0SchCYko6X6w/gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg.name
cat: test-enc/sVjuCC08FJ0SchCYko6X6w/gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg.name: Operation not permitted

Explicitly adding exclusion for the conf and the long named file works as a workaround:

~/gocryptfs# fusermount -u test-enc

~/gocryptfs# ./gocryptfs -reverse -ew '*' -ew '!/dir1' -ew '!/.gocryptfs.reverse.conf' -ew '!verylong*' test-plain test-enc
Password:
Decrypting master key
Filesystem mounted and ready.

Now everything seems as expected:

~/gocryptfs# tree test-enc
test-enc
├── gocryptfs.conf
└── sVjuCC08FJ0SchCYko6X6w
    ├── 6nHXRbN15Cv32xD5Hn4xcA
    │   └── xX9ByX2IV_Bo52Ze-PeRiA
    ├── gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg
    ├── gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg.name
    └── kK9v-XKfJhf4y1gIWz2QlA

2 directories, 5 files

~/gocryptfs# ls -la test-enc
total 8
-r-------- 1 root root  385 Sep  1 02:18 gocryptfs.conf
drwxr-xr-x 3 root root 4096 Sep  1 02:47 sVjuCC08FJ0SchCYko6X6w

~/gocryptfs# cat test-enc/sVjuCC08FJ0SchCYko6X6w/gocryptfs.longname.rRG_aah_pGZaOxb73sCZWh_YmtUIK8jjtpGCJXDi7Mg.name
j4i_LytAOc8i3MFfzpPz4XcJBgfM4SG0nTeR7f9mvf4uxlhRS2nW4tlBz3fW4zNGu4jRYBWePJKwNAyCBguM6K2qSRGGfUB5N98CRxiYyZGil8iqzQwCA0LObcHC3Ee-lqwuwG6PWmTxtWiMn4bhC0RSu5e5RqhLtxxzvrw7DuhTfplVFlTtlm2B1LWHMjLnRc9V13aBDf3BUFmL0S_09ybgHO97yY2hiNJzM1hvLULypWitcuY22pnd4b-yditw

Itay2805 commented 7 months ago

Is there any update on this issue? I have run into a similar problem while creating a backup and sadly just ignoring long file names isn't something I can easily do...
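
A pre-flight check for the two symptoms reported in this issue (gocryptfs.conf absent from the root listing, and a `gocryptfs.longname.*` entry whose `.name` companion cannot be read), to run against the reverse-mounted view before handing it to rsync. This is an added example, not part of the thread and not gocryptfs code; the function name `check_reverse_view` and the message labels are assumptions of the example.

```shell
#!/bin/sh
# Added example: sanity-check a gocryptfs reverse-mode view before syncing it.
# check_reverse_view DIR prints one line per problem found and returns
# non-zero if the view would produce a copy that cannot be forward-mounted.

check_reverse_view() {
    view=$1
    problems=0

    # Symptom 1: gocryptfs.conf must show up in the root listing (a tool that
    # walks the directory only copies what is listed) and must be readable.
    if ! ls -a "$view" | grep -qx 'gocryptfs.conf'; then
        echo "MISSING-IN-LISTING: $view/gocryptfs.conf"
        problems=$((problems + 1))
    elif ! cat "$view/gocryptfs.conf" >/dev/null 2>&1; then
        echo "UNREADABLE: $view/gocryptfs.conf"
        problems=$((problems + 1))
    fi

    # Symptom 2: every gocryptfs.longname.<hash> entry needs a readable
    # gocryptfs.longname.<hash>.name companion holding the encrypted name.
    list=$(mktemp)
    find "$view" -name 'gocryptfs.longname.*' ! -name '*.name' >"$list" 2>/dev/null
    while IFS= read -r entry; do
        if ! cat "$entry.name" >/dev/null 2>&1; then
            echo "NAME-FILE-INACCESSIBLE: $entry.name"
            problems=$((problems + 1))
        fi
    done <"$list"
    rm -f "$list"

    [ "$problems" -eq 0 ]
}
```

Run as `check_reverse_view test-enc && rsync ...` so the sync only starts when the encrypted view is complete.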