| 1 | /* SPDX-License-Identifier: GPL-2.0-or-later */ |
|---|
| 2 | /* |
|---|
| 3 | * usnjrnl.h - Defines for NTFS kernel transaction log ($UsnJrnl) handling. |
|---|
| 4 | * Part of the Linux-NTFS project. |
|---|
| 5 | * |
|---|
| 6 | * Copyright (c) 2005 Anton Altaparmakov |
|---|
| 7 | */ |
|---|
| 8 | |
|---|
| 9 | #ifndef _LINUX_NTFS_USNJRNL_H |
|---|
| 10 | #define _LINUX_NTFS_USNJRNL_H |
|---|
| 11 | |
|---|
| 12 | #ifdef NTFS_RW |
|---|
| 13 | |
|---|
| 14 | #include "types.h" |
|---|
| 15 | #include "endian.h" |
|---|
| 16 | #include "layout.h" |
|---|
| 17 | #include "volume.h" |
|---|
| 18 | |
|---|
| 19 | /* |
|---|
| 20 | * Transaction log ($UsnJrnl) organization: |
|---|
| 21 | * |
|---|
| 22 | * The transaction log records whenever a file is modified in any way. So for |
|---|
| 23 | * example it will record that file "blah" was written to at a particular time |
|---|
| 24 | * but not what was written. If will record that a file was deleted or |
|---|
| 25 | * created, that a file was truncated, etc. See below for all the reason |
|---|
| 26 | * codes used. |
|---|
| 27 | * |
|---|
| 28 | * The transaction log is in the $Extend directory which is in the root |
|---|
| 29 | * directory of each volume. If it is not present it means transaction |
|---|
| 30 | * logging is disabled. If it is present it means transaction logging is |
|---|
| 31 | * either enabled or in the process of being disabled in which case we can |
|---|
| 32 | * ignore it as it will go away as soon as Windows gets its hands on it. |
|---|
| 33 | * |
|---|
| 34 | * To determine whether the transaction logging is enabled or in the process |
|---|
| 35 | * of being disabled, need to check the volume flags in the |
|---|
| 36 | * $VOLUME_INFORMATION attribute in the $Volume system file (which is present |
|---|
| 37 | * in the root directory and has a fixed mft record number, see layout.h). |
|---|
| 38 | * If the flag VOLUME_DELETE_USN_UNDERWAY is set it means the transaction log |
|---|
| 39 | * is in the process of being disabled and if this flag is clear it means the |
|---|
| 40 | * transaction log is enabled. |
|---|
| 41 | * |
|---|
| 42 | * The transaction log consists of two parts; the $DATA/$Max attribute as well |
|---|
| 43 | * as the $DATA/$J attribute. $Max is a header describing the transaction |
|---|
| 44 | * log whilst $J is the transaction log data itself as a sequence of variable |
|---|
| 45 | * sized USN_RECORDs (see below for all the structures). |
|---|
| 46 | * |
|---|
| 47 | * We do not care about transaction logging at this point in time but we still |
|---|
| 48 | * need to let windows know that the transaction log is out of date. To do |
|---|
| 49 | * this we need to stamp the transaction log. This involves setting the |
|---|
| 50 | * lowest_valid_usn field in the $DATA/$Max attribute to the usn to be used |
|---|
| 51 | * for the next added USN_RECORD to the $DATA/$J attribute as well as |
|---|
| 52 | * generating a new journal_id in $DATA/$Max. |
|---|
| 53 | * |
|---|
| 54 | * The journal_id is as of the current version (2.0) of the transaction log |
|---|
| 55 | * simply the 64-bit timestamp of when the journal was either created or last |
|---|
| 56 | * stamped. |
|---|
| 57 | * |
|---|
| 58 | * To determine the next usn there are two ways. The first is to parse |
|---|
| 59 | * $DATA/$J and to find the last USN_RECORD in it and to add its record_length |
|---|
| 60 | * to its usn (which is the byte offset in the $DATA/$J attribute). The |
|---|
| 61 | * second is simply to take the data size of the attribute. Since the usns |
|---|
| 62 | * are simply byte offsets into $DATA/$J, this is exactly the next usn. For |
|---|
| 63 | * obvious reasons we use the second method as it is much simpler and faster. |
|---|
| 64 | * |
|---|
| 65 | * As an aside, note that to actually disable the transaction log, one would |
|---|
| 66 | * need to set the VOLUME_DELETE_USN_UNDERWAY flag (see above), then go |
|---|
| 67 | * through all the mft records on the volume and set the usn field in their |
|---|
| 68 | * $STANDARD_INFORMATION attribute to zero. Once that is done, one would need |
|---|
| 69 | * to delete the transaction log file, i.e. \$Extent\$UsnJrnl, and finally, |
|---|
| 70 | * one would need to clear the VOLUME_DELETE_USN_UNDERWAY flag. |
|---|
| 71 | * |
|---|
| 72 | * Note that if a volume is unmounted whilst the transaction log is being |
|---|
| 73 | * disabled, the process will continue the next time the volume is mounted. |
|---|
| 74 | * This is why we can safely mount read-write when we see a transaction log |
|---|
| 75 | * in the process of being deleted. |
|---|
| 76 | */ |
|---|
| 77 | |
|---|
| 78 | /* Some $UsnJrnl related constants. */ |
|---|
| 79 | #define UsnJrnlMajorVer 2 |
|---|
| 80 | #define UsnJrnlMinorVer 0 |
|---|
| 81 | |
|---|
| 82 | /* |
|---|
| 83 | * $DATA/$Max attribute. This is (always?) resident and has a fixed size of |
|---|
| 84 | * 32 bytes. It contains the header describing the transaction log. |
|---|
| 85 | */ |
|---|
| 86 | typedef struct { |
|---|
| 87 | /*Ofs*/ |
|---|
| 88 | /* 0*/sle64 maximum_size; /* The maximum on-disk size of the $DATA/$J |
|---|
| 89 | attribute. */ |
|---|
| 90 | /* 8*/sle64 allocation_delta; /* Number of bytes by which to increase the |
|---|
| 91 | size of the $DATA/$J attribute. */ |
|---|
| 92 | /*0x10*/sle64 journal_id; /* Current id of the transaction log. */ |
|---|
| 93 | /*0x18*/leUSN lowest_valid_usn; /* Lowest valid usn in $DATA/$J for the |
|---|
| 94 | current journal_id. */ |
|---|
| 95 | /* sizeof() = 32 (0x20) bytes */ |
|---|
| 96 | } __attribute__ ((__packed__)) USN_HEADER; |
|---|
| 97 | |
|---|
| 98 | /* |
|---|
| 99 | * Reason flags (32-bit). Cumulative flags describing the change(s) to the |
|---|
| 100 | * file since it was last opened. I think the names speak for themselves but |
|---|
| 101 | * if you disagree check out the descriptions in the Linux NTFS project NTFS |
|---|
| 102 | * documentation: http://www.linux-ntfs.org/ |
|---|
| 103 | */ |
|---|
| 104 | enum { |
|---|
| 105 | USN_REASON_DATA_OVERWRITE = cpu_to_le32(0x00000001), |
|---|
| 106 | USN_REASON_DATA_EXTEND = cpu_to_le32(0x00000002), |
|---|
| 107 | USN_REASON_DATA_TRUNCATION = cpu_to_le32(0x00000004), |
|---|
| 108 | USN_REASON_NAMED_DATA_OVERWRITE = cpu_to_le32(0x00000010), |
|---|
| 109 | USN_REASON_NAMED_DATA_EXTEND = cpu_to_le32(0x00000020), |
|---|
| 110 | USN_REASON_NAMED_DATA_TRUNCATION= cpu_to_le32(0x00000040), |
|---|
| 111 | USN_REASON_FILE_CREATE = cpu_to_le32(0x00000100), |
|---|
| 112 | USN_REASON_FILE_DELETE = cpu_to_le32(0x00000200), |
|---|
| 113 | USN_REASON_EA_CHANGE = cpu_to_le32(0x00000400), |
|---|
| 114 | USN_REASON_SECURITY_CHANGE = cpu_to_le32(0x00000800), |
|---|
| 115 | USN_REASON_RENAME_OLD_NAME = cpu_to_le32(0x00001000), |
|---|
| 116 | USN_REASON_RENAME_NEW_NAME = cpu_to_le32(0x00002000), |
|---|
| 117 | USN_REASON_INDEXABLE_CHANGE = cpu_to_le32(0x00004000), |
|---|
| 118 | USN_REASON_BASIC_INFO_CHANGE = cpu_to_le32(0x00008000), |
|---|
| 119 | USN_REASON_HARD_LINK_CHANGE = cpu_to_le32(0x00010000), |
|---|
| 120 | USN_REASON_COMPRESSION_CHANGE = cpu_to_le32(0x00020000), |
|---|
| 121 | USN_REASON_ENCRYPTION_CHANGE = cpu_to_le32(0x00040000), |
|---|
| 122 | USN_REASON_OBJECT_ID_CHANGE = cpu_to_le32(0x00080000), |
|---|
| 123 | USN_REASON_REPARSE_POINT_CHANGE = cpu_to_le32(0x00100000), |
|---|
| 124 | USN_REASON_STREAM_CHANGE = cpu_to_le32(0x00200000), |
|---|
| 125 | USN_REASON_CLOSE = cpu_to_le32(0x80000000), |
|---|
| 126 | }; |
|---|
| 127 | |
|---|
| 128 | typedef le32 USN_REASON_FLAGS; |
|---|
| 129 | |
|---|
| 130 | /* |
|---|
| 131 | * Source info flags (32-bit). Information about the source of the change(s) |
|---|
| 132 | * to the file. For detailed descriptions of what these mean, see the Linux |
|---|
| 133 | * NTFS project NTFS documentation: |
|---|
| 134 | * http://www.linux-ntfs.org/ |
|---|
| 135 | */ |
|---|
| 136 | enum { |
|---|
| 137 | USN_SOURCE_DATA_MANAGEMENT = cpu_to_le32(0x00000001), |
|---|
| 138 | USN_SOURCE_AUXILIARY_DATA = cpu_to_le32(0x00000002), |
|---|
| 139 | USN_SOURCE_REPLICATION_MANAGEMENT = cpu_to_le32(0x00000004), |
|---|
| 140 | }; |
|---|
| 141 | |
|---|
| 142 | typedef le32 USN_SOURCE_INFO_FLAGS; |
|---|
| 143 | |
|---|
| 144 | /* |
|---|
| 145 | * $DATA/$J attribute. This is always non-resident, is marked as sparse, and |
|---|
| 146 | * is of variabled size. It consists of a sequence of variable size |
|---|
| 147 | * USN_RECORDS. The minimum allocated_size is allocation_delta as |
|---|
| 148 | * specified in $DATA/$Max. When the maximum_size specified in $DATA/$Max is |
|---|
| 149 | * exceeded by more than allocation_delta bytes, allocation_delta bytes are |
|---|
| 150 | * allocated and appended to the $DATA/$J attribute and an equal number of |
|---|
| 151 | * bytes at the beginning of the attribute are freed and made sparse. Note the |
|---|
| 152 | * making sparse only happens at volume checkpoints and hence the actual |
|---|
| 153 | * $DATA/$J size can exceed maximum_size + allocation_delta temporarily. |
|---|
| 154 | */ |
|---|
| 155 | typedef struct { |
|---|
| 156 | /*Ofs*/ |
|---|
| 157 | /* 0*/le32 length; /* Byte size of this record (8-byte |
|---|
| 158 | aligned). */ |
|---|
| 159 | /* 4*/le16 major_ver; /* Major version of the transaction log used |
|---|
| 160 | for this record. */ |
|---|
| 161 | /* 6*/le16 minor_ver; /* Minor version of the transaction log used |
|---|
| 162 | for this record. */ |
|---|
| 163 | /* 8*/leMFT_REF mft_reference;/* The mft reference of the file (or |
|---|
| 164 | directory) described by this record. */ |
|---|
| 165 | /*0x10*/leMFT_REF parent_directory;/* The mft reference of the parent |
|---|
| 166 | directory of the file described by this |
|---|
| 167 | record. */ |
|---|
| 168 | /*0x18*/leUSN usn; /* The usn of this record. Equals the offset |
|---|
| 169 | within the $DATA/$J attribute. */ |
|---|
| 170 | /*0x20*/sle64 time; /* Time when this record was created. */ |
|---|
| 171 | /*0x28*/USN_REASON_FLAGS reason;/* Reason flags (see above). */ |
|---|
| 172 | /*0x2c*/USN_SOURCE_INFO_FLAGS source_info;/* Source info flags (see above). */ |
|---|
| 173 | /*0x30*/le32 security_id; /* File security_id copied from |
|---|
| 174 | $STANDARD_INFORMATION. */ |
|---|
| 175 | /*0x34*/FILE_ATTR_FLAGS file_attributes; /* File attributes copied from |
|---|
| 176 | $STANDARD_INFORMATION or $FILE_NAME (not |
|---|
| 177 | sure which). */ |
|---|
| 178 | /*0x38*/le16 file_name_size; /* Size of the file name in bytes. */ |
|---|
| 179 | /*0x3a*/le16 file_name_offset; /* Offset to the file name in bytes from the |
|---|
| 180 | start of this record. */ |
|---|
| 181 | /*0x3c*/ntfschar file_name[0]; /* Use when creating only. When reading use |
|---|
| 182 | file_name_offset to determine the location |
|---|
| 183 | of the name. */ |
|---|
| 184 | /* sizeof() = 60 (0x3c) bytes */ |
|---|
| 185 | } __attribute__ ((__packed__)) USN_RECORD; |
|---|
| 186 | |
|---|
| 187 | extern bool ntfs_stamp_usnjrnl(ntfs_volume *vol); |
|---|
| 188 | |
|---|
| 189 | #endif /* NTFS_RW */ |
|---|
| 190 | |
|---|
| 191 | #endif /* _LINUX_NTFS_USNJRNL_H */ |
|---|
| 192 | |
|---|
