• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * usnjrnl.h - Defines for NTFS kernel transaction log ($UsnJrnl) handling.
3  *	       Part of the Linux-NTFS project.
4  *
5  * Copyright (c) 2005 Anton Altaparmakov
6  *
7  * This program/include file is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU General Public License as published
9  * by the Free Software Foundation; either version 2 of the License, or
10  * (at your option) any later version.
11  *
12  * This program/include file is distributed in the hope that it will be
13  * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
14  * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15  * GNU General Public License for more details.
16  *
17  * You should have received a copy of the GNU General Public License
18  * along with this program (in the main directory of the Linux-NTFS
19  * distribution in the file COPYING); if not, write to the Free Software
20  * Foundation,Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
21  */
22 
23 #ifndef _LINUX_NTFS_USNJRNL_H
24 #define _LINUX_NTFS_USNJRNL_H
25 
26 #ifdef NTFS_RW
27 
28 #include "types.h"
29 #include "endian.h"
30 #include "layout.h"
31 #include "volume.h"
32 
33 /*
34  * Transaction log ($UsnJrnl) organization:
35  *
36  * The transaction log records whenever a file is modified in any way.  So for
37  * example it will record that file "blah" was written to at a particular time
38  * but not what was written.  If will record that a file was deleted or
39  * created, that a file was truncated, etc.  See below for all the reason
40  * codes used.
41  *
42  * The transaction log is in the $Extend directory which is in the root
43  * directory of each volume.  If it is not present it means transaction
44  * logging is disabled.  If it is present it means transaction logging is
45  * either enabled or in the process of being disabled in which case we can
46  * ignore it as it will go away as soon as Windows gets its hands on it.
47  *
48  * To determine whether the transaction logging is enabled or in the process
49  * of being disabled, need to check the volume flags in the
50  * $VOLUME_INFORMATION attribute in the $Volume system file (which is present
51  * in the root directory and has a fixed mft record number, see layout.h).
52  * If the flag VOLUME_DELETE_USN_UNDERWAY is set it means the transaction log
53  * is in the process of being disabled and if this flag is clear it means the
54  * transaction log is enabled.
55  *
56  * The transaction log consists of two parts; the $DATA/$Max attribute as well
57  * as the $DATA/$J attribute.  $Max is a header describing the transaction
58  * log whilst $J is the transaction log data itself as a sequence of variable
59  * sized USN_RECORDs (see below for all the structures).
60  *
61  * We do not care about transaction logging at this point in time but we still
62  * need to let windows know that the transaction log is out of date.  To do
63  * this we need to stamp the transaction log.  This involves setting the
64  * lowest_valid_usn field in the $DATA/$Max attribute to the usn to be used
65  * for the next added USN_RECORD to the $DATA/$J attribute as well as
66  * generating a new journal_id in $DATA/$Max.
67  *
68  * The journal_id is as of the current version (2.0) of the transaction log
69  * simply the 64-bit timestamp of when the journal was either created or last
70  * stamped.
71  *
72  * To determine the next usn there are two ways.  The first is to parse
73  * $DATA/$J and to find the last USN_RECORD in it and to add its record_length
74  * to its usn (which is the byte offset in the $DATA/$J attribute).  The
75  * second is simply to take the data size of the attribute.  Since the usns
76  * are simply byte offsets into $DATA/$J, this is exactly the next usn.  For
77  * obvious reasons we use the second method as it is much simpler and faster.
78  *
79  * As an aside, note that to actually disable the transaction log, one would
80  * need to set the VOLUME_DELETE_USN_UNDERWAY flag (see above), then go
81  * through all the mft records on the volume and set the usn field in their
82  * $STANDARD_INFORMATION attribute to zero.  Once that is done, one would need
83  * to delete the transaction log file, i.e. \$Extent\$UsnJrnl, and finally,
84  * one would need to clear the VOLUME_DELETE_USN_UNDERWAY flag.
85  *
86  * Note that if a volume is unmounted whilst the transaction log is being
87  * disabled, the process will continue the next time the volume is mounted.
88  * This is why we can safely mount read-write when we see a transaction log
89  * in the process of being deleted.
90  */
91 
92 /* Some $UsnJrnl related constants. */
93 #define UsnJrnlMajorVer		2
94 #define UsnJrnlMinorVer		0
95 
96 /*
97  * $DATA/$Max attribute.  This is (always?) resident and has a fixed size of
98  * 32 bytes.  It contains the header describing the transaction log.
99  */
100 typedef struct {
101 /*Ofs*/
102 /*   0*/sle64 maximum_size;	/* The maximum on-disk size of the $DATA/$J
103 				   attribute. */
104 /*   8*/sle64 allocation_delta;	/* Number of bytes by which to increase the
105 				   size of the $DATA/$J attribute. */
106 /*0x10*/sle64 journal_id;	/* Current id of the transaction log. */
107 /*0x18*/leUSN lowest_valid_usn;	/* Lowest valid usn in $DATA/$J for the
108 				   current journal_id. */
109 /* sizeof() = 32 (0x20) bytes */
110 } __attribute__ ((__packed__)) USN_HEADER;
111 
112 /*
113  * Reason flags (32-bit).  Cumulative flags describing the change(s) to the
114  * file since it was last opened.  I think the names speak for themselves but
115  * if you disagree check out the descriptions in the Linux NTFS project NTFS
116  * documentation: http://www.linux-ntfs.org/
117  */
118 enum {
119 	USN_REASON_DATA_OVERWRITE	= const_cpu_to_le32(0x00000001),
120 	USN_REASON_DATA_EXTEND		= const_cpu_to_le32(0x00000002),
121 	USN_REASON_DATA_TRUNCATION	= const_cpu_to_le32(0x00000004),
122 	USN_REASON_NAMED_DATA_OVERWRITE	= const_cpu_to_le32(0x00000010),
123 	USN_REASON_NAMED_DATA_EXTEND	= const_cpu_to_le32(0x00000020),
124 	USN_REASON_NAMED_DATA_TRUNCATION= const_cpu_to_le32(0x00000040),
125 	USN_REASON_FILE_CREATE		= const_cpu_to_le32(0x00000100),
126 	USN_REASON_FILE_DELETE		= const_cpu_to_le32(0x00000200),
127 	USN_REASON_EA_CHANGE		= const_cpu_to_le32(0x00000400),
128 	USN_REASON_SECURITY_CHANGE	= const_cpu_to_le32(0x00000800),
129 	USN_REASON_RENAME_OLD_NAME	= const_cpu_to_le32(0x00001000),
130 	USN_REASON_RENAME_NEW_NAME	= const_cpu_to_le32(0x00002000),
131 	USN_REASON_INDEXABLE_CHANGE	= const_cpu_to_le32(0x00004000),
132 	USN_REASON_BASIC_INFO_CHANGE	= const_cpu_to_le32(0x00008000),
133 	USN_REASON_HARD_LINK_CHANGE	= const_cpu_to_le32(0x00010000),
134 	USN_REASON_COMPRESSION_CHANGE	= const_cpu_to_le32(0x00020000),
135 	USN_REASON_ENCRYPTION_CHANGE	= const_cpu_to_le32(0x00040000),
136 	USN_REASON_OBJECT_ID_CHANGE	= const_cpu_to_le32(0x00080000),
137 	USN_REASON_REPARSE_POINT_CHANGE	= const_cpu_to_le32(0x00100000),
138 	USN_REASON_STREAM_CHANGE	= const_cpu_to_le32(0x00200000),
139 	USN_REASON_CLOSE		= const_cpu_to_le32(0x80000000),
140 };
141 
142 typedef le32 USN_REASON_FLAGS;
143 
144 /*
145  * Source info flags (32-bit).  Information about the source of the change(s)
146  * to the file.  For detailed descriptions of what these mean, see the Linux
147  * NTFS project NTFS documentation:
148  *	http://www.linux-ntfs.org/
149  */
150 enum {
151 	USN_SOURCE_DATA_MANAGEMENT	  = const_cpu_to_le32(0x00000001),
152 	USN_SOURCE_AUXILIARY_DATA	  = const_cpu_to_le32(0x00000002),
153 	USN_SOURCE_REPLICATION_MANAGEMENT = const_cpu_to_le32(0x00000004),
154 };
155 
156 typedef le32 USN_SOURCE_INFO_FLAGS;
157 
158 /*
159  * $DATA/$J attribute.  This is always non-resident, is marked as sparse, and
160  * is of variabled size.  It consists of a sequence of variable size
161  * USN_RECORDS.  The minimum allocated_size is allocation_delta as
162  * specified in $DATA/$Max.  When the maximum_size specified in $DATA/$Max is
163  * exceeded by more than allocation_delta bytes, allocation_delta bytes are
164  * allocated and appended to the $DATA/$J attribute and an equal number of
165  * bytes at the beginning of the attribute are freed and made sparse.  Note the
166  * making sparse only happens at volume checkpoints and hence the actual
167  * $DATA/$J size can exceed maximum_size + allocation_delta temporarily.
168  */
169 typedef struct {
170 /*Ofs*/
171 /*   0*/le32 length;		/* Byte size of this record (8-byte
172 				   aligned). */
173 /*   4*/le16 major_ver;		/* Major version of the transaction log used
174 				   for this record. */
175 /*   6*/le16 minor_ver;		/* Minor version of the transaction log used
176 				   for this record. */
177 /*   8*/leMFT_REF mft_reference;/* The mft reference of the file (or
178 				   directory) described by this record. */
179 /*0x10*/leMFT_REF parent_directory;/* The mft reference of the parent
180 				   directory of the file described by this
181 				   record. */
182 /*0x18*/leUSN usn;		/* The usn of this record.  Equals the offset
183 				   within the $DATA/$J attribute. */
184 /*0x20*/sle64 time;		/* Time when this record was created. */
185 /*0x28*/USN_REASON_FLAGS reason;/* Reason flags (see above). */
186 /*0x2c*/USN_SOURCE_INFO_FLAGS source_info;/* Source info flags (see above). */
187 /*0x30*/le32 security_id;	/* File security_id copied from
188 				   $STANDARD_INFORMATION. */
189 /*0x34*/FILE_ATTR_FLAGS file_attributes;	/* File attributes copied from
190 				   $STANDARD_INFORMATION or $FILE_NAME (not
191 				   sure which). */
192 /*0x38*/le16 file_name_size;	/* Size of the file name in bytes. */
193 /*0x3a*/le16 file_name_offset;	/* Offset to the file name in bytes from the
194 				   start of this record. */
195 /*0x3c*/ntfschar file_name[0];	/* Use when creating only.  When reading use
196 				   file_name_offset to determine the location
197 				   of the name. */
198 /* sizeof() = 60 (0x3c) bytes */
199 } __attribute__ ((__packed__)) USN_RECORD;
200 
201 extern bool ntfs_stamp_usnjrnl(ntfs_volume *vol);
202 
203 #endif /* NTFS_RW */
204 
205 #endif /* _LINUX_NTFS_USNJRNL_H */
206