1 /* 2 * usnjrnl.h - Defines for NTFS kernel transaction log ($UsnJrnl) handling. 3 * Part of the Linux-NTFS project. 4 * 5 * Copyright (c) 2005 Anton Altaparmakov 6 * 7 * This program/include file is free software; you can redistribute it and/or 8 * modify it under the terms of the GNU General Public License as published 9 * by the Free Software Foundation; either version 2 of the License, or 10 * (at your option) any later version. 11 * 12 * This program/include file is distributed in the hope that it will be 13 * useful, but WITHOUT ANY WARRANTY; without even the implied warranty 14 * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 * GNU General Public License for more details. 16 * 17 * You should have received a copy of the GNU General Public License 18 * along with this program (in the main directory of the Linux-NTFS 19 * distribution in the file COPYING); if not, write to the Free Software 20 * Foundation,Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 21 */ 22 23 #ifndef _LINUX_NTFS_USNJRNL_H 24 #define _LINUX_NTFS_USNJRNL_H 25 26 #ifdef NTFS_RW 27 28 #include "types.h" 29 #include "endian.h" 30 #include "layout.h" 31 #include "volume.h" 32 33 /* 34 * Transaction log ($UsnJrnl) organization: 35 * 36 * The transaction log records whenever a file is modified in any way. So for 37 * example it will record that file "blah" was written to at a particular time 38 * but not what was written. If will record that a file was deleted or 39 * created, that a file was truncated, etc. See below for all the reason 40 * codes used. 41 * 42 * The transaction log is in the $Extend directory which is in the root 43 * directory of each volume. If it is not present it means transaction 44 * logging is disabled. If it is present it means transaction logging is 45 * either enabled or in the process of being disabled in which case we can 46 * ignore it as it will go away as soon as Windows gets its hands on it. 47 * 48 * To determine whether the transaction logging is enabled or in the process 49 * of being disabled, need to check the volume flags in the 50 * $VOLUME_INFORMATION attribute in the $Volume system file (which is present 51 * in the root directory and has a fixed mft record number, see layout.h). 52 * If the flag VOLUME_DELETE_USN_UNDERWAY is set it means the transaction log 53 * is in the process of being disabled and if this flag is clear it means the 54 * transaction log is enabled. 55 * 56 * The transaction log consists of two parts; the $DATA/$Max attribute as well 57 * as the $DATA/$J attribute. $Max is a header describing the transaction 58 * log whilst $J is the transaction log data itself as a sequence of variable 59 * sized USN_RECORDs (see below for all the structures). 60 * 61 * We do not care about transaction logging at this point in time but we still 62 * need to let windows know that the transaction log is out of date. To do 63 * this we need to stamp the transaction log. This involves setting the 64 * lowest_valid_usn field in the $DATA/$Max attribute to the usn to be used 65 * for the next added USN_RECORD to the $DATA/$J attribute as well as 66 * generating a new journal_id in $DATA/$Max. 67 * 68 * The journal_id is as of the current version (2.0) of the transaction log 69 * simply the 64-bit timestamp of when the journal was either created or last 70 * stamped. 71 * 72 * To determine the next usn there are two ways. The first is to parse 73 * $DATA/$J and to find the last USN_RECORD in it and to add its record_length 74 * to its usn (which is the byte offset in the $DATA/$J attribute). The 75 * second is simply to take the data size of the attribute. Since the usns 76 * are simply byte offsets into $DATA/$J, this is exactly the next usn. For 77 * obvious reasons we use the second method as it is much simpler and faster. 78 * 79 * As an aside, note that to actually disable the transaction log, one would 80 * need to set the VOLUME_DELETE_USN_UNDERWAY flag (see above), then go 81 * through all the mft records on the volume and set the usn field in their 82 * $STANDARD_INFORMATION attribute to zero. Once that is done, one would need 83 * to delete the transaction log file, i.e. \$Extent\$UsnJrnl, and finally, 84 * one would need to clear the VOLUME_DELETE_USN_UNDERWAY flag. 85 * 86 * Note that if a volume is unmounted whilst the transaction log is being 87 * disabled, the process will continue the next time the volume is mounted. 88 * This is why we can safely mount read-write when we see a transaction log 89 * in the process of being deleted. 90 */ 91 92 /* Some $UsnJrnl related constants. */ 93 #define UsnJrnlMajorVer 2 94 #define UsnJrnlMinorVer 0 95 96 /* 97 * $DATA/$Max attribute. This is (always?) resident and has a fixed size of 98 * 32 bytes. It contains the header describing the transaction log. 99 */ 100 typedef struct { 101 /*Ofs*/ 102 /* 0*/sle64 maximum_size; /* The maximum on-disk size of the $DATA/$J 103 attribute. */ 104 /* 8*/sle64 allocation_delta; /* Number of bytes by which to increase the 105 size of the $DATA/$J attribute. */ 106 /*0x10*/sle64 journal_id; /* Current id of the transaction log. */ 107 /*0x18*/leUSN lowest_valid_usn; /* Lowest valid usn in $DATA/$J for the 108 current journal_id. */ 109 /* sizeof() = 32 (0x20) bytes */ 110 } __attribute__ ((__packed__)) USN_HEADER; 111 112 /* 113 * Reason flags (32-bit). Cumulative flags describing the change(s) to the 114 * file since it was last opened. I think the names speak for themselves but 115 * if you disagree check out the descriptions in the Linux NTFS project NTFS 116 * documentation: http://www.linux-ntfs.org/ 117 */ 118 enum { 119 USN_REASON_DATA_OVERWRITE = const_cpu_to_le32(0x00000001), 120 USN_REASON_DATA_EXTEND = const_cpu_to_le32(0x00000002), 121 USN_REASON_DATA_TRUNCATION = const_cpu_to_le32(0x00000004), 122 USN_REASON_NAMED_DATA_OVERWRITE = const_cpu_to_le32(0x00000010), 123 USN_REASON_NAMED_DATA_EXTEND = const_cpu_to_le32(0x00000020), 124 USN_REASON_NAMED_DATA_TRUNCATION= const_cpu_to_le32(0x00000040), 125 USN_REASON_FILE_CREATE = const_cpu_to_le32(0x00000100), 126 USN_REASON_FILE_DELETE = const_cpu_to_le32(0x00000200), 127 USN_REASON_EA_CHANGE = const_cpu_to_le32(0x00000400), 128 USN_REASON_SECURITY_CHANGE = const_cpu_to_le32(0x00000800), 129 USN_REASON_RENAME_OLD_NAME = const_cpu_to_le32(0x00001000), 130 USN_REASON_RENAME_NEW_NAME = const_cpu_to_le32(0x00002000), 131 USN_REASON_INDEXABLE_CHANGE = const_cpu_to_le32(0x00004000), 132 USN_REASON_BASIC_INFO_CHANGE = const_cpu_to_le32(0x00008000), 133 USN_REASON_HARD_LINK_CHANGE = const_cpu_to_le32(0x00010000), 134 USN_REASON_COMPRESSION_CHANGE = const_cpu_to_le32(0x00020000), 135 USN_REASON_ENCRYPTION_CHANGE = const_cpu_to_le32(0x00040000), 136 USN_REASON_OBJECT_ID_CHANGE = const_cpu_to_le32(0x00080000), 137 USN_REASON_REPARSE_POINT_CHANGE = const_cpu_to_le32(0x00100000), 138 USN_REASON_STREAM_CHANGE = const_cpu_to_le32(0x00200000), 139 USN_REASON_CLOSE = const_cpu_to_le32(0x80000000), 140 }; 141 142 typedef le32 USN_REASON_FLAGS; 143 144 /* 145 * Source info flags (32-bit). Information about the source of the change(s) 146 * to the file. For detailed descriptions of what these mean, see the Linux 147 * NTFS project NTFS documentation: 148 * http://www.linux-ntfs.org/ 149 */ 150 enum { 151 USN_SOURCE_DATA_MANAGEMENT = const_cpu_to_le32(0x00000001), 152 USN_SOURCE_AUXILIARY_DATA = const_cpu_to_le32(0x00000002), 153 USN_SOURCE_REPLICATION_MANAGEMENT = const_cpu_to_le32(0x00000004), 154 }; 155 156 typedef le32 USN_SOURCE_INFO_FLAGS; 157 158 /* 159 * $DATA/$J attribute. This is always non-resident, is marked as sparse, and 160 * is of variabled size. It consists of a sequence of variable size 161 * USN_RECORDS. The minimum allocated_size is allocation_delta as 162 * specified in $DATA/$Max. When the maximum_size specified in $DATA/$Max is 163 * exceeded by more than allocation_delta bytes, allocation_delta bytes are 164 * allocated and appended to the $DATA/$J attribute and an equal number of 165 * bytes at the beginning of the attribute are freed and made sparse. Note the 166 * making sparse only happens at volume checkpoints and hence the actual 167 * $DATA/$J size can exceed maximum_size + allocation_delta temporarily. 168 */ 169 typedef struct { 170 /*Ofs*/ 171 /* 0*/le32 length; /* Byte size of this record (8-byte 172 aligned). */ 173 /* 4*/le16 major_ver; /* Major version of the transaction log used 174 for this record. */ 175 /* 6*/le16 minor_ver; /* Minor version of the transaction log used 176 for this record. */ 177 /* 8*/leMFT_REF mft_reference;/* The mft reference of the file (or 178 directory) described by this record. */ 179 /*0x10*/leMFT_REF parent_directory;/* The mft reference of the parent 180 directory of the file described by this 181 record. */ 182 /*0x18*/leUSN usn; /* The usn of this record. Equals the offset 183 within the $DATA/$J attribute. */ 184 /*0x20*/sle64 time; /* Time when this record was created. */ 185 /*0x28*/USN_REASON_FLAGS reason;/* Reason flags (see above). */ 186 /*0x2c*/USN_SOURCE_INFO_FLAGS source_info;/* Source info flags (see above). */ 187 /*0x30*/le32 security_id; /* File security_id copied from 188 $STANDARD_INFORMATION. */ 189 /*0x34*/FILE_ATTR_FLAGS file_attributes; /* File attributes copied from 190 $STANDARD_INFORMATION or $FILE_NAME (not 191 sure which). */ 192 /*0x38*/le16 file_name_size; /* Size of the file name in bytes. */ 193 /*0x3a*/le16 file_name_offset; /* Offset to the file name in bytes from the 194 start of this record. */ 195 /*0x3c*/ntfschar file_name[0]; /* Use when creating only. When reading use 196 file_name_offset to determine the location 197 of the name. */ 198 /* sizeof() = 60 (0x3c) bytes */ 199 } __attribute__ ((__packed__)) USN_RECORD; 200 201 extern bool ntfs_stamp_usnjrnl(ntfs_volume *vol); 202 203 #endif /* NTFS_RW */ 204 205 #endif /* _LINUX_NTFS_USNJRNL_H */ 206