
/usr/include/ntfs-3g/logfile.h is in ntfs-3g-dev 1:2017.3.23-2.

This file is owned by root:root, with mode 0o644.


/*
 * logfile.h - Exports for $LogFile handling.  Originated from the Linux-NTFS project.
 *
 * Copyright (c) 2000-2005 Anton Altaparmakov
 * Copyright (c) 2016      Jean-Pierre Andre
 *
 * This program/include file is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as published
 * by the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program/include file is distributed in the hope that it will be
 * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
 * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program (in the main directory of the NTFS-3G
 * distribution in the file COPYING); if not, write to the Free Software
 * Foundation,Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

#ifndef _NTFS_LOGFILE_H
#define _NTFS_LOGFILE_H

#include "types.h"
#include "endians.h"
#include "layout.h"

/*
 * Journal ($LogFile) organization:
 *
 * Two restart areas present in the first two pages (restart pages, one restart
 * area in each page).  When the volume is dismounted they should be identical,
 * except for the update sequence array which usually has a different update
 * sequence number.
 *
 * These are followed by log records organized in pages headed by a log record
 * header going up to log file size.  Not all pages contain log records when a
 * volume is first formatted, but as the volume ages, all records will be used.
 * When the log file fills up, the records at the beginning are purged (by
 * modifying the oldest_lsn to a higher value presumably) and writing begins
 * at the beginning of the file.  Effectively, the log file is viewed as a
 * circular entity.
 *
 * NOTE: Windows NT, 2000, and XP all use log file version 1.1 but they accept
 * versions <= 1.x, including 0.-1.  (Yes, that is a minus one in there!)  We
 * probably only want to support 1.1 as this seems to be the current version
 * and we don't know how that differs from the older versions.  The only
 * exception is if the journal is clean as marked by the two restart pages
 * then it doesn't matter whether we are on an earlier version.  We can just
 * reinitialize the logfile and start again with version 1.1.
 */

/*
 * Some $LogFile related constants.
 *
 * MaxLogFileSize:     0x100000000 bytes (4 GiB); by its name, the upper
 *                     bound on the journal size.
 * DefaultLogPageSize: 4096 bytes, the default documented for
 *                     log_page_size in RESTART_PAGE_HEADER.
 * MinLogRecordPages:  48 (0x30), the minimum number of log record pages
 *                     that the file_size comment in RESTART_AREA requires
 *                     in addition to the two restart pages.
 *
 * These are the reference values a parser can compare on-disk sizes
 * against before trusting them.
 */
#define MaxLogFileSize		0x100000000ULL
#define DefaultLogPageSize	4096
#define MinLogRecordPages	48

/**
 * struct RESTART_PAGE_HEADER - Log file restart page header.
 *
 * Begins the restart area.
 *
 * All fields are little-endian values read from the on-disk journal.  The
 * offsets and sizes stored here (usa_ofs, usa_count, system_page_size,
 * log_page_size, restart_area_offset) locate further structures inside the
 * page, so they must pass the checks described per field before they are
 * used to compute a pointer or a length.
 */
typedef struct {
/*Ofs*/
/*  0	NTFS_RECORD; -- Unfolded here as gcc doesn't like unnamed structs. */
/*  0*/	NTFS_RECORD_TYPES magic;/* The magic is "RSTR". */
/*  4*/	le16 usa_ofs;		/* See NTFS_RECORD definition in layout.h.
				   When creating, set this to be immediately
				   after this header structure (without any
				   alignment). */
/*  6*/	le16 usa_count;		/* See NTFS_RECORD definition in layout.h. */

/*  8*/	leLSN chkdsk_lsn;	/* The last log file sequence number found by
				   chkdsk.  Only used when the magic is changed
				   to "CHKD".  Otherwise this is zero. */
/* 16*/	le32 system_page_size;	/* Byte size of system pages when the log file
				   was created, has to be >= 512 and a power of
				   2.  Use this to calculate the required size
				   of the usa (usa_count) and add it to usa_ofs.
				   Then verify that the result is less than the
				   value of the restart_area_offset. */
/* 20*/	le32 log_page_size;	/* Byte size of log file pages, has to be >=
				   512 and a power of 2.  The default is 4096
				   and is used when the system page size is
				   between 4096 and 8192.  Otherwise this is
				   set to the system page size instead. */
/* 24*/	le16 restart_area_offset;/* Byte offset from the start of this header to
				   the RESTART_AREA.  Value has to be aligned
				   to 8-byte boundary.  When creating, set this
				   to be after the usa. */
/* 26*/	sle16 minor_ver;	/* Log file minor version.  Only check if major
				   version is 1. */
/* 28*/	sle16 major_ver;	/* Log file major version.  We only support
				   version 1.1. */
/* 30*/	le16 usn;		/* NOTE(review): not documented in this header;
				   the name suggests an update sequence number
				   related to the usa_* fields above -- confirm
				   against logfile.c. */
/* sizeof() = 32 (0x20) bytes */
} __attribute__((__packed__)) RESTART_PAGE_HEADER;

/*
 * Constant for the log client indices meaning that there are no client records
 * in this particular client array.  Also inside the client records themselves,
 * this means that there are no client records preceding or following this one.
 *
 * LOGFILE_NO_CLIENT_CPU is the plain 16-bit value; LOGFILE_NO_CLIENT is the
 * same value passed through const_cpu_to_le16() so that it can be compared
 * directly with the le16 index fields (client_free_list, client_in_use_list,
 * prev_client, next_client).  An index that is not LOGFILE_NO_CLIENT is still
 * a value read from disk and has to be range-checked against log_clients
 * before it is used to address the client array.
 */
#define LOGFILE_NO_CLIENT_CPU	0xffff
#define LOGFILE_NO_CLIENT	const_cpu_to_le16(LOGFILE_NO_CLIENT_CPU)

/*
 * These are the so far known RESTART_AREA_* flags (16-bit) which contain
 * information about the log file in which they are present.
 *
 * The enum itself is anonymous; the on-disk field uses the le16 typedef
 * RESTART_AREA_FLAGS declared below it.
 */
enum {
	/* Bit 0x0002: set when the logfile was shut down cleanly (see the
	   flags field of RESTART_AREA for the full semantics). */
	RESTART_VOLUME_IS_CLEAN	= const_cpu_to_le16(0x0002),
	RESTART_SPACE_FILLER	= 0xffff, /* gcc: Force enum bit width to 16. */
} __attribute__((__packed__));

/* Type of the flags field in RESTART_AREA: 16 bits, little-endian. */
typedef le16 RESTART_AREA_FLAGS;

/**
 * struct RESTART_AREA - Log file restart area record.
 *
 * The offset of this record is found by adding the offset of the
 * RESTART_PAGE_HEADER to the restart_area_offset value found in it.
 * See notes at restart_area_offset above.
 *
 * Every field below is read from the on-disk journal.  The per-field
 * comments list the consistency checks (alignment, upper bounds against
 * system_page_size and the 510-byte limit, index < log_clients) that have
 * to hold before an offset, length or index from this record is used to
 * address memory.
 */
typedef struct {
/*Ofs*/
/*  0*/	leLSN current_lsn;	/* The current, i.e. last LSN inside the log
				   when the restart area was last written.
				   This happens often but what is the interval?
				   Is it just fixed time or is it every time a
				   check point is written or something else?
				   On create set to 0. */
/*  8*/	le16 log_clients;	/* Number of log client records in the array of
				   log client records which follows this
				   restart area.  Must be 1.  */
/* 10*/	le16 client_free_list;	/* The index of the first free log client record
				   in the array of log client records.
				   LOGFILE_NO_CLIENT means that there are no
				   free log client records in the array.
				   If != LOGFILE_NO_CLIENT, check that
				   log_clients > client_free_list.  On Win2k
				   and presumably earlier, on a clean volume
				   this is != LOGFILE_NO_CLIENT, and it should
				   be 0, i.e. the first (and only) client
				   record is free and thus the logfile is
				   closed and hence clean.  A dirty volume
				   would have left the logfile open and hence
				   this would be LOGFILE_NO_CLIENT.  On WinXP
				   and presumably later, the logfile is always
				   open, even on clean shutdown so this should
				   always be LOGFILE_NO_CLIENT. */
/* 12*/	le16 client_in_use_list;/* The index of the first in-use log client
				   record in the array of log client records.
				   LOGFILE_NO_CLIENT means that there are no
				   in-use log client records in the array.  If
				   != LOGFILE_NO_CLIENT check that log_clients
				   > client_in_use_list.  On Win2k and
				   presumably earlier, on a clean volume this
				   is LOGFILE_NO_CLIENT, i.e. there are no
				   client records in use and thus the logfile
				   is closed and hence clean.  A dirty volume
				   would have left the logfile open and hence
				   this would be != LOGFILE_NO_CLIENT, and it
				   should be 0, i.e. the first (and only)
				   client record is in use.  On WinXP and
				   presumably later, the logfile is always
				   open, even on clean shutdown so this should
				   always be 0. */
/* 14*/	RESTART_AREA_FLAGS flags;/* Flags modifying LFS behaviour.  On Win2k
				   and presumably earlier this is always 0.  On
				   WinXP and presumably later, if the logfile
				   was shutdown cleanly, the second bit,
				   RESTART_VOLUME_IS_CLEAN, is set.  This bit
				   is cleared when the volume is mounted by
				   WinXP and set when the volume is dismounted,
				   thus if the logfile is dirty, this bit is
				   clear.  Thus we don't need to check the
				   Windows version to determine if the logfile
				   is clean.  Instead if the logfile is closed,
				   we know it must be clean.  If it is open and
				   this bit is set, we also know it must be
				   clean.  If on the other hand the logfile is
				   open and this bit is clear, we can be almost
				   certain that the logfile is dirty. */
/* 16*/	le32 seq_number_bits;	/* How many bits to use for the sequence
				   number.  This is calculated as 67 - the
				   number of bits required to store the logfile
				   size in bytes and this can be used together
				   with the specified file_size as a
				   consistency check. */
/* 20*/	le16 restart_area_length;/* Length of the restart area including the
				   client array.  Following checks required if
				   version matches.  Otherwise, skip them.
				   restart_area_offset + restart_area_length
				   has to be <= system_page_size.  Also,
				   restart_area_length has to be >=
				   client_array_offset + (log_clients *
				   sizeof(log client record)). */
/* 22*/	le16 client_array_offset;/* Offset from the start of this record to
				   the first log client record if versions are
				   matched.  When creating, set this to be
				   after this restart area structure, aligned
				   to 8-bytes boundary.  If the versions do not
				   match, this is ignored and the offset is
				   assumed to be (sizeof(RESTART_AREA) + 7) &
				   ~7, i.e. rounded up to first 8-byte
				   boundary.  Either way, client_array_offset
				   has to be aligned to an 8-byte boundary.
				   Also, restart_area_offset +
				   client_array_offset has to be <= 510.
				   Finally, client_array_offset + (log_clients
				   * sizeof(log client record)) has to be <=
				   system_page_size.  On Win2k and presumably
				   earlier, this is 0x30, i.e. immediately
				   following this record.  On WinXP and
				   presumably later, this is 0x40, i.e. there
				   are 16 extra bytes between this record and
				   the client array.  This probably means that
				   the RESTART_AREA record is actually bigger
				   in WinXP and later. */
/* 24*/	sle64 file_size;	/* Usable byte size of the log file.  If the
				   restart_area_offset + the offset of the
				   file_size are > 510 then corruption has
				   occurred.  This is the very first check when
				   starting with the restart_area as if it
				   fails it means that some of the above values
				   will be corrupted by the multi sector
				   transfer protection.  The file_size has to
				   be rounded down to be a multiple of the
				   log_page_size in the RESTART_PAGE_HEADER and
				   then it has to be at least big enough to
				   store the two restart pages and 48 (0x30)
				   log record pages.  Note that the type is
				   signed (sle64). */
/* 32*/	le32 last_lsn_data_length;/* Length of data of last LSN, not including
				   the log record header.  On create set to
				   0. */
/* 36*/	le16 log_record_header_length;/* Byte size of the log record header.
				   If the version matches then check that the
				   value of log_record_header_length is a
				   multiple of 8, i.e.
				   (log_record_header_length + 7) & ~7 ==
				   log_record_header_length.  When creating set
				   it to sizeof(LOG_RECORD_HEADER), aligned to
				   8 bytes. */
/* 38*/	le16 log_page_data_offset;/* Offset to the start of data in a log record
				   page.  Must be a multiple of 8.  On create
				   set it to immediately after the update
				   sequence array of the log record page. */
/* 40*/	le32 restart_log_open_count;/* A counter that gets incremented every
				   time the logfile is restarted which happens
				   at mount time when the logfile is opened.
				   When creating set to a random value.  Win2k
				   sets it to the low 32 bits of the current
				   system time in NTFS format (see time.h). */
/* 44*/	le32 reserved;		/* Reserved/alignment to 8-byte boundary. */
/* sizeof() = 48 (0x30) bytes */
} __attribute__((__packed__)) RESTART_AREA;

/**
 * struct LOG_CLIENT_RECORD - Log client record.
 *
 * The offset of this record is found by adding the offset of the
 * RESTART_AREA to the client_array_offset value found in it.
 *
 * The record is read from the on-disk journal; the "should always be"
 * values documented below are expectations to verify, not guarantees.
 */
typedef struct {
/*Ofs*/
/*  0*/	leLSN oldest_lsn;	/* Oldest LSN needed by this client.  On create
				   set to 0. */
/*  8*/	leLSN client_restart_lsn;/* LSN at which this client needs to restart
				   the volume, i.e. the current position within
				   the log file.  At present, if clean this
				   should = current_lsn in restart area but it
				   probably also = current_lsn when dirty most
				   of the time.  At create set to 0. */
/* 16*/	le16 prev_client;	/* The offset to the previous log client record
				   in the array of log client records.
				   LOGFILE_NO_CLIENT means there is no previous
				   client record, i.e. this is the first one.
				   This is always LOGFILE_NO_CLIENT. */
/* 18*/	le16 next_client;	/* The offset to the next log client record in
				   the array of log client records.
				   LOGFILE_NO_CLIENT means there are no next
				   client records, i.e. this is the last one.
				   This is always LOGFILE_NO_CLIENT. */
/* 20*/	le16 seq_number;	/* On Win2k and presumably earlier, this is set
				   to zero every time the logfile is restarted
				   and it is incremented when the logfile is
				   closed at dismount time.  Thus it is 0 when
				   dirty and 1 when clean.  On WinXP and
				   presumably later, this is always 0. */
/* 22*/	u8 reserved[6];		/* Reserved/alignment. */
/* 28*/	le32 client_name_length;/* Length of client name in bytes.  Should
				   always be 8.
				   NOTE(review): the value comes from disk; a
				   consumer that copies or compares
				   client_name using this length should first
				   check it against sizeof(client_name). */
/* 32*/	ntfschar client_name[64];/* Name of the client in Unicode.  Should
				   always be "NTFS" with the remaining bytes
				   set to 0. */
/* sizeof() = 160 (0xa0) bytes */
} __attribute__((__packed__)) LOG_CLIENT_RECORD;

/**
 * struct RECORD_PAGE_HEADER - Log page record page header.
 *
 * Each log page begins with this header and is followed by several LOG_RECORD
 * structures, starting at offset 0x40 (the size of this structure and the
 * following update sequence array and then aligned to 8 byte boundary, but is
 * this specified anywhere?).
 *
 * The offsets below assume NTFS_RECORD_TYPES occupies 4 bytes, as the
 * offset comments in RESTART_PAGE_HEADER indicate for the same type.
 * Field meanings are not documented in this header; the notes marked
 * NOTE(review) are inferred from the field names only.
 */
typedef struct {
/*  0	NTFS_RECORD; -- Unfolded here as gcc doesn't like unnamed structs. */
/*  0*/	NTFS_RECORD_TYPES magic;/* Usually the magic is "RCRD". */
/*  4*/	le16 usa_ofs;		/* See NTFS_RECORD definition in layout.h.
				   When creating, set this to be immediately
				   after this header structure (without any
				   alignment). */
/*  6*/	le16 usa_count;		/* See NTFS_RECORD definition in layout.h. */

/*  8*/	union {
		/* Two views of the same 8 bytes; this header does not say
		   which one applies when. */
		leLSN last_lsn;
		sle64 file_offset;
	} __attribute__((__packed__)) copy;
/* 16*/	le32 flags;
/* 20*/	le16 page_count;
/* 22*/	le16 page_position;
/* 24*/	le16 next_record_offset;/* NOTE(review): presumably a byte offset
				   within this page; as an on-disk value it
				   should be checked against the log page size
				   before it is used to locate a record --
				   confirm in logfile.c. */
/* 26*/	le16 reserved[3];
/* 32*/	leLSN last_end_lsn;
/* sizeof() = 40 (0x28) bytes */
} __attribute__((__packed__)) RECORD_PAGE_HEADER;

/**
 * enum LOG_RECORD_FLAGS - Possible 16-bit flags for log records.
 *
 *	Some flags describe what kind of update is being logged.
 *
 * (Or is it log record pages?)
 *
 * The named values are stored in little-endian form via
 * const_cpu_to_le16(), so they are meant to be compared with the on-disk
 * field without byte swapping.
 */
typedef enum {
	LOG_RECORD_MULTI_PAGE = const_cpu_to_le16(0x0001),	/* ??? */
		/* The flags below were introduced in Windows 10 */
	LOG_RECORD_DELETING =	const_cpu_to_le16(0x0002),
	LOG_RECORD_ADDING =	const_cpu_to_le16(0x0004),
	LOG_RECORD_SIZE_PLACE_HOLDER = 0xffff,
		/* This has nothing to do with the log record. It is only so
		   gcc knows to make the flags 16-bit. */
} __attribute__((__packed__)) LOG_RECORD_FLAGS;

/**
 * struct LOG_CLIENT_ID - The log client id structure identifying a log client.
 *
 * Embedded in LOG_RECORD as client_id; 4 bytes in total.
 */
typedef struct {
/*  0*/	le16 seq_number;
/*  2*/	le16 client_index;	/* NOTE(review): presumably an index into the
				   log client array; as an on-disk value it
				   should be range-checked against log_clients
				   before use -- confirm. */
/* sizeof() = 4 bytes */
} __attribute__((__packed__)) LOG_CLIENT_ID;

/*
 *	LOG_RECORD_TYPE : types of log records
 *
 *	The enum is anonymous; the on-disk field (record_type in LOG_RECORD)
 *	uses the le32 typedef below.  The named values are stored in
 *	little-endian form via const_cpu_to_le32().
 */

enum {
	LOG_STANDARD =		const_cpu_to_le32(1),
	LOG_CHECKPOINT =	const_cpu_to_le32(2),
	/* Not a record type: largest 32-bit value, apparently only there to
	   fix the enum width (compare the 16-bit place holders elsewhere in
	   this file). */
	LOG_RECORD_TYPE_PLACE_HOLDER = 0xffffffffU
} ;
typedef le32 LOG_RECORD_TYPE;

/*
 *	ATTRIBUTE_FLAGS : flags describing the kind of NTFS record that
 *	is being updated.
 *	These flags were introduced in Vista, only two flags are known?
 *
 *	The enum is anonymous; the on-disk field (attribute_flags in
 *	LOG_RECORD) uses the le16 typedef below.  Since only two values are
 *	known, other bit patterns read from disk have no defined meaning here.
 */

enum {
	ACTS_ON_MFT =		const_cpu_to_le16(2),
	ACTS_ON_INDX =		const_cpu_to_le16(8),
	/* Not a flag: 0xffff, apparently only there to fix the width at
	   16 bits. */
	ATTRIBUTE_FLAGS_PLACE_HOLDER = 0xffff,
} ;
typedef le16 ATTRIBUTE_FLAGS;

#define LOG_RECORD_HEAD_SZ 0x30 /* size of header of struct LOG_RECORD */

/**
 * struct LOG_RECORD - Log record header.
 *
 * Each log record seems to have a constant size of 0x70 bytes.
 *
 * Layout: a 0x30-byte common header (LOG_RECORD_HEAD_SZ), four le16 fields
 * at 0x30..0x37, then an anonymous union starting at 0x38 with two
 * alternative layouts, each ending in a zero-length array.  Which layout
 * applies is not stated here; presumably it follows record_type
 * (LOG_STANDARD vs LOG_CHECKPOINT) -- confirm in the code that parses it.
 *
 * NOTE(review): the offset/length fields (client_data_length, redo_offset,
 * redo_length, undo_offset, undo_length, record_offset, attribute_offset)
 * and the element count lcns_to_follow are read from disk.  A consumer
 * should verify that each of them stays inside the record and the log page
 * before indexing lcn_list[] or copying redo/undo data.
 */
typedef struct {
/* 0x00 */
	leLSN this_lsn;
	leLSN client_previous_lsn;
	leLSN client_undo_next_lsn;
/* 0x18 */
	le32 client_data_length;
	LOG_CLIENT_ID client_id;
/* 0x20 */
	LOG_RECORD_TYPE record_type;
	le32 transaction_id;
/* 0x28 */
	LOG_RECORD_FLAGS log_record_flags;
	le16 reserved_or_alignment[3];
/* Now are at ofs 0x30 into struct. */
	le16 redo_operation;
	le16 undo_operation;
	le16 redo_offset;
	le16 redo_length;
/* 0x38: start of the union. */
	union {
		struct {
			le16 undo_offset;
			le16 undo_length;
			le16 target_attribute;
			le16 lcns_to_follow;   /* Number of lcn_list entries
					      following this entry. */
/* Now at ofs 0x40. */
			le16 record_offset;
			le16 attribute_offset;
			le16 cluster_index;
			ATTRIBUTE_FLAGS attribute_flags;
			leVCN target_vcn;
/* Now at ofs 0x50. */
			leLCN lcn_list[0]; /* Only present if lcns_to_follow
						is not 0. */
		} __attribute__((__packed__));
		struct {
/* 0x38 */
			leLSN transaction_lsn;
			leLSN attributes_lsn;
			leLSN names_lsn;
			leLSN dirty_pages_lsn;
/* 0x58; zero-length array, so it adds nothing to sizeof(). */
			le64 unknown_list[0];
		} __attribute__((__packed__));
	} __attribute__((__packed__));
} __attribute__((__packed__)) LOG_RECORD;

/**
 * struct BITMAP_ACTION - Bitmap change being logged
 *
 * Two little-endian 32-bit fields, 8 bytes in total.  Unlike the other
 * structures in this header it is declared without the packed attribute
 * and without a typedef.
 *
 * NOTE(review): by their names, firstbit and count describe a run of bits;
 * both come from the journal, so firstbit + count should be checked
 * against the size of the target bitmap (and for 32-bit wrap-around)
 * before the run is applied -- confirm in the consumer.
 */

struct BITMAP_ACTION {
	le32 firstbit;
	le32 count;
} ;

/**
 * struct ATTR - Attribute record.
 *
 *	The format of an attribute record has changed from Windows 10.
 *	The old format was 44 bytes long, despite having 8 bytes fields,
 *	and this leads to alignment problems in arrays.
 *	This problem does not occur in the new format, which is shorter.
 *	The format being used can generally be determined from size.
 *
 *	Because the old record is packed and 44 bytes long, consecutive
 *	array elements do not start on 8-byte boundaries, so the 64-bit
 *	fields of every other element are misaligned.
 *	NOTE(review): the size used to pick the format presumably comes
 *	from the journal; a size that is neither 44 nor 40 should be
 *	rejected rather than guessed at -- confirm in the consumer.
 */
typedef struct {	/* Format up to Win10 (44 bytes) */
/*  0*/	le64 unknown1;
/*  8*/	le64 unknown2;
/* 16*/	le64 inode;
/* 24*/	leLSN lsn;
/* 32*/	le32 unknown3;
/* 36*/	le32 type;
/* 40*/	le32 unknown4;
/* sizeof() = 44 (0x2c) bytes */
} __attribute__((__packed__)) ATTR_OLD;

/*
 * Attribute record in the layout used since Windows 10.  It carries the
 * named fields type, inode and lsn in a different order than ATTR_OLD and
 * has one unknown field less, for a total of 40 bytes (a multiple of 8).
 */
typedef struct {	/* Format since Win10 (40 bytes) */
/*  0*/	le64 unknown1;
/*  8*/	le64 unknown2;
/* 16*/	le32 type;
/* 20*/	le32 unknown3;
/* 24*/	le64 inode;
/* 32*/	leLSN lsn;
/* sizeof() = 40 (0x28) bytes */
} __attribute__((__packed__)) ATTR_NEW;

/*
 * Exported $LogFile functions.  Only the prototypes are visible here; the
 * notes below are inferred from names and signatures and should be
 * confirmed against logfile.c.
 *
 * ntfs_check_logfile():    takes the $LogFile attribute and an out
 *	parameter rp; presumably validates the journal and returns a
 *	restart page header through *rp.  NOTE(review): ownership of *rp
 *	(who frees it, and whether it is set on failure) is not stated in
 *	this header.
 * ntfs_is_logfile_clean(): takes the attribute and a restart page header;
 *	presumably reports whether the journal is clean, using the rules
 *	documented for the RESTART_AREA fields.
 * ntfs_empty_logfile():    presumably resets the journal; returns int
 *	rather than BOOL, so callers should check the documented error
 *	convention instead of treating the result as a truth value.
 */
extern BOOL ntfs_check_logfile(ntfs_attr *log_na, RESTART_PAGE_HEADER **rp);
extern BOOL ntfs_is_logfile_clean(ntfs_attr *log_na, RESTART_PAGE_HEADER *rp);
extern int ntfs_empty_logfile(ntfs_attr *na);

#endif /* defined _NTFS_LOGFILE_H */