From: Vivek Goyal <vgoyal@redhat.com>
To: "Dr. David Alan Gilbert (git)" <dgilbert@redhat.com>
Cc: dinechin@redhat.com, virtio-fs@redhat.com, qemu-devel@nongnu.org,
stefanha@redhat.com
Subject: Re: [PATCH v3 4/5] tools/virtiofsd: xattr name mapping examples
Date: Tue, 20 Oct 2020 10:40:41 -0400 [thread overview]
Message-ID: <20201020144041.GC380917@redhat.com> (raw)
In-Reply-To: <20201014180209.49299-5-dgilbert@redhat.com>
On Wed, Oct 14, 2020 at 07:02:08PM +0100, Dr. David Alan Gilbert (git) wrote:
> From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
>
> Add a few examples of xattrmaps to the documentation.
>
> Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
> ---
> docs/tools/virtiofsd.rst | 50 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 50 insertions(+)
>
> diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst
> index a3a120da2f..5cb64612ed 100644
> --- a/docs/tools/virtiofsd.rst
> +++ b/docs/tools/virtiofsd.rst
> @@ -163,6 +163,56 @@ in which case a 'server' rule will always match on all names from
> the server.
>
>
> +xattr-mapping Examples
> +----------------------
> +
> +1) Prefix all attributes with 'user.virtiofs.'
> +
> +::
> +
> +-o xattrmap=":prefix:all::user.virtiofs.::bad:all:::"
> +
Staring at rule.
":bad:all:::"
and trying to map this to ":type:scope:key:prepend:"
type==bad
scope==all
key==""
prepend==""
> +
> +This uses two rules, using : as the field separator;
> +the first rule prefixes and strips 'user.virtiofs.',
> +the second rule hides any non-prefixed attributes that
> +the host set.
What is non-prefixed xattr in this context. If client sends
"security.selinux", is prefixed or non-prefixed.
Documentation in first patch said.
+- 'bad' - If a client tries to use this name it's
+ denied using EPERM; when the server passes an attribute
+ name matching it's hidden.
I am not sure which xattr name will be blocked if key=="" and prepend==""
> +
> +2) Prefix 'trusted.' attributes, allow others through
> +
> +::
> +
> + "/prefix/all/trusted./user.virtiofs./
> + /bad/server//trusted./
> + /bad/client/user.virtiofs.//
> + /ok/all///"
> +
> +
> +Here there are four rules, using / as the field
> +separator, and also demonstrating that new lines can
> +be included between rules.
> +The first rule is the prefixing of 'trusted.' and
> +stripping of 'user.virtiofs.'.
So this is bidrectional rule, right. For setxattr(), "trusted."
will be replaced with "user.virtiofs" and for listxattr(),
server will replace user.virtiofs with trusted. ?
> +The second rule hides unprefixed 'trusted.' attributes
> +on the host.
If host has "trusted.*", we are not hiding it and as per first
rule we are converting it to "user.virtiofs.trusted.*", right?
So why this second rule is needed.
> +The third rule stops a guest from explicitly setting
> +the 'user.viritofs.' path directly.
> +Finally, the fourth rule lets all remaining attributes
> +through.
So If I don't specify third rule, and client does
setxattr(user.virtiofs.*), it will simply be a passthrough?
Thanks
Vivek
> +
> +3) Hide 'security.' attributes, and allow everything else
> +
> +::
> +
> + "/bad/all/security./security./
> + /ok/all///'
> +
> +The first rule combines what could be separate client and server
> +rules into a single 'all' rule, matching 'security.' in either
> +client arguments or lists returned from the host. This stops
> +the client seeing any 'security.' attributes on the server and
> +stops it setting any.
> +
> Examples
> --------
>
> --
> 2.28.0
>
next prev parent reply other threads:[~2020-10-20 14:47 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-14 18:02 [PATCH v3 0/5] virtiofsd xattr name mappings Dr. David Alan Gilbert (git)
2020-10-14 18:02 ` [PATCH v3 1/5] tools/virtiofsd: xattr name mappings: Add option Dr. David Alan Gilbert (git)
2020-10-20 9:07 ` Stefan Hajnoczi
2020-10-21 17:13 ` Dr. David Alan Gilbert
2020-10-20 14:04 ` Vivek Goyal
2020-10-22 14:52 ` Vivek Goyal
2020-10-23 15:46 ` Dr. David Alan Gilbert
2020-10-14 18:02 ` [PATCH v3 2/5] tools/virtiofsd: xattr name mappings: Map client xattr names Dr. David Alan Gilbert (git)
2020-10-20 9:16 ` Stefan Hajnoczi
2020-10-22 15:28 ` Vivek Goyal
2020-10-23 15:04 ` Dr. David Alan Gilbert
2020-10-14 18:02 ` [PATCH v3 3/5] tools/virtiofsd: xattr name mappings: Map server " Dr. David Alan Gilbert (git)
2020-10-20 9:52 ` Stefan Hajnoczi
2020-10-22 16:16 ` Vivek Goyal
2020-10-23 14:49 ` Dr. David Alan Gilbert
2020-10-14 18:02 ` [PATCH v3 4/5] tools/virtiofsd: xattr name mapping examples Dr. David Alan Gilbert (git)
2020-10-20 9:56 ` Stefan Hajnoczi
2020-10-20 14:40 ` Vivek Goyal [this message]
2020-10-20 15:34 ` Dr. David Alan Gilbert
2020-10-20 17:56 ` Vivek Goyal
2020-10-20 19:02 ` Dr. David Alan Gilbert
2020-10-21 13:44 ` Vivek Goyal
2020-10-21 17:39 ` Dr. David Alan Gilbert
2020-10-14 18:02 ` [PATCH v3 5/5] tools/virtiofsd: xattr name mappings: Simple 'map' Dr. David Alan Gilbert (git)
2020-10-20 10:09 ` Stefan Hajnoczi
2020-10-20 11:35 ` Dr. David Alan Gilbert
2020-10-22 13:42 ` Vivek Goyal
2020-10-23 13:05 ` Dr. David Alan Gilbert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201020144041.GC380917@redhat.com \
--to=vgoyal@redhat.com \
--cc=dgilbert@redhat.com \
--cc=dinechin@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=stefanha@redhat.com \
--cc=virtio-fs@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).