| Message ID | 20200827153657.111098-7-dgilbert@redhat.com |
|---|---|
| State | New |
| Headers | show |
| Series | virtiofsd xattr name mappings | expand |
On a Thursday in 2020, Dr. David Alan Gilbert (git) wrote: >From: "Dr. David Alan Gilbert" <dgilbert@redhat.com> > >Add a few examples of xattrmaps to the documentation. > >Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> >--- > docs/tools/virtiofsd.rst | 49 ++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 49 insertions(+) > >diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst >index 2efa16d3c5..a138549862 100644 >--- a/docs/tools/virtiofsd.rst >+++ b/docs/tools/virtiofsd.rst >@@ -161,6 +161,55 @@ in which case a 'server' rule will always match on all names from > the server. > > >+xattr-mapping Examples >+---------------------- >+ >+1) Prefix all attributes with 'user.virtiofs.' >+ >+:: >+ >+-o xattrmap=":all:prefix::user.virtiofs.::all:bad:::" >+ >+ >+This uses two rules, using : as the field separator; >+the first rule prefixes and strips 'user.virtiofs.', >+the second rule hides any non-prefixed attributes that >+the host set. >+ >+2) Prefix 'trusted.' attributes, allow others through >+ >+:: >+ >+ "/all/prefix/trusted./user.virtiofs./ >+ /server/bad//trusted./ >+ /client/bad/user.virtiofs.trusted.// >+ /all/ok///" >+ >+ >+Here there are four rules, using / as the field >+separator, and also demonstrating that new lines can >+be included between rules. >+The first rule is the prefixing of 'trusted.'. >+The second rule hides unprefixed 'trusted.' attributes >+on the host. >+The third rule stops a guest from explicitily setting explicitly >+the 'user.viritofs.trusted.' path directly. >+Finally, the fourth rule lets all remaining attributes >+through. >+ >+3) Hide 'security.' attributes, and allow everything else >+ >+:: >+ >+ "/all/bad/security./security./ >+ /all/ok///' >+ >+The first rule combines what could be separate client and server >+rules into a single 'all' rule, matching 'security.' in either >+client arguments or lists returned from the host. This stops >+the client seeing any 'security.' attributes on the server and >+stops it setting any. extra space. Reviewed-by: Ján Tomko <jtomko@redhat.com> Jano
* Ján Tomko (jtomko@redhat.com) wrote: > On a Thursday in 2020, Dr. David Alan Gilbert (git) wrote: > > From: "Dr. David Alan Gilbert" <dgilbert@redhat.com> > > > > Add a few examples of xattrmaps to the documentation. > > > > Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com> > > --- > > docs/tools/virtiofsd.rst | 49 ++++++++++++++++++++++++++++++++++++++++ > > 1 file changed, 49 insertions(+) > > > > diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst > > index 2efa16d3c5..a138549862 100644 > > --- a/docs/tools/virtiofsd.rst > > +++ b/docs/tools/virtiofsd.rst > > @@ -161,6 +161,55 @@ in which case a 'server' rule will always match on all names from > > the server. > > > > > > +xattr-mapping Examples > > +---------------------- > > + > > +1) Prefix all attributes with 'user.virtiofs.' > > + > > +:: > > + > > +-o xattrmap=":all:prefix::user.virtiofs.::all:bad:::" > > + > > + > > +This uses two rules, using : as the field separator; > > +the first rule prefixes and strips 'user.virtiofs.', > > +the second rule hides any non-prefixed attributes that > > +the host set. > > + > > +2) Prefix 'trusted.' attributes, allow others through > > + > > +:: > > + > > + "/all/prefix/trusted./user.virtiofs./ > > + /server/bad//trusted./ > > + /client/bad/user.virtiofs.trusted.// > > + /all/ok///" > > + > > + > > +Here there are four rules, using / as the field > > +separator, and also demonstrating that new lines can > > +be included between rules. > > +The first rule is the prefixing of 'trusted.'. > > +The second rule hides unprefixed 'trusted.' attributes > > +on the host. > > +The third rule stops a guest from explicitily setting > > explicitly Thanks, I'll save that spare 'i' for another time. > > +the 'user.viritofs.trusted.' path directly. > > +Finally, the fourth rule lets all remaining attributes > > +through. > > + > > +3) Hide 'security.' attributes, and allow everything else > > + > > +:: > > + > > + "/all/bad/security./security./ > > + /all/ok///' > > + > > +The first rule combines what could be separate client and server > > +rules into a single 'all' rule, matching 'security.' in either > > +client arguments or lists returned from the host. This stops > > +the client seeing any 'security.' attributes on the server and > > +stops it setting any. > > extra space. Gone. > Reviewed-by: Ján Tomko <jtomko@redhat.com> Thanks! > > Jano
diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst index 2efa16d3c5..a138549862 100644 --- a/docs/tools/virtiofsd.rst +++ b/docs/tools/virtiofsd.rst @@ -161,6 +161,55 @@ in which case a 'server' rule will always match on all names from the server. +xattr-mapping Examples +---------------------- + +1) Prefix all attributes with 'user.virtiofs.' + +:: + +-o xattrmap=":all:prefix::user.virtiofs.::all:bad:::" + + +This uses two rules, using : as the field separator; +the first rule prefixes and strips 'user.virtiofs.', +the second rule hides any non-prefixed attributes that +the host set. + +2) Prefix 'trusted.' attributes, allow others through + +:: + + "/all/prefix/trusted./user.virtiofs./ + /server/bad//trusted./ + /client/bad/user.virtiofs.trusted.// + /all/ok///" + + +Here there are four rules, using / as the field +separator, and also demonstrating that new lines can +be included between rules. +The first rule is the prefixing of 'trusted.'. +The second rule hides unprefixed 'trusted.' attributes +on the host. +The third rule stops a guest from explicitily setting +the 'user.viritofs.trusted.' path directly. +Finally, the fourth rule lets all remaining attributes +through. + +3) Hide 'security.' attributes, and allow everything else + +:: + + "/all/bad/security./security./ + /all/ok///' + +The first rule combines what could be separate client and server +rules into a single 'all' rule, matching 'security.' in either +client arguments or lists returned from the host. This stops +the client seeing any 'security.' attributes on the server and +stops it setting any. + Examples --------