virtiofsd: xattr mapping add a new type "unsupported"

Right now for xattr remapping, we support types of "prefix", "ok" or "bad".
Type "bad" returns -EPERM on setxattr and hides xattr in listxattr. For
getxattr, mapping code returns -EPERM but getxattr code converts it to -ENODATA.

I need a new semantics where if an xattr is unsupported, then
getxattr()/setxattr() return -ENOTSUP and listxattr() should hide the xattr.
This is needed to simulate that security.selinux is not supported by
virtiofs filesystem and in that case client falls back to some default
label specified by policy.

So add a new type "unsupported" which returns -ENOTSUP on getxattr() and
setxattr() and hides xattrs in listxattr().

For example, one can use following mapping rule to not support
security.selinux xattr and allow others.

"-o xattrmap=/unsupported/all/security.selinux/security.selinux//ok/all///"

Suggested-by: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Message-Id: <YUt9qbmgAfCFfg5t@redhat.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
This commit is contained in:
Vivek Goyal 2021-09-22 15:02:01 -04:00 committed by Dr. David Alan Gilbert
parent c5b2f55981
commit 5afc8df46c
2 changed files with 20 additions and 3 deletions

View File

@ -183,6 +183,12 @@ Using ':' as the separator a rule is of the form:
'ok' as either an explicit terminator or for special handling of certain 'ok' as either an explicit terminator or for special handling of certain
patterns. patterns.
- 'unsupported' - If a client tries to use a name matching 'key' it's
denied using ENOTSUP; when the server passes an attribute
name matching 'prepend' it's hidden. In many ways it's use is very like
'ok' as either an explicit terminator or for special handling of certain
patterns.
**key** is a string tested as a prefix on an attribute name originating **key** is a string tested as a prefix on an attribute name originating
on the client. It maybe empty in which case a 'client' rule on the client. It maybe empty in which case a 'client' rule
will always match on client names. will always match on client names.

View File

@ -2465,6 +2465,11 @@ static void lo_flock(fuse_req_t req, fuse_ino_t ino, struct fuse_file_info *fi,
* Automatically reversed on read * Automatically reversed on read
*/ */
#define XATTR_MAP_FLAG_PREFIX (1 << 2) #define XATTR_MAP_FLAG_PREFIX (1 << 2)
/*
* The attribute is unsupported;
* ENOTSUP on write, hidden on read.
*/
#define XATTR_MAP_FLAG_UNSUPPORTED (1 << 3)
/* scopes */ /* scopes */
/* Apply rule to get/set/remove */ /* Apply rule to get/set/remove */
@ -2636,6 +2641,8 @@ static void parse_xattrmap(struct lo_data *lo)
tmp_entry.flags |= XATTR_MAP_FLAG_OK; tmp_entry.flags |= XATTR_MAP_FLAG_OK;
} else if (strstart(map, "bad", &map)) { } else if (strstart(map, "bad", &map)) {
tmp_entry.flags |= XATTR_MAP_FLAG_BAD; tmp_entry.flags |= XATTR_MAP_FLAG_BAD;
} else if (strstart(map, "unsupported", &map)) {
tmp_entry.flags |= XATTR_MAP_FLAG_UNSUPPORTED;
} else if (strstart(map, "map", &map)) { } else if (strstart(map, "map", &map)) {
/* /*
* map is sugar that adds a number of rules, and must be * map is sugar that adds a number of rules, and must be
@ -2646,8 +2653,8 @@ static void parse_xattrmap(struct lo_data *lo)
} else { } else {
fuse_log(FUSE_LOG_ERR, fuse_log(FUSE_LOG_ERR,
"%s: Unexpected type;" "%s: Unexpected type;"
"Expecting 'prefix', 'ok', 'bad' or 'map' in rule %zu\n", "Expecting 'prefix', 'ok', 'bad', 'unsupported' or 'map'"
__func__, lo->xattr_map_nentries); " in rule %zu\n", __func__, lo->xattr_map_nentries);
exit(1); exit(1);
} }
@ -2749,6 +2756,9 @@ static int xattr_map_client(const struct lo_data *lo, const char *client_name,
if (cur_entry->flags & XATTR_MAP_FLAG_BAD) { if (cur_entry->flags & XATTR_MAP_FLAG_BAD) {
return -EPERM; return -EPERM;
} }
if (cur_entry->flags & XATTR_MAP_FLAG_UNSUPPORTED) {
return -ENOTSUP;
}
if (cur_entry->flags & XATTR_MAP_FLAG_OK) { if (cur_entry->flags & XATTR_MAP_FLAG_OK) {
/* Unmodified name */ /* Unmodified name */
return 0; return 0;
@ -2788,7 +2798,8 @@ static int xattr_map_server(const struct lo_data *lo, const char *server_name,
if ((cur_entry->flags & XATTR_MAP_FLAG_SERVER) && if ((cur_entry->flags & XATTR_MAP_FLAG_SERVER) &&
(strstart(server_name, cur_entry->prepend, &end))) { (strstart(server_name, cur_entry->prepend, &end))) {
if (cur_entry->flags & XATTR_MAP_FLAG_BAD) { if (cur_entry->flags & XATTR_MAP_FLAG_BAD ||
cur_entry->flags & XATTR_MAP_FLAG_UNSUPPORTED) {
return -ENODATA; return -ENODATA;
} }
if (cur_entry->flags & XATTR_MAP_FLAG_OK) { if (cur_entry->flags & XATTR_MAP_FLAG_OK) {