
Filter out security labels, so user FSes do not have to deal with them.

1 parent c991974 commit 1e1584d15f4b32bc766313e744daf9b7cd2abbd4 @hanwen committed
Showing with 20 additions and 0 deletions.
  1. +7 −0 fuse/api.go
  2. +13 −0 fuse/opcode.go
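--- a/fuse/api.go
+++ b/fuse/api.go
@@ -223,6 +223,13 @@ type MountOptions struct {
 // Write size to use. If 0, use default. This number is
 // capped at the kernel maximum.
 MaxWrite int
+
+ // If IgnoreSecurityLabels is set, all security related xattr
+ // requests will return NO_DATA without passing through the
+ // user defined filesystem. You should only set this if you
+ // file system implements extended attributes, and you are not
+ // interested in security labels.
+ IgnoreSecurityLabels bool // ignoring labels should be provided as a fusermount mount option.
 }
 // DefaultFileSystem implements a FileSystem that returns ENOSYS for every operation.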
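Review bot: The field comment on IgnoreSecurityLabels promises more than the fuse/opcode.go hunk in this commit delivers: it says "all security related xattr requests", while the filter there compares against three exact names and only when the opcode is _OP_GETXATTR. With the option set, a filesystem that does store file capabilities or POSIX ACLs will have them reported as absent on reads, which is worth stating for anyone enabling it. I would reword it to `// If IgnoreSecurityLabels is set, GETXATTR requests for security.capability, system.posix_acl_access and system.posix_acl_default return ENODATA without reaching the user filesystem.`, which also replaces "NO_DATA" with the status the code sets and drops the "if you file system" typo, and move the trailing fusermount remark to a `// TODO:` line of its own. The MountOptions struct starts above the hunk.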
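--- a/fuse/opcode.go
+++ b/fuse/opcode.go
@@ -158,7 +158,20 @@ func doWrite(state *MountState, req *request) {
 req.status = status
 }
+const _SECURITY_CAPABILITY = "security.capability"
+const _SECURITY_ACL = "system.posix_acl_access"
+const _SECURITY_ACL_DEFAULT = "system.posix_acl_default"
+
 func doGetXAttr(state *MountState, req *request) {
+ if state.opts.IgnoreSecurityLabels && req.inHeader.opcode == _OP_GETXATTR {
+ fn := req.filenames[0]
+ if fn == _SECURITY_CAPABILITY || fn == _SECURITY_ACL_DEFAULT ||
+ fn == _SECURITY_ACL {
+ req.status = ENODATA
+ return
+ }
+ }
+
 input := (*GetXAttrIn)(req.inData)
 var data []byte
 switch {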
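Review bot: The new guard at the top of doGetXAttr reads `req.filenames[0]` without checking that the request carried a name, and an empty slice would panic there; where `filenames` is filled in is not visible in this hunk, so I would make the condition `if state.opts.IgnoreSecurityLabels && req.inHeader.opcode == _OP_GETXATTR && len(req.filenames) > 0 {`. The match is also an exact comparison against three names, so other `security.*` attributes such as `security.selinux` still reach the user filesystem, and nothing in this hunk filters set or remove requests for the same names, so reads and writes of these attributes may end up disagreeing. If that narrow scope is intended, a comment above the three constants saying so would help, given the option is called IgnoreSecurityLabels. doGetXAttr's body continues past the end of the hunk.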
