Filter out security labels, so user FSes do not have to deal with them.

1e1584d1 · Han-Wen Nienhuys · c9919744 · 1e1584d1 · 1e1584d1
Commit 1e1584d1 authored Feb 29, 2012 by Han-Wen Nienhuys
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 0 deletions

fuse/api.go fuse/api.go +7 -0

fuse/opcode.go fuse/opcode.go +13 -0

No files found.
--- a/fuse/api.go
+++ b/fuse/api.go
@@ -223,6 +223,13 @@ type MountOptions struct {
 	// Write size to use.  If 0, use default. This number is
 	// capped at the kernel maximum.
 	MaxWrite int
+
+	// If IgnoreSecurityLabels is set, all security related xattr
+	// requests will return NO_DATA without passing through the
+	// user defined filesystem.  You should only set this if you
+	// file system implements extended attributes, and you are not
+	// interested in security labels.
+	IgnoreSecurityLabels bool // ignoring labels should be provided as a fusermount mount option.
 }

 // DefaultFileSystem implements a FileSystem that returns ENOSYS for every operation.

--- a/fuse/opcode.go
+++ b/fuse/opcode.go
@@ -158,7 +158,20 @@ func doWrite(state *MountState, req *request) {
 	req.status = status
 }

+const _SECURITY_CAPABILITY = "security.capability"
+const _SECURITY_ACL = "system.posix_acl_access"
+const _SECURITY_ACL_DEFAULT = "system.posix_acl_default"
+
 func doGetXAttr(state *MountState, req *request) {
+	if state.opts.IgnoreSecurityLabels && req.inHeader.opcode == _OP_GETXATTR {
+		fn := req.filenames[0]
+		if fn == _SECURITY_CAPABILITY || fn == _SECURITY_ACL_DEFAULT ||
+			fn == _SECURITY_ACL {
+			req.status = ENODATA
+			return
+		}
+	}
+	
 	input := (*GetXAttrIn)(req.inData)
 	var data []byte
 	switch {