Commit 1e1584d1 authored by Han-Wen Nienhuys

Filter out security labels, so user FSes do not have to deal with them.

parent c9919744
...@@ -223,6 +223,13 @@ type MountOptions struct { ...@@ -223,6 +223,13 @@ type MountOptions struct {
// Write size to use. If 0, use default. This number is // Write size to use. If 0, use default. This number is
// capped at the kernel maximum. // capped at the kernel maximum.
MaxWrite int MaxWrite int
// If IgnoreSecurityLabels is set, all security related xattr
// requests will return NO_DATA without passing through the
// user defined filesystem. You should only set this if you
// file system implements extended attributes, and you are not
// interested in security labels.
IgnoreSecurityLabels bool // ignoring labels should be provided as a fusermount mount option.
} }
// DefaultFileSystem implements a FileSystem that returns ENOSYS for every operation. // DefaultFileSystem implements a FileSystem that returns ENOSYS for every operation.
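Review bot: The doc comment on `IgnoreSecurityLabels` promises more than the handler in this commit does: it says "all security related xattr requests" return `NO_DATA`, while the code answers `ENODATA` only for GETXATTR on `security.capability` and the two `system.posix_acl_*` names. I would name those attributes and the status in the comment and fix "you file system" to "your file system". The comment should also state that, with the option set, any file capabilities or POSIX ACLs the file system stores are reported as absent to every caller, so an operator knows nothing that reads them will see them. The trailing comment on the field reads like an open task; `// TODO: expose this as a fusermount mount option.` on its own line would say so. The MountOptions struct starts outside this hunk.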
......
...@@ -158,7 +158,20 @@ func doWrite(state *MountState, req *request) { ...@@ -158,7 +158,20 @@ func doWrite(state *MountState, req *request) {
req.status = status req.status = status
} }
const _SECURITY_CAPABILITY = "security.capability"
const _SECURITY_ACL = "system.posix_acl_access"
const _SECURITY_ACL_DEFAULT = "system.posix_acl_default"
func doGetXAttr(state *MountState, req *request) { func doGetXAttr(state *MountState, req *request) {
if state.opts.IgnoreSecurityLabels && req.inHeader.opcode == _OP_GETXATTR {
fn := req.filenames[0]
if fn == _SECURITY_CAPABILITY || fn == _SECURITY_ACL_DEFAULT ||
fn == _SECURITY_ACL {
req.status = ENODATA
return
}
}
input := (*GetXAttrIn)(req.inData) input := (*GetXAttrIn)(req.inData)
var data []byte var data []byte
switch { switch {
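Review bot: The filter in doGetXAttr compares against three exact names, so other `security.*` attributes still reach the user file system, including `security.selinux`, which is presumably the kind of label the commit title refers to. If the intent is the whole namespace, `if strings.HasPrefix(fn, "security.") || fn == _SECURITY_ACL || fn == _SECURITY_ACL_DEFAULT {` would cover it; if the narrow list is deliberate, a comment above the constants should say why. `req.filenames[0]` is read without a length check, and since the request parsing is not visible here I cannot tell whether an empty slice is possible; a `len(req.filenames) > 0` guard in the outer condition would make that safe either way. The two ACL names live in the `system.` namespace, so `_SECURITY_ACL` is a slightly misleading constant name. The body of doGetXAttr continues outside the hunk.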
......