nbdkit-protect-filter(1)            NBDKIT            nbdkit-protect-filter(1)

NAME

       nbdkit-protect-filter - write-protect parts of a plugin

SYNOPSIS

        nbdkit --filter=protect plugin protect=START-END [protect=...]

DESCRIPTION

       "nbdkit-protect-filter" is a filter for nbdkit(1) that lets you write-
       protect parts of the underlying plugin.  This prevents clients from
       modifying ranges of the plugin, while still allowing the NBD connection
       to be writable in general.

       One use for this is to prevent clients from adding a phony header to
       the data to make it look like a non-raw disk format (like adding a
       qcow2 header), since that can be used in some exploits.

       To make the whole plugin readonly, use the nbdkit -r option on the
       command line.  To give selective access to the server, use
       nbdkit-ip-filter(1).  To serve only a subset of the plugin use
       nbdkit-offset-filter(1) or nbdkit-partition-filter(1).

EXAMPLES

   Protect the boot sector
       Protect the first part of the boot sector from writes, but allow the
       MBR partition table to be updated:

        nbdkit --filter=protect file disk.img protect=0-0x1bd

   Protect everything except a single partition
       Allow clients to write to a single partition on the disk, but prevent
       modifications to the partition table, boot sector, other partitions, or
       any other metadata outside the partition:

        $ fdisk -l disk.img
        Device    Boot  Start       End  Sectors Size Id Type
        disk.img1 *      2048  12580863 12578816   6G 83 Linux
        $ start=$((2048*512))
        $ end=$((12580863*512+511))
        $ nbdkit --filter=protect file disk.img protect=~$start-$end

       Notes:

       •   Data in other partitions and parts of the disk is still readable.

       •   The '~' character complements the range protected.  You might need
           to escape it from the shell using quotes or backslash.

       •   This is different from nbdkit-partition-filter(1) — that filter
           exposes the partition as a whole device.

PARAMETERS

       protect=START-END
           Protect the bytes starting at offset "START" through to offset
           "END" (inclusive).  Reads are permitted.  Writes to the protected
           range are only permitted if they do not change the content.  If an
           attempt is made to change the content, then the error "NBD_EPERM"
           (Operation not permitted) is returned to the client.

           "START" and "END" can be expressed in decimal, octal ("0NN") or
           hexadecimal ("0xNN").  If omitted then they default to the start
           and end of the underlying plugin respectively.

           This parameter can be given multiple times to protect several
           ranges.

       protect=~START-END
           This protects the complement of the range "START" to "END".
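
       The range rules above (number formats, omitted bounds, the '~'
       complement, and writes refused only when they change protected bytes)
       modelled as an added example.  This is not nbdkit source code; the
       names parse_num, parse_protect and write_allowed, the bounds check and
       the zero-filled sample image are assumptions made for illustration.

```python
# Added example: a model of the protect= semantics described above, not nbdkit code.

def parse_num(text):
    """Parse decimal, octal ("0NN") or hexadecimal ("0xNN") as the page describes."""
    text = text.lower()
    if text.startswith("0x"):
        return int(text[2:], 16)
    if len(text) > 1 and text.startswith("0"):
        return int(text[1:], 8)
    return int(text, 10)

def parse_protect(spec, size):
    """Return the inclusive (start, end) byte ranges protected by one protect= value."""
    complement = spec.startswith("~")
    start_text, dash, end_text = spec[1 if complement else 0:].partition("-")
    if not dash:
        raise ValueError("expected START-END, got %r" % spec)
    start = parse_num(start_text) if start_text else 0       # omitted START
    end = parse_num(end_text) if end_text else size - 1      # omitted END
    if start > end or end >= size:
        raise ValueError("range outside device: %r" % spec)  # this model's own check
    if not complement:
        return [(start, end)]
    outside = [(0, start - 1), (end + 1, size - 1)]
    return [(lo, hi) for lo, hi in outside if lo <= hi]

def write_allowed(ranges, offset, new, old):
    """False if the write changes any byte inside a protected range (the EPERM case)."""
    for start, end in ranges:
        lo, hi = max(start, offset), min(end, offset + len(new) - 1)
        if lo <= hi and new[lo - offset:hi - offset + 1] != old[lo - offset:hi - offset + 1]:
            return False
    return True

if __name__ == "__main__":
    disk = bytes(1024)                        # constructed sample: zero-filled image
    boot = parse_protect("0-0x1bd", len(disk))
    # Changing the MBR partition table (0x1be onwards) is outside the range.
    print(write_allowed(boot, 0x1be, b"\x80" * 16, disk[0x1be:0x1ce]))
    # Changing byte 0 of the boot code is refused.
    print(write_allowed(boot, 0, b"\xeb", disk[0:1]))
    # Rewriting the whole sector with identical content is permitted.
    print(write_allowed(boot, 0, disk[:512], disk[:512]))
    # The page's single-partition example: everything outside it is protected.
    start, end = 2048 * 512, 12580863 * 512 + 511
    print(parse_protect("~%d-%d" % (start, end), end + 1 + 1024 * 1024))
```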

FILES

       $filterdir/nbdkit-protect-filter.so
           The filter.

           Use "nbdkit --dump-config" to find the location of $filterdir.

VERSION

       "nbdkit-offset-filter" first appeared in nbdkit 1.30.

SEE ALSO

       nbdkit(1), nbdkit-file-plugin(1), nbdkit-ip-filter(1),
       nbdkit-offset-filter(1), nbdkit-partition-filter(1), nbdkit-filter(3).

AUTHORS

       Richard W.M. Jones

       Copyright (C) 2021 Red Hat Inc.

LICENSE

       Redistribution and use in source and binary forms, with or without
       modification, are permitted provided that the following conditions are
       met:

       •   Redistributions of source code must retain the above copyright
           notice, this list of conditions and the following disclaimer.

       •   Redistributions in binary form must reproduce the above copyright
           notice, this list of conditions and the following disclaimer in the
           documentation and/or other materials provided with the
           distribution.

       •   Neither the name of Red Hat nor the names of its contributors may
           be used to endorse or promote products derived from this software
           without specific prior written permission.

       THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND ANY
       EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
       IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
       PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR CONTRIBUTORS BE
       LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
       CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
       BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
       WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
       OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
       ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

nbdkit-1.32.5                     2023-01-03          nbdkit-protect-filter(1)