1nbdkit-protect-filter(1) NBDKIT nbdkit-protect-filter(1)
2
3
4
6 nbdkit-protect-filter - write-protect parts of a plugin
7
9 nbdkit --filter=protect plugin protect=START-END [protect=...]
10
12 "nbdkit-protect-filter" is a filter for nbdkit(1) that lets you write-
13 protect parts of the underlying plugin. This prevents clients from
14 modifying ranges of the plugin, while still allowing the NBD connection
15 to be writable in general.
16
17 One use for this is to prevent clients from adding a phony header to
18 the data to make it look like a non-raw disk format (like adding a
19 qcow2 header), since that can be used in some exploits.
20
21 To make the whole plugin readonly, use the nbdkit -r option on the
22 command line. To give selective access to the server, use
23 nbdkit-ip-filter(1). To serve only a subset of the plugin use
24 nbdkit-offset-filter(1) or nbdkit-partition-filter(1).
25
27 Protect the boot sector
28 Protect the first part of the boot sector from writes, but allow the
29 MBR partition table to be updated:
30
31 nbdkit --filter=protect file disk.img protect=0-0x1bd
32
33 Protect everything except a single partition
34 Allow clients to write to a single partition on the disk, but prevent
35 modifications to the partition table, boot sector, other partitions, or
36 any other metadata outside the partition:
37
38 $ fdisk -l disk.img
39 Device Boot Start End Sectors Size Id Type
40 disk.img1 * 2048 12580863 12578816 6G 83 Linux
41 $ start=$((2048*512))
42 $ end=$((12580863*512+511))
43 $ nbdkit --filter=protect file disk.img protect=~$start-$end
44
45 Notes:
46
47 • Data in other partitions and parts of the disk is still readable.
48
49 • The '~' character complements the range protected. You might need
50 to escape it from the shell using quotes or backslash.
51
52 • This is different from nbdkit-partition-filter(1) — that filter
53 exposes the partition as a whole device.
54
56 protect=START-END
57 Protect the bytes starting at offset "START" through to offset
58 "END" (inclusive). Reads are permitted. Writes to the protected
59 range are only permitted if they do not change the content. If an
60 attempt is made to change the content, then the error "NBD_EPERM"
61 (Operation not permitted) is returned to the client.
62
63 "START" and "END" can be expressed in decimal, octal ("0NN") or
64 hexadecimal ("0xNN"). If omitted then they default to the start
65 and end of the underlying plugin respectively.
66
67 This parameter can be given multiple times to protect several
68 ranges.
69
70 protect=~START-END
71 This protects the complement of the range "START" to "END".
72
74 $filterdir/nbdkit-protect-filter.so
75 The filter.
76
77 Use "nbdkit --dump-config" to find the location of $filterdir.
78
80 "nbdkit-offset-filter" first appeared in nbdkit 1.30.
81
83 nbdkit(1), nbdkit-file-plugin(1), nbdkit-ip-filter(1),
84 nbdkit-offset-filter(1), nbdkit-partition-filter(1), nbdkit-filter(3).
85
87 Richard W.M. Jones
88
90 Copyright (C) 2021 Red Hat Inc.
91
93 Redistribution and use in source and binary forms, with or without
94 modification, are permitted provided that the following conditions are
95 met:
96
97 • Redistributions of source code must retain the above copyright
98 notice, this list of conditions and the following disclaimer.
99
100 • Redistributions in binary form must reproduce the above copyright
101 notice, this list of conditions and the following disclaimer in the
102 documentation and/or other materials provided with the
103 distribution.
104
105 • Neither the name of Red Hat nor the names of its contributors may
106 be used to endorse or promote products derived from this software
107 without specific prior written permission.
108
109 THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND ANY
110 EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
111 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
112 PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR CONTRIBUTORS BE
113 LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
114 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
115 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
116 BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
117 WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
118 OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
119 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
120
121
122
123nbdkit-1.32.5 2023-01-03 nbdkit-protect-filter(1)