- 'bad' - If a client tries to use a name matching 'key' it's
denied using EPERM; when the server passes an attribute
name matching 'prepend' it's hidden. In many ways it's use is very like
- 'ok' as either an explict terminator or for special handling of certain
+ 'ok' as either an explicit terminator or for special handling of certain
patterns.
**key** is a string tested as a prefix on an attribute name originating
to the matched **key** (or all attributes if **key** is empty).
There may be at most one 'map' rule and it must be the last rule in the set.
+Note: When the 'security.capability' xattr is remapped, the daemon has to do
+extra work to remove it during many operations, which the host kernel normally
+does itself.
+
xattr-mapping Examples
----------------------