ssh_filter_btrbk.sh: exclude "btrfs subvolume show|list" from restrict-path

btrbk requires "btrfs subvolume list|show" queries from the mount
point in order to build btrfs trees. This conflicts with tightly set
--restrict-path.

doc/ssh_filter_btrbk.1.asciidoc

@@ -34,8 +34,8 @@ The accepted commands are specified by the "--source", "--target",
 
 The following commands are always allowed:
 
- - "btrfs subvolume show"
+ - "btrfs subvolume show" (not affected by "--restrict-path")
- - "btrfs subvolume list"
+ - "btrfs subvolume list" (not affected by "--restrict-path")
  - "readlink"
  - "cat /proc/self/mountinfo"
  - pipes through "gzip", "pigz", "bzip2", "pbzip2", "xz", "lzop",
@@ -80,7 +80,8 @@ OPTIONS
     Allow btrfs receive command: "btrfs receive".
 
 -p, --restrict-path <path>::
-    Restrict btrfs commands to <path>.
+    Restrict commands to <path>. Note that "btrfs subvolume show",
+    "btrfs subvolume list" are NOT affected by this option.
 
 -l, --log::
     Log ACCEPT and REJECT messages to the system log.

ssh_filter_btrbk.sh

@@ -161,8 +161,9 @@ while [[ "$#" -ge 1 ]]; do
     shift
 done
 
-allow_cmd "${sudo_prefix}btrfs subvolume show"; # subvolume queries are always allowed
+# NOTE: subvolume queries no NOT affected by "--restrict-path":
-allow_exact_cmd "${sudo_prefix}btrfs subvolume list ${file_match}"; # subvolume queries are always allowed
+# btrbk also calls show/list on the mount point of the subvolume
+allow_exact_cmd "${sudo_prefix}btrfs subvolume (show|list)( ${option_match})* ${file_match}";
 allow_cmd "${sudo_prefix}readlink"              # used to resolve mountpoints
 allow_exact_cmd "cat /proc/self/mountinfo"      # used to resolve mountpoints
 allow_exact_cmd "cat /proc/self/mounts"         # legacy, for btrbk < 0.27.0