Date: Tue, 29 Aug 2023 15:02:58 -0400
From: Shawn Webb
To: Dmitry Chagin
Cc: current@freebsd.org
Subject: Re: Possible issue with linux xattr support?
Message-ID: <20230829190258.uc67572553e4fq3v@mutt-hbsd>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Tue, Aug 29, 2023 at 05:45:51PM +0300, Dmitry Chagin wrote:
> On Tue, Aug 29, 2023 at 12:59:11PM +0200, Felix Palmen wrote:
> > * Dmitry Chagin [20230828 18:57]:
> > > On Mon, Aug 28, 2023 at 08:03:33AM +0200, Felix Palmen wrote:
> > > > * Cy Schubert [20230827 16:59]:
> > > > >
> > > > > If we are to break it to fix a problem, maybe a sysctl to enable/disable then?
> > > >
> > > > IMHO depends on the exact nature of the problem. If it's confirmed that
> > > > it (always and only) breaks for jailed processes, just disabling it for
> > > > them would be the better workaround. "No-op" calls won't break anything.
> > > >
> > >
> > > please, try: https://people.freebsd.org/~dchagin/xattrerror.patch
> >
> > Thanks, I can confirm this avoids the issue in both cases I experienced
> > (install from GNU coreutils and python).
> >
> thanks, this is the first half of the fix, it works for you because you
> are running tools under an unprivileged user, afaiu. The second I have
> tested by myself :)
>
> > If I understand this patch correctly, it completely avoids EPERM,
> > masking it as not supported, so callers should consider it non-fatal,
> > allowing to silently ignore writing of "system" attributes while still
> > keeping other functionality?
> >
> system namespace is accessible only for privileged user, for others Linux
> returns ENOTSUP. So many tools ignore this error, e.g. ls.
>
> the second: https://people.freebsd.org/~dchagin/sea_jailed.patch
>
> Try this under privileged user, please.

Back in 2019, I had a similar issue: I needed access to be able to
read/write to the system extended attribute namespace from within a
jailed context. I wrote a rather simple patch that provides that
support on a per-jail basis:

https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/96c85982b45e44a6105664c7068a92d0a61da2a3

Hopefully that's useful to someone.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
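
The errno handling discussed in the quoted exchange, as an added example that is not part of the original message or of either linked patch: a tolerant attribute-copy loop run against two constructed backends, one reporting the system-namespace denial as EPERM and one as ENOTSUP. The `xattr_setter` type, the backends and the attribute names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for setxattr(2): returns 0, or -1 with errno set. */
typedef int (*xattr_setter)(const char *name);

/* Deny every write to the "system." namespace with the given errno. */
static int deny_system(const char *name, int err) {
    if (strncmp(name, "system.", 7) == 0) { errno = err; return -1; }
    return 0;
}
/* Constructed backend: the denial surfaces as EPERM. */
static int set_eperm(const char *name) { return deny_system(name, EPERM); }
/* Constructed backend: the same denial surfaces as ENOTSUP. */
static int set_enotsup(const char *name) { return deny_system(name, ENOTSUP); }

struct copy_result { int copied; int skipped; int fatal_errno; };

/* Tolerant copy loop: ENOTSUP skips the attribute, any other errno aborts. */
static struct copy_result copy_xattrs(const char *const *names, size_t n,
                                      xattr_setter set) {
    struct copy_result r = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        if (set(names[i]) == 0) { r.copied++; continue; }
        if (errno == ENOTSUP) { r.skipped++; continue; }
        r.fatal_errno = errno;   /* e.g. EPERM: treated as a hard failure */
        break;
    }
    return r;
}

/* Constructed attribute list, not taken from the thread. */
static const char *const SAMPLE[] = {
    "user.comment", "system.posix_acl_access", "user.origin"
};

int main(void) {
    struct copy_result a = copy_xattrs(SAMPLE, 3, set_eperm);
    struct copy_result b = copy_xattrs(SAMPLE, 3, set_enotsup);
    printf("EPERM backend:   copied=%d skipped=%d fatal=%s\n", a.copied,
           a.skipped, a.fatal_errno ? strerror(a.fatal_errno) : "none");
    printf("ENOTSUP backend: copied=%d skipped=%d fatal=%s\n", b.copied,
           b.skipped, b.fatal_errno ? strerror(b.fatal_errno) : "none");
    return 0;
}
```

With the EPERM backend the loop stops at the first `system.` attribute and the remaining `user.` attribute is never written; with the ENOTSUP backend only the `system.` attribute is dropped.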