Date: Tue, 29 Aug 2023 14:07:11 -0500 From: Kyle Evans <kevans@FreeBSD.org> To: Shawn Webb <shawn.webb@hardenedbsd.org>, Dmitry Chagin <dchagin@freebsd.org> Cc: current@freebsd.org Subject: Re: Possible issue with linux xattr support? Message-ID: <af11b09e-7b93-7c17-a8b8-6cea86291176@FreeBSD.org> In-Reply-To: <20230829190258.uc67572553e4fq3v@mutt-hbsd> References: <3q2k3tje2ig2s6wzy4hzvjmoyejiecminvcvevivumtukxrgki@btnpjbztyfa6> <ZOuNvisMH_GXHHX2@heemeyer.club> <pzu4sxp4wvfpn3mzzo2giw3otvg6z5ewia6rr2tdgpkjurfcfe@aat2k6ywm6jm> <ZOuoH6Llw8PKgMJQ@heemeyer.club> <wuwg3egv3rilgfaa5hor47v3yjwzvxlt5krj4la4wvugcnhkg3@vgrtgfr7rc6i> <EA27BAE1-C687-47F9-BB6D-B72A85A5CA8D@cschubert.com> <elx6cvceobzgw66fskkfhhicsdpsur5xaktluu5tk7m7p4qwno@s7qmm4kyuvag> <ZOzD9noXVrslppot@heemeyer.club> <smfbmu35sxh2f3hu5nrpdwb355trlucd2bbp4ag5ke7v3zf3il@s3ua2x4i3nzj> <ZO4En1UJqcr4GGiw@heemeyer.club> <20230829190258.uc67572553e4fq3v@mutt-hbsd>
next in thread | previous in thread | raw e-mail | index | archive | help
On 8/29/23 14:02, Shawn Webb wrote: > On Tue, Aug 29, 2023 at 05:45:51PM +0300, Dmitry Chagin wrote: >> On Tue, Aug 29, 2023 at 12:59:11PM +0200, Felix Palmen wrote: >>> * Dmitry Chagin <dchagin@freebsd.org> [20230828 18:57]: >>>> On Mon, Aug 28, 2023 at 08:03:33AM +0200, Felix Palmen wrote: >>>>> * Cy Schubert <Cy.Schubert@cschubert.com> [20230827 16:59]: >>>>>> >>>>>> If we are to break it to fix a problem, maybe a sysctl to enable/disable then? >>>>> >>>>> IMHO depends on the exact nature of the problem. If it's confirmed that >>>>> it (always and only) breaks for jailed processes, just disabling it for >>>>> them would be the better workaround. "No-op" calls won't break anything. >>>>> >>>> >>>> please, try: https://people.freebsd.org/~dchagin/xattrerror.patch >>> >>> Thanks, I can confirm this avoids the issue in both cases I experienced >>> (install from GNU coreutils and python). >>> >> thanks, this is the first half of the fix, it works for you due to you >> are running tools under unprivileged user, afaiu. The second I have >> tested by myself :) >> >>> If I understand this patch correctly, it completely avoids EPERM, >>> masking it as not supported, so callers should consider it non-fatal, >>> allowing to silently ignore writing of "system" attributes while still >>> keeping other functionality? >>> >> system namespace is accessible only for privileged user, for others Linux >> returns ENOTSUP. So many tools ignores this error, eg ls. >> >> the second: https://people.freebsd.org/~dchagin/sea_jailed.patch >> >> Try this under privileged user, please. > > Back in 2019, I had a similar issue: I needed access to be able to > read/write to the system extended attribute namespace from within a > jailed context. I wrote a rather simple patch that provides that > support on a per-jail basis: > > https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/96c85982b45e44a6105664c7068a92d0a61da2a3 > > Hopefully that's useful to someone. > > Thanks, > FWIW (which likely isn't much), I like this approach much better; it makes more sense to me that it's a feature controlled by the creator of the jail and not one allowed just by using a compat ABI within a jail. Thanks, Kyle Evans
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?af11b09e-7b93-7c17-a8b8-6cea86291176>