Date: Tue, 29 Aug 2023 15:25:16 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: current@freebsd.org
Subject: Re: Possible issue with linux xattr support?
Message-ID: <20230829192516.jb2t65sp5rdlysss@mutt-hbsd>
In-Reply-To: <izo5sjuirgprs6dwcski2xtqqa3fqnjh47jpwrb5v4q4sqmark@3vybbvcdap4z>
References: <ZOuoH6Llw8PKgMJQ@heemeyer.club> <wuwg3egv3rilgfaa5hor47v3yjwzvxlt5krj4la4wvugcnhkg3@vgrtgfr7rc6i> <EA27BAE1-C687-47F9-BB6D-B72A85A5CA8D@cschubert.com> <elx6cvceobzgw66fskkfhhicsdpsur5xaktluu5tk7m7p4qwno@s7qmm4kyuvag> <ZOzD9noXVrslppot@heemeyer.club> <smfbmu35sxh2f3hu5nrpdwb355trlucd2bbp4ag5ke7v3zf3il@s3ua2x4i3nzj> <ZO4En1UJqcr4GGiw@heemeyer.club> <20230829190258.uc67572553e4fq3v@mutt-hbsd> <af11b09e-7b93-7c17-a8b8-6cea86291176@FreeBSD.org> <izo5sjuirgprs6dwcski2xtqqa3fqnjh47jpwrb5v4q4sqmark@3vybbvcdap4z>

On Tue, Aug 29, 2023 at 09:15:03PM +0200, Felix Palmen wrote:
> * Kyle Evans <kevans@FreeBSD.org> [20230829 14:07]:
> > On 8/29/23 14:02, Shawn Webb wrote:
> > > Back in 2019, I had a similar issue: I needed access to be able to
> > > read/write to the system extended attribute namespace from within a
> > > jailed context. I wrote a rather simple patch that provides that
> > > support on a per-jail basis:
> > >
> > > https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/96c85982b45e44a6105664c7068a92d0a61da2a3
> > >
> > > Hopefully that's useful to someone.
> > >
> > > Thanks,
> > >
> >
> > FWIW (which likely isn't much), I like this approach much better; it makes
> > more sense to me that it's a feature controlled by the creator of the jail
> > and not one allowed just by using a compat ABI within a jail.
>
> Well, a typical GNU userland won't work in a jail without this, that's
> what I know now. But I'm certainly with you, it doesn't feel logical
> that a Linux binary can do something in a jail a FreeBSD binary can't.
>
> So, indeed, making it a jail option sounds better.
>
> Unless, bringing back a question raised earlier in this thread: What's
> the reason to restrict this in a jailed context in the first place? IOW,
> could it just be allowed unconditionally?

In HardenedBSD's case, since we use filesystem extended attributes to
toggle exploit mitigations on a per-application basis, there's now a
conceptual security boundary between the host and the jail.

Should the jail and the host share resources, like executables, a
jailed process could toggle an exploit mitigation, and the toggle
would bubble up to the host. So the next time the host executed
/shared/app/executable/here, the security posture of the host would be
affected.

FreeBSD uses ELF header tagging, not filesystem extended attributes,
to toggle exploit mitigations. So my description above is moot for
FreeBSD users. I'm just hoping to share a unique perspective.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc