Date: Tue, 29 Aug 2023 15:25:16 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: current@freebsd.org
Subject: Re: Possible issue with linux xattr support?
Message-ID: <20230829192516.jb2t65sp5rdlysss@mutt-hbsd>
References: <20230829190258.uc67572553e4fq3v@mutt-hbsd>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Tue, Aug 29, 2023 at 09:15:03PM +0200, Felix Palmen wrote:
> * Kyle Evans [20230829 14:07]:
> > On 8/29/23 14:02, Shawn Webb wrote:
> > > Back in 2019, I had a similar issue: I needed access to be able to read/write to the system extended attribute namespace from within a jailed context. I wrote a rather simple patch that provides that support on a per-jail basis:
> > >
> > > https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/96c85982b45e44a6105664c7068a92d0a61da2a3
> > >
> > > Hopefully that's useful to someone.
> > >
> > > Thanks,
> > >
> >
> > FWIW (which likely isn't much), I like this approach much better; it makes more sense to me that it's a feature controlled by the creator of the jail and not one allowed just by using a compat ABI within a jail.
>
> Well, a typical GNU userland won't work in a jail without this, that's what I know now. But I'm certainly with you, it doesn't feel logical that a Linux binary can do something in a jail a FreeBSD binary can't.
>
> So, indeed, making it a jail option sounds better.
>
> Unless, bringing back a question raised earlier in this thread: What's the reason to restrict this in a jailed context in the first place? IOW, could it just be allowed unconditionally?

In HardenedBSD's case, since we use filesystem extended attributes to toggle exploit mitigations on a per-application basis, there's now a conceptual security boundary between the host and the jail. Should the jail and the host share resources, like executables, a jailed process could toggle an exploit mitigation, and the toggle would bubble up to the host. So the next time the host executed /shared/app/executable/here, the security posture of the host would be affected.

FreeBSD uses ELF header tagging, not filesystem extended attributes, to toggle exploit mitigations. So my description above is moot for FreeBSD users. I'm just hoping to share a unique perspective.
Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
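An added audit example, not code from the thread or from HardenedBSD: given fstab-style mount lines (assumed to be the format FreeBSD's `mount -p` prints) and the jail root paths, it lists host directories exposed read-write inside a jail through nullfs, which is exactly the "shared executables" situation the reply above describes. The mount table below is constructed; jail root paths are an assumed input.

```python
# Added audit example (not from the thread): flag nullfs mounts that expose a
# host directory read-write inside a jail. If the jail may write the system
# extended-attribute namespace, a per-file setting stored there on such a
# shared file is changed for the host too.
import os
from typing import NamedTuple

class Mount(NamedTuple):
    source: str      # directory being exposed (the fstab "special" field)
    mountpoint: str
    fstype: str
    options: frozenset

def parse_fstab_lines(text):
    """Parse fstab-style lines (assumed: the format 'mount -p' prints)."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        source, mountpoint, fstype, options = fields[:4]
        mounts.append(Mount(source, mountpoint, fstype,
                            frozenset(options.split(","))))
    return mounts

def _under(path, root):
    # commonpath refuses to mix absolute and relative paths, so guard first.
    if not (path.startswith("/") and root.startswith("/")):
        return False
    return os.path.commonpath([path, root]) == root

def shared_writable_paths(mounts, jail_roots):
    """(jail_root, host_source, mountpoint) for each rw nullfs mount that
    places a directory from outside the jail root inside it."""
    findings = []
    for m in mounts:
        if m.fstype != "nullfs" or "ro" in m.options:
            continue
        for root in jail_roots:
            if _under(m.mountpoint, root) and not _under(m.source, root):
                findings.append((root, m.source, m.mountpoint))
    return findings

# Constructed sample mount table, not output from any real system.
SAMPLE = """\
/dev/ada0p2 / ufs rw 1 1
/usr/local /jails/web/usr/local nullfs rw 0 0
/usr/share /jails/web/usr/share nullfs ro 0 0
tmpfs /jails/web/tmp tmpfs rw 0 0
/usr/local/bin /jails/build/usr/local/bin nullfs rw,late 0 0
"""

if __name__ == "__main__":
    print(shared_writable_paths(parse_fstab_lines(SAMPLE), ["/jails/web", "/jails/build"]))
```

Read-only nullfs mounts are skipped because the jail cannot write them; the remaining hits are the paths where a per-file toggle made from inside the jail would be visible to the host.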