Date: Tue, 29 Aug 2023 23:16:39 +0300 From: Dmitry Chagin <dchagin@freebsd.org> To: Shawn Webb <shawn.webb@hardenedbsd.org> Cc: current@freebsd.org Subject: Re: Possible issue with linux xattr support? Message-ID: <ZO5SJ_I2Pde6YC2p@heemeyer.club> In-Reply-To: <20230829190258.uc67572553e4fq3v@mutt-hbsd> References: <ZOuNvisMH_GXHHX2@heemeyer.club> <pzu4sxp4wvfpn3mzzo2giw3otvg6z5ewia6rr2tdgpkjurfcfe@aat2k6ywm6jm> <ZOuoH6Llw8PKgMJQ@heemeyer.club> <wuwg3egv3rilgfaa5hor47v3yjwzvxlt5krj4la4wvugcnhkg3@vgrtgfr7rc6i> <EA27BAE1-C687-47F9-BB6D-B72A85A5CA8D@cschubert.com> <elx6cvceobzgw66fskkfhhicsdpsur5xaktluu5tk7m7p4qwno@s7qmm4kyuvag> <ZOzD9noXVrslppot@heemeyer.club> <smfbmu35sxh2f3hu5nrpdwb355trlucd2bbp4ag5ke7v3zf3il@s3ua2x4i3nzj> <ZO4En1UJqcr4GGiw@heemeyer.club> <20230829190258.uc67572553e4fq3v@mutt-hbsd>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Aug 29, 2023 at 03:02:58PM -0400, Shawn Webb wrote: > On Tue, Aug 29, 2023 at 05:45:51PM +0300, Dmitry Chagin wrote: > > On Tue, Aug 29, 2023 at 12:59:11PM +0200, Felix Palmen wrote: > > > * Dmitry Chagin <dchagin@freebsd.org> [20230828 18:57]: > > > > On Mon, Aug 28, 2023 at 08:03:33AM +0200, Felix Palmen wrote: > > > > > * Cy Schubert <Cy.Schubert@cschubert.com> [20230827 16:59]: > > > > > > > > > > > > If we are to break it to fix a problem, maybe a sysctl to enable/disable then? > > > > > > > > > > IMHO depends on the exact nature of the problem. If it's confirmed that > > > > > it (always and only) breaks for jailed processes, just disabling it for > > > > > them would be the better workaround. "No-op" calls won't break anything. > > > > > > > > > > > > > please, try: https://people.freebsd.org/~dchagin/xattrerror.patch > > > > > > Thanks, I can confirm this avoids the issue in both cases I experienced > > > (install from GNU coreutils and python). > > > > > thanks, this is the first half of the fix, it works for you due to you > > are running tools under unprivileged user, afaiu. The second I have > > tested by myself :) > > > > > If I understand this patch correctly, it completely avoids EPERM, > > > masking it as not supported, so callers should consider it non-fatal, > > > allowing to silently ignore writing of "system" attributes while still > > > keeping other functionality? > > > > > system namespace is accessible only for privileged user, for others Linux > > returns ENOTSUP. So many tools ignores this error, eg ls. > > > > the second: https://people.freebsd.org/~dchagin/sea_jailed.patch > > > > Try this under privileged user, please. > > Back in 2019, I had a similar issue: I needed access to be able to > read/write to the system extended attribute namespace from within a > jailed context. I wrote a rather simple patch that provides that > support on a per-jail basis: > > https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/96c85982b45e44a6105664c7068a92d0a61da2a3 > > Hopefully that's useful to someone. > Nice, thank you. I'd prefer to disable it by default, like on a host.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ZO5SJ_I2Pde6YC2p>