Date: Tue, 29 Aug 2023 15:17:12 -0500 From: Kyle Evans <kevans@FreeBSD.org> To: current@freebsd.org Subject: Re: Possible issue with linux xattr support? Message-ID: <54cf548e-73d8-3376-6ee9-2be0694396c7@FreeBSD.org> In-Reply-To: <izo5sjuirgprs6dwcski2xtqqa3fqnjh47jpwrb5v4q4sqmark@3vybbvcdap4z> References: <pzu4sxp4wvfpn3mzzo2giw3otvg6z5ewia6rr2tdgpkjurfcfe@aat2k6ywm6jm> <ZOuoH6Llw8PKgMJQ@heemeyer.club> <wuwg3egv3rilgfaa5hor47v3yjwzvxlt5krj4la4wvugcnhkg3@vgrtgfr7rc6i> <EA27BAE1-C687-47F9-BB6D-B72A85A5CA8D@cschubert.com> <elx6cvceobzgw66fskkfhhicsdpsur5xaktluu5tk7m7p4qwno@s7qmm4kyuvag> <ZOzD9noXVrslppot@heemeyer.club> <smfbmu35sxh2f3hu5nrpdwb355trlucd2bbp4ag5ke7v3zf3il@s3ua2x4i3nzj> <ZO4En1UJqcr4GGiw@heemeyer.club> <20230829190258.uc67572553e4fq3v@mutt-hbsd> <af11b09e-7b93-7c17-a8b8-6cea86291176@FreeBSD.org> <izo5sjuirgprs6dwcski2xtqqa3fqnjh47jpwrb5v4q4sqmark@3vybbvcdap4z>
next in thread | previous in thread | raw e-mail | index | archive | help
On 8/29/23 14:15, Felix Palmen wrote: > * Kyle Evans <kevans@FreeBSD.org> [20230829 14:07]: >> On 8/29/23 14:02, Shawn Webb wrote: >>> Back in 2019, I had a similar issue: I needed access to be able to >>> read/write to the system extended attribute namespace from within a >>> jailed context. I wrote a rather simple patch that provides that >>> support on a per-jail basis: >>> >>> https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/96c85982b45e44a6105664c7068a92d0a61da2a3 >>> >>> Hopefully that's useful to someone. >>> >>> Thanks, >>> >> >> FWIW (which likely isn't much), I like this approach much better; it makes >> more sense to me that it's a feature controlled by the creator of the jail >> and not one allowed just by using a compat ABI within a jail. > > Well, a typical GNU userland won't work in a jail without this, that's > what I know now. But I'm certainly with you, it doesn't feel logical > that a Linux binary can do something in a jail a FreeBSD binary can't. > > So, indeed, making it a jail option sounds better. > > Unless, bringing back a question raised earlier in this thread: What's > the reason to restrict this in a jailed context in the first place? IOW, > could it just be allowed unconditionally? > I don't think we can answer this definitively, FreeBSD has a pretty wide variety of users. I note that we don't /need/ to answer it, either, with Shawn's patch; it defaults to system xattrs allowed and an individual sysadmin can make that decision for their own context (and supporting the knob is relatively low-cost). The only part I'm not sure I agree with is the addition of the new flag to PR_ALLOW_DIFFERENCES. That allows it to be disabled by system root for jail "foo", but root in jail "foo" can create another jail "foo.bar" in which it *is* enabled (rather than only allowing "foo.bar" to have it enabled if its parent does). IMO the name PR_ALLOW_DIFFERENCES is a bit off, because to me it would imply that it just allows the flag to be set in one jail and unset in its child jail. Thanks, Kyle Evans
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54cf548e-73d8-3376-6ee9-2be0694396c7>