Date: Tue, 29 Aug 2023 15:17:12 -0500 From: Kyle Evans <kevans@FreeBSD.org> To: current@freebsd.org Subject: Re: Possible issue with linux xattr support? Message-ID: <54cf548e-73d8-3376-6ee9-2be0694396c7@FreeBSD.org> In-Reply-To: <izo5sjuirgprs6dwcski2xtqqa3fqnjh47jpwrb5v4q4sqmark@3vybbvcdap4z> References: <pzu4sxp4wvfpn3mzzo2giw3otvg6z5ewia6rr2tdgpkjurfcfe@aat2k6ywm6jm> <ZOuoH6Llw8PKgMJQ@heemeyer.club> <wuwg3egv3rilgfaa5hor47v3yjwzvxlt5krj4la4wvugcnhkg3@vgrtgfr7rc6i> <EA27BAE1-C687-47F9-BB6D-B72A85A5CA8D@cschubert.com> <elx6cvceobzgw66fskkfhhicsdpsur5xaktluu5tk7m7p4qwno@s7qmm4kyuvag> <ZOzD9noXVrslppot@heemeyer.club> <smfbmu35sxh2f3hu5nrpdwb355trlucd2bbp4ag5ke7v3zf3il@s3ua2x4i3nzj> <ZO4En1UJqcr4GGiw@heemeyer.club> <20230829190258.uc67572553e4fq3v@mutt-hbsd> <af11b09e-7b93-7c17-a8b8-6cea86291176@FreeBSD.org> <izo5sjuirgprs6dwcski2xtqqa3fqnjh47jpwrb5v4q4sqmark@3vybbvcdap4z>
index | next in thread | previous in thread | raw e-mail
On 8/29/23 14:15, Felix Palmen wrote: > * Kyle Evans <kevans@FreeBSD.org> [20230829 14:07]: >> On 8/29/23 14:02, Shawn Webb wrote: >>> Back in 2019, I had a similar issue: I needed access to be able to >>> read/write to the system extended attribute namespace from within a >>> jailed context. I wrote a rather simple patch that provides that >>> support on a per-jail basis: >>> >>> https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/96c85982b45e44a6105664c7068a92d0a61da2a3 >>> >>> Hopefully that's useful to someone. >>> >>> Thanks, >>> >> >> FWIW (which likely isn't much), I like this approach much better; it makes >> more sense to me that it's a feature controlled by the creator of the jail >> and not one allowed just by using a compat ABI within a jail. > > Well, a typical GNU userland won't work in a jail without this, that's > what I know now. But I'm certainly with you, it doesn't feel logical > that a Linux binary can do something in a jail a FreeBSD binary can't. > > So, indeed, making it a jail option sounds better. > > Unless, bringing back a question raised earlier in this thread: What's > the reason to restrict this in a jailed context in the first place? IOW, > could it just be allowed unconditionally? > I don't think we can answer this definitively, FreeBSD has a pretty wide variety of users. I note that we don't /need/ to answer it, either, with Shawn's patch; it defaults to system xattrs allowed and an individual sysadmin can make that decision for their own context (and supporting the knob is relatively low-cost). The only part I'm not sure I agree with is the addition of the new flag to PR_ALLOW_DIFFERENCES. That allows it to be disabled by system root for jail "foo", but root in jail "foo" can create another jail "foo.bar" in which it *is* enabled (rather than only allowing "foo.bar" to have it enabled if its parent does). IMO the name PR_ALLOW_DIFFERENCES is a bit off, because to me it would imply that it just allows the flag to be set in one jail and unset in its child jail. Thanks, Kyle Evanshome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54cf548e-73d8-3376-6ee9-2be0694396c7>