From nobody Wed Aug 30 10:48:11 2023
X-Original-To: current@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RbLcJ1hFMz4s07Y
	for <current@mlmmj.nyi.freebsd.org>; Wed, 30 Aug 2023 10:48:16 +0000 (UTC)
	(envelope-from dchagin@heemeyer.club)
Received: from heemeyer.club (heemeyer.club [195.93.173.158])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4RbLcG6p1vz3cFx
	for <current@freebsd.org>; Wed, 30 Aug 2023 10:48:14 +0000 (UTC)
	(envelope-from dchagin@heemeyer.club)
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	spf=none (mx1.freebsd.org: domain of dchagin@heemeyer.club has no SPF policy when checking 195.93.173.158) smtp.mailfrom=dchagin@heemeyer.club;
	dmarc=none
Received: from heemeyer.club (localhost [127.0.0.1])
	by heemeyer.club (8.17.2/8.16.1) with ESMTP id 37UAmBT1010849
	for <current@freebsd.org>; Wed, 30 Aug 2023 13:48:11 +0300 (MSK)
	(envelope-from dchagin@heemeyer.club)
Received: (from dchagin@localhost)
	by heemeyer.club (8.17.2/8.16.1/Submit) id 37UAmBb0010848
	for current@freebsd.org; Wed, 30 Aug 2023 13:48:11 +0300 (MSK)
	(envelope-from dchagin)
Date: Wed, 30 Aug 2023 13:48:11 +0300
From: Dmitry Chagin <dchagin@freebsd.org>
To: current@freebsd.org
Subject: Re: Possible issue with linux xattr support?
Message-ID: <ZO8ea5sXCEKYimr1@heemeyer.club>
References: <ZOzD9noXVrslppot@heemeyer.club>
 <smfbmu35sxh2f3hu5nrpdwb355trlucd2bbp4ag5ke7v3zf3il@s3ua2x4i3nzj>
 <ZO4En1UJqcr4GGiw@heemeyer.club>
 <uvavvxn7vgjhf5fswoxcawuolvviq2idedxyt4fe6vtjlewsex@aqssespkdh4e>
 <ZO409dM4Ws7x_yuM@heemeyer.club>
 <g5lcvxsnjppbfchdtiufwxcbx7au2dbv2wkxwf5pqp66mo547b@vouujjivkgox>
 <ZO8EfRnfbF4ixn_L@heemeyer.club>
 <wp767un2xqnfmmox7uxrl3arrr3mzhccze7okk6zcmc4qnr2xj@kgjyjpezyfy6>
 <ZO8KaKBwliVeGdVG@heemeyer.club>
 <l5vgnwjddobhl5h2vceafhdo5uyqznaih7se7rk7bilwzqjpax@5ucptcralggq>
List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
List-Help: <mailto:freebsd-current+help@freebsd.org>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Subscribe: <mailto:freebsd-current+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-current+unsubscribe@freebsd.org>
Sender: owner-freebsd-current@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <l5vgnwjddobhl5h2vceafhdo5uyqznaih7se7rk7bilwzqjpax@5ucptcralggq>
X-Spamd-Bar: /
X-Spamd-Result: default: False [0.09 / 15.00];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	AUTH_NA(1.00)[];
	SUBJECT_ENDS_QUESTION(1.00)[];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	FORGED_SENDER(0.30)[dchagin@freebsd.org,dchagin@heemeyer.club];
	NEURAL_HAM_SHORT(-0.11)[-0.109];
	MIME_GOOD(-0.10)[text/plain];
	ASN(0.00)[asn:61400, ipnet:195.93.173.0/24, country:RU];
	DMARC_NA(0.00)[freebsd.org];
	R_SPF_NA(0.00)[no SPF record];
	R_DKIM_NA(0.00)[];
	MLMMJ_DEST(0.00)[current@freebsd.org];
	MIME_TRACE(0.00)[0:+];
	RCPT_COUNT_ONE(0.00)[1];
	FROM_NEQ_ENVFROM(0.00)[dchagin@freebsd.org,dchagin@heemeyer.club];
	FREEFALL_USER(0.00)[dchagin];
	RCVD_COUNT_TWO(0.00)[2];
	ARC_NA(0.00)[];
	RCVD_TLS_LAST(0.00)[];
	FROM_HAS_DN(0.00)[];
	PREVIOUSLY_DELIVERED(0.00)[current@freebsd.org];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	TO_DN_NONE(0.00)[];
	TO_DOM_EQ_FROM_DOM(0.00)[]
X-Rspamd-Queue-Id: 4RbLcG6p1vz3cFx

On Wed, Aug 30, 2023 at 12:01:13PM +0200, Felix Palmen wrote:
> * Dmitry Chagin <dchagin@freebsd.org> [20230830 12:22]:
> > On Wed, Aug 30, 2023 at 11:20:39AM +0200, Felix Palmen wrote:
> > > * Unprivileged user will get ENOTSUP when trying to access the system
> > >   namespace (regardless of the new jail setting), so GNU tools like e.g.
> > >   coreutils install should "just work".
> > ENOTSUP or ENODATA (getxattr)
> 
> Unfortunately, install from GNU coreutils is now unable to install
> anything again. I tried both as 'nobody' and as 'root', it doesn't make
> a difference:
> 
> | # /compat/linux/usr/bin/install -c .libs/libexpat.so.1.8.10 /wrkdirs/usr/ports/textproc/linuxsrc-expat/work/stage/compat/linux/usr/lib64/libexpat.so.1.8.10
> | /compat/linux/usr/bin/install: setting permissions for ‘/wrkdirs/usr/ports/textproc/linuxsrc-expat/work/stage/compat/linux/usr/lib64/libexpat.so.1.8.10’: Operation not permitted
> 
> .. and truss shows this again:
> 
> | linux_fsetxattr(0x4,0x401860e8,0x134dd0,0x1c,0x0) ERR#-1 'Operation not permitted'
> 
> This is without the new jail option. When I enable it, it still fails
> the same way as 'nobody' (which poudriere uses for building), but works
> fine as 'root'.
> 
> I assume the fsetxattr call needs some adjustment of error codes as well
> to make GNU tools play nice.
> 

I don't changed setxattr syscalls due to EPERM is a valid error from it,
however here's the essential difference between Linux and FreeBSD.
FreeBSD does not permits manipulatingg attributes in the
system namespace for unprivileged accounts. Well, we can return ENOTSUP
due to in Linux read and write access to system namespace depend on the
policy implemented for each filesystem, so we'll mimics we're a
filesystem that prohibits this for unprivelegd users.

https://people.freebsd.org/~dchagin/xattr.patch