Date: Sat, 29 Mar 2025 19:50:37 +0000
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Rick Macklem <rick.macklem@gmail.com>
Cc: Dennis Clarke <dclarke@blastwave.org>, freebsd-current@freebsd.org
Subject: Re: RFC: Solaris style extended attributes for FreeBSD
Message-ID: <3dso3cojzxnylcfmpmgwzizp4omzpmnbfgz3zt5pvgeur4wss6@kblfkmtssebw>
In-Reply-To: <CAM5tNy6DTULRg86ainHQYRP0pic60epi4yVDKJ_U3waf3N%2Be2Q@mail.gmail.com>
References: <CAM5tNy6wkfPRUpkyHB3h6=fhJHf-eFSWWNdeHV5VLA_xG7pGDA@mail.gmail.com>
 <410014e4-75a6-4923-8f84-3935cab41c31@blastwave.org>
 <CAM5tNy6UEcoNVTaZxXfje4UY%2BNuBcK-O3fBCNcf%2B-K4rBp7sVw@mail.gmail.com>
 <sntzdnewyxq2ncoemz5kq7ryirvhv2n2rrxkax265vsbjb2smm@ez7eyxigawpu>
 <CAM5tNy6DTULRg86ainHQYRP0pic60epi4yVDKJ_U3waf3N%2Be2Q@mail.gmail.com>

On Sat, Mar 29, 2025 at 12:39:02PM -0700, Rick Macklem wrote:
> > I had added filesystem extended attribute support to libarchive, which
> > is what FreeBSD's tar(1) is based off of. I upstreamed that, so that's
> > taken care of. FreeBSD's tar(1) has supported extended attributes
> > since 2020 (see libarchive PR 1409:
> > https://github.com/libarchive/libarchive/pull/1409)
> Ok, thanks for the info. If this stuff goes into FreeBSD, it probably needs
> to be tweaked to use the different syscall API so that it can handle large
> attributes and maybe the attribute's mode. (someday, maybe?)

I believe libarchive has been updated in FreeBSD since October 2020, so
the vendored libarchive in FreeBSD should already support it.

But, yeah, if FreeBSD makes changes to how extended attributes work, I
or someone else would need to update libarchive to account for that.
Since HardenedBSD follows FreeBSD closely (we sync every six hours), I
would probably volunteer to update the libarchive code.

> > Just one data point here: HardenedBSD uses filesystem extended
> > attributes to toggle certain exploit mitigations on a per-application
> > basis. That's why we added support to libarchive: so we can ship
> > certain packages with exploit mitigations pre-toggled.
> Just curious. Does it use "system" or "user" attribute space?

We use the system namespace, though the userland tool (hbsdcontrol) was
recently taught about the user namespace. The kernel side only supports
system namespace. So the user namespace support in hbsdcontrol is
somewhat meaningless. I do plan to eventually get to the kernel side,
but my TODO list continues growing. :-)

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
