Date: Sat, 29 Mar 2025 19:50:37 +0000
From: Shawn Webb
To: Rick Macklem
Cc: Dennis Clarke, freebsd-current@freebsd.org
Subject: Re: RFC: Solaris style extended attributes for FreeBSD
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On Sat, Mar 29, 2025 at 12:39:02PM -0700, Rick Macklem wrote:
> > I had added filesystem extended attribute support to libarchive, which
> > is what FreeBSD's tar(1) is based off of. I upstreamed that, so that's
> > taken care of. FreeBSD's tar(1) has supported extended attributes
> > since 2020 (see libarchive PR 1409:
> > https://github.com/libarchive/libarchive/pull/1409)
> Ok, thanks for the info. If this stuff goes into FreeBSD, it probably needs
> to be tweaked to use the different syscall API so that it can handle large
> attributes and maybe the attribute's mode. (someday, maybe?)

I believe libarchive has been updated in FreeBSD since October 2020,
so the vendored libarchive in FreeBSD should already support it.

But, yeah, if FreeBSD makes changes to how extended attributes work, I
or someone else would need to update libarchive to account for that.
Since HardenedBSD follows FreeBSD closely (we sync every six hours), I
would probably volunteer to update the libarchive code.

> > Just one data point here: HardenedBSD uses filesystem extended
> > attributes to toggle certain exploit mitigations on a per-application
> > basis. That's why we added support to libarchive: so we can ship
> > certain packages with exploit mitigations pre-toggled.
> Just curious. Does it use "system" or "user" attribute space?

We use the system namespace, though the userland tool (hbsdcontrol)
was recently taught about the user namespace. The kernel side only
supports system namespace. So the user namespace support in
hbsdcontrol is somewhat meaningless. I do plan to eventually get to
the kernel side, but my TODO list continues growing. :-)

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc