Date:      Sat, 29 Mar 2025 13:04:08 -0700
From:      Rick Macklem <rick.macklem@gmail.com>
To:        Shawn Webb <shawn.webb@hardenedbsd.org>
Cc:        Dennis Clarke <dclarke@blastwave.org>, freebsd-current@freebsd.org
Subject:   Re: RFC: Solaris style extended attributes for FreeBSD
Message-ID:  <CAM5tNy5Mc8sdcU5CQgTfSQRwxbe_Z7CxJwG3x_rkPj5Bj6nH3A@mail.gmail.com>
In-Reply-To: <3dso3cojzxnylcfmpmgwzizp4omzpmnbfgz3zt5pvgeur4wss6@kblfkmtssebw>
References:  <CAM5tNy6wkfPRUpkyHB3h6=fhJHf-eFSWWNdeHV5VLA_xG7pGDA@mail.gmail.com> <410014e4-75a6-4923-8f84-3935cab41c31@blastwave.org> <CAM5tNy6UEcoNVTaZxXfje4UY%2BNuBcK-O3fBCNcf%2B-K4rBp7sVw@mail.gmail.com> <sntzdnewyxq2ncoemz5kq7ryirvhv2n2rrxkax265vsbjb2smm@ez7eyxigawpu> <CAM5tNy6DTULRg86ainHQYRP0pic60epi4yVDKJ_U3waf3N%2Be2Q@mail.gmail.com> <3dso3cojzxnylcfmpmgwzizp4omzpmnbfgz3zt5pvgeur4wss6@kblfkmtssebw>


On Sat, Mar 29, 2025 at 12:50 PM Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
>
> On Sat, Mar 29, 2025 at 12:39:02PM -0700, Rick Macklem wrote:
> > > I had added filesystem extended attribute support to libarchive, which
> > > is what FreeBSD's tar(1) is based off of. I upstreamed that, so that's
> > > taken care of. FreeBSD's tar(1) has supported extended attributes
> > > since 2020 (see libarchive PR 1409:
> > > https://github.com/libarchive/libarchive/pull/1409)
> > Ok, thanks for the info. If this stuff goes into FreeBSD, it probably needs
> > to be tweaked to use the different syscall API so that it can handle large
> > attributes and maybe the attribute's mode. (someday, maybe?)
>
> I believe libarchive has been updated in FreeBSD since October 2020,
> so the vendored libarchive in FreeBSD should already support it. But,
> yeah, if FreeBSD makes changes to how extended attributes work, I or
> someone else would need to update libarchive to account for that.
>
> Since HardenedBSD follows FreeBSD closely (we sync every six hours), I
> would probably volunteer to update the libarchive code.
>
> > > Just one data point here: HardenedBSD uses filesystem extended
> > > attributes to toggle certain exploit mitigations on a per-application
> > > basis. That's why we added support to libarchive: so we can ship
> > > certain packages with exploit mitigations pre-toggled.
> > Just curious. Does it use "system" or "user" attribute space?
>
> We use the system namespace, though the userland tool (hbsdcontrol)
> was recently taught about the user namespace. The kernel side only
> supports system namespace. So the user namespace support in
> hbsdcontrol is somewhat meaningless. I do plan to eventually get to
> the kernel side, but my TODO list continues growing. :-)
Ok, this wouldn't be affected by the patches I've been doing, since they
handle user space only. (system space will still work, but only via the
extattr_XXX() APIs.)

rick

>
> Thanks,
>
> --
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
> https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

