From nobody Sat Mar 29 20:04:08 2025
X-Original-To: freebsd-current@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZQ7dc4Vz6z5s188
	for <freebsd-current@mlmmj.nyi.freebsd.org>; Sat, 29 Mar 2025 20:04:20 +0000 (UTC)
	(envelope-from rick.macklem@gmail.com)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "smtp.gmail.com", Issuer "WR4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4ZQ7dc2KGJz3Vmy
	for <freebsd-current@freebsd.org>; Sat, 29 Mar 2025 20:04:20 +0000 (UTC)
	(envelope-from rick.macklem@gmail.com)
Authentication-Results: mx1.freebsd.org;
	none
Received: by mail-ed1-x530.google.com with SMTP id 4fb4d7f45d1cf-5e5c9662131so5009206a12.3
        for <freebsd-current@freebsd.org>; Sat, 29 Mar 2025 13:04:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1743278659; x=1743883459; darn=freebsd.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=MV2btYa5bjHa4dDBDafGDhN48XxHPX7q+PLp0+WksBU=;
        b=N17l3BTO6Sxtzuqb35h6x1f9lAth/eMKMSXGCgCyT198n0lc5Mp0EjSRL0kAW3GK5Q
         Bp/gkadTeo/j0RSiBGMe++6eb9iuzrlr35PNmXRSmHCHssE8Q7G+xlkwOw4ucweogTae
         nQfmThCgjGdqDIqvW5k0tQdVD8HAWwrqZMr9LawpuEM9zjRvg23S13Nur/8WXm5CLy71
         4YtdVV2LbXEXhHkLavYPnU2z95F4BYaciuEAJLembTswuRwJkszq0RnVKnZWSj0lOABS
         2wH9E5tYUr/8Ja6WPSiffmGhvbr+QKJT4AOpUEcbwkFWeNNl07o3EDNbvIQvVECeo93B
         OWVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1743278659; x=1743883459;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=MV2btYa5bjHa4dDBDafGDhN48XxHPX7q+PLp0+WksBU=;
        b=X6n0ee9rupaTeLEunDEC2Nus3vS7AQDGg95fOVjcca6SQEGcHEBLwf8DTntOR7WJG7
         09b3yGsKbWhrIyBkHsfOg2DJAfrjc+TgLgBtueXx+JdRCeGpQByRdBHV+L08GmD7iXBf
         I6nibSf5oKThPB1QoI5FxuUZYr73sWrYLNru7MTCjfeE3Kpi/qTbQ2Y7A719v++czyYX
         gauT6v0+mGjR+/18t0X0nj31iZb9igoI1pOEIV4DSIWCc07BwujBxfErwvP5eVmhn+0C
         j8yqtt+lzRpUsoNUFHFRvLzDpD1DMFyLt3YJXRozXsnn70LBXdK2yy1ZTej04hcKwNSE
         AOWg==
X-Forwarded-Encrypted: i=1; AJvYcCWVwu77eTKFLYEygX9NUXiKPsufpgt34GkcLsEncf1SDA4lxwgnvaO9FLmY2Id15id3T4VO+y34V8zIGTJe0VA=@freebsd.org
X-Gm-Message-State: AOJu0Yz2Ec9bcWeP2YCmO/tIu2m0kKmDjdCwwkLxT3ICyBD1MQyN800o
	UCuNY8zTO85uud8FYuTcjLoddjUMz5ZwnHe7Ugs/v+cWmX+sFrOufQcizXDBF9xIcQdXmawxgGI
	1970zO5mnRXu1yjNMfX0j4c4zJAJ5
X-Gm-Gg: ASbGnctK2wlKoQF42GQGlYehOTrQo1iznp5JWuZKmFfxguzI+I1fgIeNVHePLLgNhxi
	4y3se4Hhs6OJ69PVZTgd0mN2/w6Qt42eORsjVpmiiRhGDnzsV+dlKrL7F0zFHMED/AKZiXjfpez
	dBdIfFrM8Dfe3vbTYH/hVeIB3M/QzQL9D2qdTFqpbd+jPVWoeOS1TdFd7+LA==
X-Google-Smtp-Source: AGHT+IFBjd3fkOiPBEEUzqPObypORsHmLaQzvZ/kNPvTNqCejJndhy0PdEfBHk84B0zIdIWY3gDtLaP+HopIWL7LsXQ=
X-Received: by 2002:a05:6402:348e:b0:5eb:cc1c:bb9e with SMTP id
 4fb4d7f45d1cf-5edfcc2724dmr3698002a12.7.1743278658663; Sat, 29 Mar 2025
 13:04:18 -0700 (PDT)
List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-current
List-Help: <mailto:freebsd-current+help@freebsd.org>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Subscribe: <mailto:freebsd-current+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-current+unsubscribe@freebsd.org>
Sender: owner-freebsd-current@FreeBSD.org
MIME-Version: 1.0
References: <CAM5tNy6wkfPRUpkyHB3h6=fhJHf-eFSWWNdeHV5VLA_xG7pGDA@mail.gmail.com>
 <410014e4-75a6-4923-8f84-3935cab41c31@blastwave.org> <CAM5tNy6UEcoNVTaZxXfje4UY+NuBcK-O3fBCNcf+-K4rBp7sVw@mail.gmail.com>
 <sntzdnewyxq2ncoemz5kq7ryirvhv2n2rrxkax265vsbjb2smm@ez7eyxigawpu>
 <CAM5tNy6DTULRg86ainHQYRP0pic60epi4yVDKJ_U3waf3N+e2Q@mail.gmail.com> <3dso3cojzxnylcfmpmgwzizp4omzpmnbfgz3zt5pvgeur4wss6@kblfkmtssebw>
In-Reply-To: <3dso3cojzxnylcfmpmgwzizp4omzpmnbfgz3zt5pvgeur4wss6@kblfkmtssebw>
From: Rick Macklem <rick.macklem@gmail.com>
Date: Sat, 29 Mar 2025 13:04:08 -0700
X-Gm-Features: AQ5f1JrBLw7qN6X9EIEEGSBgAmR2p1EXiGgU-sVe4NfdFL4DWV3xYWTNTJH4xY8
Message-ID: <CAM5tNy5Mc8sdcU5CQgTfSQRwxbe_Z7CxJwG3x_rkPj5Bj6nH3A@mail.gmail.com>
Subject: Re: RFC: Solaris style extended attributes for FreeBSD
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: Dennis Clarke <dclarke@blastwave.org>, freebsd-current@freebsd.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Rspamd-Pre-Result: action=no action;
	module=replies;
	Message is reply to one we originated
X-Spamd-Result: default: False [-4.00 / 15.00];
	REPLY(-4.00)[];
	TAGGED_FROM(0.00)[];
	ASN(0.00)[asn:15169, ipnet:2a00:1450::/32, country:US]
X-Rspamd-Queue-Id: 4ZQ7dc2KGJz3Vmy
X-Spamd-Bar: ----

On Sat, Mar 29, 2025 at 12:50=E2=80=AFPM Shawn Webb <shawn.webb@hardenedbsd=
.org> wrote:
>
> On Sat, Mar 29, 2025 at 12:39:02PM -0700, Rick Macklem wrote:
> > > I had added filesystem extended attribute support to libarchive, whic=
h
> > > is what FreeBSD's tar(1) is based off of. I upstreamed that, so that'=
s
> > > taken care of. FreeBSD's tar(1) has supported extended attributes
> > > since 2020 (see libarchive PR 1409:
> > > https://github.com/libarchive/libarchive/pull/1409)
> > Ok, thanks for the info. If this stuff goes into FreeBSD, it probably n=
eeds
> > to be tweaked to use the different syscall API so that it can handle la=
rge
> > attributes and maybe the attribute's mode. (someday, maybe?)
>
> I believe libarchive has been updated in FreeBSD since October 2020,
> so the vendored libarchive in FreeBSD should already support it. But,
> yeah, if FreeBSD makes changes to how extended attributes work, I or
> someone else would need to update libarchive to account for that.
>
> Since HardenedBSD follows FreeBSD closely (we sync every six hours), I
> would probably volunteer to update the libarchive code.
>
> > > Just one data point here: HardenedBSD uses filesystem extended
> > > attributes to toggle certain exploit mitigations on a per-application
> > > basis. That's why we added support to libarchive: so we can ship
> > > certain packages with exploit mitigations pre-toggled.
> > Just curious. Does it use "system" or "user" attribute space?
>
> We use the system namespace, though the userland tool (hbsdcontrol)
> was recently taught about the user namespace. The kernel side only
> supports system namespace. So the user namespace support in
> hbsdcontrol is somewhat meaningless. I do plan to eventually get to
> the kernel side, but my TODO list continues growing. :-)
Ok, this wouldn't be affected by the patches I've been doing, since they
handle user space only. (system space will still work, but only via the
extattr_XXX() APIs.

rick

>
> Thanks,
>
> --
> Shawn Webb
> Cofounder / Security Engineer
> HardenedBSD
>
> Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50
> https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/0=
3A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc