Date: Wed, 30 Aug 2023 16:23:34 -0400
From: Shawn Webb
To: Alexander Leidinger
Cc: Dmitry Chagin, current@freebsd.org
Subject: Re: Possible issue with linux xattr support?
Message-ID: <20230830202334.vvois6ijpf3h54zh@mutt-hbsd>
In-Reply-To: <8b49a01cfc32aa0a4bb9d0e9aebbe7be@Leidinger.net>
References: <20230829190258.uc67572553e4fq3v@mutt-hbsd> <8b49a01cfc32aa0a4bb9d0e9aebbe7be@Leidinger.net>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current
X-PGP-Key: https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/blob/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc

On Wed, Aug 30, 2023 at 06:55:14AM +0200, Alexander Leidinger wrote:
> On 2023-08-29 21:02, Shawn Webb wrote:
>
> > Back in 2019, I had a similar issue: I needed access to be able to
> > read/write to the system extended attribute namespace from within a
> > jailed context. I wrote a rather simple patch that provides that
> > support on a per-jail basis:
> >
> > https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/96c85982b45e44a6105664c7068a92d0a61da2a3
>
> You enabled it by default. I would assume you had a thought about the
> implications... any memories about it?
I hope you don't mind if I quote a response I wrote to another person on
the list about the feature:

=== begin quote ===

In HardenedBSD's case, since we use filesystem extended attributes to
toggle exploit mitigations on a per-application basis, there's now a
conceptual security boundary between the host and the jail. Should the
jail and the host share resources, like executables, a jailed process
could toggle an exploit mitigation, and the toggle would bubble up to
the host. So the next time the host executed
/shared/app/executable/here, the security posture of the host would be
affected.

FreeBSD uses ELF header tagging, not filesystem extended attributes, to
toggle exploit mitigations. So my description above is moot for FreeBSD
users. I'm just hoping to share a unique perspective.

=== end quote ===

The main reason for enabling it by default in HardenedBSD is so that
exploit mitigation toggles get applied to the application on
`pkg install` (or `make install` in ports.) We have patches to our ports
tree and have forked pkg to support the way we toggle exploit
mitigations. So, I wanted to make sure that applications would behave
the same in a jailed environment and the host... to avoid a POLA
violation.

>
> What I'm after is:
> - What can go wrong if we enable it by default?

I don't know if there's anything that could go wrong if FreeBSD was to
enable it by default. I think it might be more of a downstream issue:
those who have developed custom behavior backed by filesystem extended
attributes.

> - Why would we like to disable it (or any ideas why it is disabled by
> default in FreeBSD)?

I wouldn't want to dictate what approach FreeBSD takes, if any. I think
the approach I've taken works well for HardenedBSD. But the FreeBSD
community might prefer an entirely different approach altogether.

>
> Depending on the answers we may even use a simpler patch and have it
> allowed in jails even without the possibility to configure it.
I also wonder if extended attributes could be taught to (optionally?)
scope extended attributes to each jail. That might be a topic worth
exploring some day for someone. Just a random thought. :-)

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
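The risk Shawn describes above is that a system-namespace extended attribute on a binary shared between host and jail is one inode-level fact that both sides see, so a change made on the jail side changes what the host will do at its next exec. The defender-side check that follows is an added example for this thread; it is not code from HardenedBSD, FreeBSD, or the referenced commit. It records a baseline of system-namespace attributes on every executable under the directories an operator exports into jails (nullfs shares, for instance) and reports drift on later runs. It assumes FreeBSD's lsextattr(8) prints, for `lsextattr -q system PATH`, the attribute names of PATH separated by whitespace, and that the share roots are passed on the command line; the `runner` parameter is an assumption of this script so the parsing and diff logic can be exercised without the tool, and the attribute names in any sample output are constructed placeholders, not HardenedBSD's real toggle names.

```python
"""Baseline audit of system-namespace extended attributes on executables
that a host shares with jails (added example, not project code)."""
import json
import os
import stat
import subprocess
import sys
from typing import Callable, Dict, Iterable, List, Set

# A runner maps a path to the raw lsextattr output for it. The default runner
# shells out to lsextattr(8); tests can substitute a runner that returns
# constructed output, so nothing below depends on the tool being present.
Runner = Callable[[str], str]


def run_lsextattr(path: str) -> str:
    """Invoke lsextattr(8) on the system namespace of PATH (assumed format:
    names separated by whitespace). Returns "" if the tool is missing or the
    file has no attributes, so a missing tool reads as 'no attributes'."""
    try:
        proc = subprocess.run(["lsextattr", "-q", "system", path],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stdout if proc.returncode == 0 else ""


def parse_lsextattr(output: str) -> Set[str]:
    """Split lsextattr output into the set of attribute names it lists."""
    return {token for token in output.split() if token}


def is_executable_file(path: str) -> bool:
    """Regular file with any execute bit set; symlinks are not followed."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)


def executables_under(roots: Iterable[str]) -> List[str]:
    """Every executable beneath the given share roots, sorted for stable output."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                candidate = os.path.join(dirpath, name)
                if is_executable_file(candidate):
                    found.append(candidate)
    return sorted(found)


def snapshot(paths: Iterable[str], runner: Runner = run_lsextattr) -> Dict[str, Set[str]]:
    """Map each executable to the system-namespace attributes it carries now."""
    return {path: parse_lsextattr(runner(path)) for path in paths}


def diff_snapshots(before: Dict[str, Set[str]],
                   after: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Attributes added or removed per file between two snapshots. Any entry
    here on a shared binary means the host's view of that binary's attributes
    moved, which is exactly the cross-boundary effect the thread discusses."""
    changes: Dict[str, Dict[str, Set[str]]] = {}
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path, set()), after.get(path, set())
        if old != new:
            changes[path] = {"added": new - old, "removed": old - new}
    return changes


def main(argv: List[str]) -> int:
    """usage: audit_shared_extattr.py BASELINE.json SHARE_ROOT...
    The first run writes the baseline; later runs exit 1 on any drift."""
    if len(argv) < 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    baseline_file, roots = argv[1], argv[2:]
    current = snapshot(executables_under(roots))
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w", encoding="utf-8") as fh:
            json.dump({p: sorted(a) for p, a in current.items()}, fh, indent=2)
        print(f"baseline written: {baseline_file} ({len(current)} executables)")
        return 0
    with open(baseline_file, encoding="utf-8") as fh:
        before = {p: set(a) for p, a in json.load(fh).items()}
    changes = diff_snapshots(before, current)
    for path, change in changes.items():
        print(f"{path}: added={sorted(change['added'])} removed={sorted(change['removed'])}")
    return 1 if changes else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the host, not from inside a jail, since the point is to see the host's view of the shared binaries; re-running after a `pkg install` inside a jail that shares those paths is the case the thread is concerned with, and a non-zero exit is the signal to compare the reported names against what the host intended for that binary.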