Date: Sat, 29 Mar 2025 20:09:33 +0000 From: Shawn Webb <shawn.webb@hardenedbsd.org> To: Rick Macklem <rick.macklem@gmail.com> Cc: Dennis Clarke <dclarke@blastwave.org>, freebsd-current@freebsd.org Subject: Re: RFC: Solaris style extended attributes for FreeBSD Message-ID: <yjms7fqzbsxsqhu5hpbsosquqld6f2drifilfqn6d5qf2nsyer@pi72scnvai56> In-Reply-To: <CAM5tNy5Mc8sdcU5CQgTfSQRwxbe_Z7CxJwG3x_rkPj5Bj6nH3A@mail.gmail.com> References: <CAM5tNy6wkfPRUpkyHB3h6=fhJHf-eFSWWNdeHV5VLA_xG7pGDA@mail.gmail.com> <410014e4-75a6-4923-8f84-3935cab41c31@blastwave.org> <CAM5tNy6UEcoNVTaZxXfje4UY%2BNuBcK-O3fBCNcf%2B-K4rBp7sVw@mail.gmail.com> <sntzdnewyxq2ncoemz5kq7ryirvhv2n2rrxkax265vsbjb2smm@ez7eyxigawpu> <CAM5tNy6DTULRg86ainHQYRP0pic60epi4yVDKJ_U3waf3N%2Be2Q@mail.gmail.com> <3dso3cojzxnylcfmpmgwzizp4omzpmnbfgz3zt5pvgeur4wss6@kblfkmtssebw> <CAM5tNy5Mc8sdcU5CQgTfSQRwxbe_Z7CxJwG3x_rkPj5Bj6nH3A@mail.gmail.com>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On Sat, Mar 29, 2025 at 01:04:08PM -0700, Rick Macklem wrote: > On Sat, Mar 29, 2025 at 12:50 PM Shawn Webb <shawn.webb@hardenedbsd.org> wrote: > > > > On Sat, Mar 29, 2025 at 12:39:02PM -0700, Rick Macklem wrote: > > > > I had added filesystem extended attribute support to libarchive, which > > > > is what FreeBSD's tar(1) is based off of. I upstreamed that, so that's > > > > taken care of. FreeBSD's tar(1) has supported extended attributes > > > > since 2020 (see libarchive PR 1409: > > > > https://github.com/libarchive/libarchive/pull/1409) > > > Ok, thanks for the info. If this stuff goes into FreeBSD, it probably needs > > > to be tweaked to use the different syscall API so that it can handle large > > > attributes and maybe the attribute's mode. (someday, maybe?) > > > > I believe libarchive has been updated in FreeBSD since October 2020, > > so the vendored libarchive in FreeBSD should already support it. But, > > yeah, if FreeBSD makes changes to how extended attributes work, I or > > someone else would need to update libarchive to account for that. > > > > Since HardenedBSD follows FreeBSD closely (we sync every six hours), I > > would probably volunteer to update the libarchive code. > > > > > > Just one data point here: HardenedBSD uses filesystem extended > > > > attributes to toggle certain exploit mitigations on a per-application > > > > basis. That's why we added support to libarchive: so we can ship > > > > certain packages with exploit mitigations pre-toggled. > > > Just curious. Does it use "system" or "user" attribute space? > > > > We use the system namespace, though the userland tool (hbsdcontrol) > > was recently taught about the user namespace. The kernel side only > > supports system namespace. So the user namespace support in > > hbsdcontrol is somewhat meaningless. I do plan to eventually get to > > the kernel side, but my TODO list continues growing. :-) > Ok, this wouldn't be affected by the patches I've been doing, since they > handle user space only. (system space will still work, but only via the > extattr_XXX() APIs. Cool. I have another project that uses user namespaces: https://git.hardenedbsd.org/shawn.webb/altfs AltFS is a fusefs driver that stores file payload in filesystem extended attributes, using the user namespace. It only partially works and again is bitten by more important items on my TODO list. It mainly serves as a proof-of-concept for a weird data exfiltration technique. Not at all meant for actual production use. Do you already have a patch for review in Phabric? I might want to add myself to it so I can more easily keep informed. Thanks, -- Shawn Webb Cofounder / Security Engineer HardenedBSD Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50 https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAmfoU3YACgkQ/y5nonf4 4fr/Og/8DG/z0p1L9HbivCXVXD2aioV2kZJWOdiMXTHd7xBG9OFcO+uqilvcU3qg rErNz14ntZZNgq4rqydE5igWzaC2+pQo+0Dn5QJ/9LKAYfL8J6G1Z8RTEwD34BFz u95FatLpQw0hC1PM9VAeEV8hOPw+jnVL+LhCo2Xp5koL+ufV7pHRMEG2fllcAIgJ 7E+/qbkcP6x5mv7IxbkdsEWiUMs3WEX4s11Fsk8Mz63g65z8gkejOhFXxAgcLIJS KzOW1LQy4DeLzSBGybbwiQNPUb0YvHqCOcebmVYLAvAP9CyELtkqTwmXrr8lTOgR XrpUdMKyF85bYF4p0vt4rPz+Uop0Qm1PBz4N/nix5gnENNoCA87Ajxp/5sB3e5kF /SieyTn2rGK91Yv1HKXJX1zAkKdNHkCGpV35RIcNBoZDg58w4cleWLgtevhaOT3g TjOeWR6+Px8nO6YvaOjlVKrHen4WY3PnYd0E+zLKv1Of4DXufYDXqQWLIumgefSH HDHQ4fyiAkknMsxRBm2bBVOxJoGEWHgkP8o47wl0KNlTSJhjFZzIJc94/qdmS8a+ 94GxS6WFWGXsXB4+8XEvnn8IvW5hT6iZIMQaa+wRKRyLjA58KMYiL1BsjGPMO67q BUS4ukiXUAB32YlihUB1/WmebQPWeOkzFJWdrkhR2SCCZOlViQk= =mndp -----END PGP SIGNATURE-----home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?yjms7fqzbsxsqhu5hpbsosquqld6f2drifilfqn6d5qf2nsyer>