Skip site navigation (1)Skip section navigation (2) 
Date:      Sat, 23 Mar 2024 15:57:33 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 277908] Capsicum filesystem extended attribute support is broken
Message-ID:  <bug-277908-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D277908

            Bug ID: 277908
           Summary: Capsicum filesystem extended attribute support is
                    broken
           Product: Base System
           Version: 14.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: shawn.webb@hardenedbsd.org
 Attachment #249428 text/plain
         mime type:

Created attachment 249428
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D249428&action=
=3Dedit
Example test case code

The extattr_get_fd(2) syscall is broken for file descriptors with the
CAP_EXTATTR_GET capability in a Capabilities-enabled process. Though I have=
n't
tried them, I suspect extattr_list_fd(2) and extattr_set_fd(2) is broken as
well (assuming the file descriptor has the matching CAP_EXTATTR_* rights(4)=
).

I've written a test case here:
https://git.hardenedbsd.org/shawn.webb/broken-capsicum/-/tree/main/extattr?=
ref_type=3Dheads

Reproduction steps are as follows:

1. git clone https://git.hardenedbsd.org/shawn.webb/broken-capsicum.git
2. cd broken-capsicum/extattr
3. make
4. touch /tmp/testfile-01
4. (as root) setextattr system test-01 asdf /tmp/testfile-01
5. (as root) obj/extattr /tmp/testfile-01

A message will be printed out: "extattr_get_fd: Not permitted in capability
mode"

>From reading the rights(4) manual page, the only thing needed for getting a
filesystem extended attribute value in a capabilities-enabled process is th=
at
the file descriptor has the CAP_EXTATTR_GET capability.

ZFS is being used on the systems I've tested. I don't know if UFS versus ZFS
makes any difference.

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-277908-227>