Date: Fri, 14 Jul 2017 12:17:47 +0000 From: Rick Macklem <rmacklem@uoguelph.ca> To: Konstantin Belousov <kostikbel@gmail.com>, Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au> Cc: FreeBSD Stable Mailing List <freebsd-stable@freebsd.org> Subject: Re: Extended "system" attributes within jailed environment dont work Message-ID: <YQBPR01MB018034F2FBD0820E508BC3F8DDAD0@YQBPR01MB0180.CANPRD01.PROD.OUTLOOK.COM> In-Reply-To: <20170714094314.GT1935@kib.kiev.ua> References: <cb70e03c-4dce-a530-2cf7-daaf1d9df74f@heuristicsystems.com.au> <20170714075607.GQ1935@kib.kiev.ua> <3c08bee6-3f4e-e176-24b3-4b987188634f@heuristicsystems.com.au>, <20170714094314.GT1935@kib.kiev.ua>
next in thread | previous in thread | raw e-mail | index | archive | help
Konstantin Belousov wrote: >On Fri, Jul 14, 2017 at 07:28:58PM +1000, Dewayne Geraghty wrote: [stuff snipped] >> >> I suppose that the crux to the question is - why should the "system" >> namespace not be available within a jail? >Perhaps because system namespace (can) carry attributes which modify the >filesystem behaviour in a way which is considered inappropriate to allow >for jailed root. This is somewhat similar to jail security.allow_chflags >knob, but with more unfortunate consequences. > >I do not claim that system namespace cannot be opened to the jailed root, >but doing so requires a review of all implemented system ext attributes, >across all types of filesystems. One *hackish* way to deal with this might be to have the attribute created within the "user" namepsace with "system." prepended to it's name when with= in a jail. - That would allow SAMBA (and others) set/get attributes that they specify as "system namespace", but the attributes wouldn't actually be in "system= namespace". Although the patch never ended up in head as yet, there was a similar issue w.r.t. extended attribute namespace for fuse filesystems, since fuse doesn'= t support the notion of a namespace. Just a suggestion. I have no strong opinion on this, rick
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YQBPR01MB018034F2FBD0820E508BC3F8DDAD0>