From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 273517] [Linuxulator]: getxattr EPERM for non-root users inside chroots
Date: Sat, 02 Sep 2023 10:16:43 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273517

Bug ID: 273517
Summary: [Linuxulator]: getxattr EPERM for non-root users inside chroots
Product: Base System
Version: 14.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: jwmullally@gmail.com

Hi,

## Summary:

It seems that on FreeBSD 14.0-ALPHA3 for non-root users in Linux chroots, getxattr returns EPERM which causes some coreutils commands to fail (e.g. cp -a), whereas on FreeBSD 13.1 getxattr simply returned EOPNOTSUPP which lets the tools skip that step and continue successfully.

It might be the same issue as https://lists.freebsd.org/archives/freebsd-current/2023-August/004433.html "Possible issue with linux xattr support?"

## Example impact:

"apt update" failing in a fresh debootstrap due to "cp -a" failure in the apt-key script, which runs as another user "_apt". This works OK on FreeBSD 13.1.

(See here https://forums.freebsd.org/threads/debian-12-bookworm-jail-encounters-gpg-error-in-freebsd-14-0.90093/#post-620794 for more details )

## Steps to reproduce:

### On fresh install FreeBSD system, where /root homedir is on UFS partition

pkg install sysutils/debootstrap
kldload linux64 fdescfs linprocfs linsysfs tmpfs
service linux onestart
cd /root
mkdir debian_build
cd debian_build
mkdir dev dev/fd dev/shm proc sys tmp
mount -t linprocfs none `pwd`/proc
mount -t devfs none `pwd`/dev
mount -t fdescfs none `pwd`/dev/fd
mount -t tmpfs none `pwd`/dev/shm
mount -t linsysfs none `pwd`/sys
mount -t tmpfs none `pwd`/tmp
chmod 1777 dev/shm tmp
debootstrap bullseye . http://deb.debian.org/debian
chroot . /bin/bash

### Inside the chroot

adduser --disabled-password --gecos "" someguy
su someguy
cd /home/someguy

### Comparing cp -a / cp --preserve=mode on both FreeBSD 13 and 14

someguy@freebsd14:~$ uname -a
FreeBSD freebsd14 14.0-ALPHA3 FreeBSD 14.0-ALPHA3 amd64 1400097 #0 stable/14-n265022-2af9390e54ed: Fri Aug 25 05:45:56 UTC 2023     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

someguy@freebsd13:~$ strace cp --preserve=mode hello hello2
fgetxattr(3, "system.posix_acl_access", 0x7fffffffdcc0, 132) = -1 EOPNOTSUPP (Operation not supported)
fsetxattr(4, "system.posix_acl_access", "\2\0\0\0\1\0\6\0\377\377\377\377\4\0\4\0\377\377\377\377 \0\4\0\377\377\377\377", 28, 0) = -1 EOPNOTSUPP (Operation not supported)
+++ exited with 0 +++

someguy@freebsd14:~$ strace cp --preserve=mode hello hello2
fgetxattr(3, "system.posix_acl_access", 0x7fffffffbd30, 132) = -1 EPERM (Operation not permitted)
+++ exited with 1 +++

### ls -l fails on FreeBSD 14

someguy@freebsd14:~$ ls -l
ls: hello: Operation not permitted
ls: hello2: Operation not permitted
total 0K
-rw-r--r-- 1 someguy someguy 0 Sep 1 20:11 hello
-rw-r--r-- 1 someguy someguy 0 Sep 1 21:14 hello2

someguy@freebsd14:~$ strace ls -l 2>&1 | grep getxattr
getxattr("hello", "system.posix_acl_access", NULL, 0) = -1 EPERM (Operation not permitted)
getxattr("hello2", "system.posix_acl_access", NULL, 0) = -1 EPERM (Operation not permitted)

### apt update apt-key failure:

root@freebsd14:/# ps auxfww
root 949 0.0 0.1 13404 2964 ? Ss 15:39 0:00 login [pam]
root 950 0.0 0.1 13368 3152 ? S 15:39 0:01 \_ -sh
root 25160 0.0 0.2 6036 4400 ? S 18:11 0:03 \_ /bin/bash
root 26053 0.0 0.5 14720 11140 ? T 18:25 0:00 \_ apt -oAPT::Status-Fd=1 -oDebug::Acquire::gpgv=1 update
_apt 26056 0.0 0.7 20448 14932 ? T 18:25 0:00 |   \_ /usr/lib/apt/methods/http
_apt 26058 0.0 0.4 13884 9832 ? T 18:25 0:00 |   \_ /usr/lib/apt/methods/gpgv
_apt 26059 0.0 0.4 14140 9944 ? T 18:25 0:00 |     \_ /usr/lib/apt/methods/gpgv
_apt 26060 0.0 0.0 2464 1652 ? T 18:25 0:00 |     \_ /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.OO1MDD /tmp/apt.data.FtsGdD
_apt 26061 0.0 0.0 2376 1552 ? T 18:25 0:00 |     \_ sleep 3600

root@freebsd14:~# su _apt -s /bin/dash
$ id
uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup)

_apt@freebsd14:/$ /bin/sh -x /usr/bin/apt-key --quiet --readonly verify --status-fd 1 /tmp/apt.sig.OO1MDD /tmp/apt.data.FtsGdD
# ...
+ ls -la /tmp/apt-key-gpghome.ptBlRcbxDY
ls: /tmp/apt-key-gpghome.ptBlRcbxDY: Operation not permitted
ls: /tmp/apt-key-gpghome.ptBlRcbxDY/.: Operation not permitted
ls: /tmp/apt-key-gpghome.ptBlRcbxDY/..: Operation not permitted
ls: /tmp/apt-key-gpghome.ptBlRcbxDY/pubring.gpg: Operation not permitted
total 56K
drwx------ 2 _apt root 64 Sep 1 19:41 .
drwxrwxrwt 3 root root 256 Sep 1 19:41 ..
-rw-r--r-- 1 _apt root 56156 Sep 1 19:41 pubring.gpg
+ cp -a /tmp/apt-key-gpghome.ptBlRcbxDY/pubring.gpg /tmp/apt-key-gpghome.ptBlRcbxDY/pubring.orig.gpg
cp: ‘/tmp/apt-key-gpghome.ptBlRcbxDY/pubring.gpg’: Operation not permitted
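
A minimal reproducer for the traces above, added here as an example and not part of the original report: it issues the same getxattr size query that ls -l makes and classifies the resulting errno. The tolerated-error policy (EOPNOTSUPP and ENODATA skipped, everything else fatal) and all function names are assumptions inferred from the strace output, not coreutils' own code.

```c
/* Added example. Build inside the Linux chroot and run as the
 * unprivileged user:  cc -o aclprobe aclprobe.c && ./aclprobe hello */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

enum acl_probe { ACL_PRESENT, ACL_SKIP, ACL_FATAL };

/* Assumed policy, inferred from the traces: "ACLs not supported" and
 * "no ACL on this file" are tolerated; anything else is an error. */
enum acl_probe classify_acl_errno(int err)
{
    if (err == EOPNOTSUPP || err == ENODATA)
        return ACL_SKIP;
    return ACL_FATAL;               /* EPERM lands here */
}

/* Same call as in the ls -l trace: size query with a NULL buffer. */
enum acl_probe probe_acl(const char *path, int *err_out)
{
    ssize_t n = getxattr(path, "system.posix_acl_access", NULL, 0);
    *err_out = (n < 0) ? errno : 0;
    return (n >= 0) ? ACL_PRESENT : classify_acl_errno(*err_out);
}

int main(int argc, char **argv)
{
    static const char *label[] = { "ACL present", "skipped", "FATAL" };
    int rc = 0;

    for (int i = 1; i < argc; i++) {
        int err;
        enum acl_probe r = probe_acl(argv[i], &err);
        printf("%s: %s%s%s\n", argv[i], label[r],
               err ? " - " : "", err ? strerror(err) : "");
        if (r == ACL_FATAL)
            rc = 1;                 /* mirrors the non-zero exit of cp */
    }
    return rc;
}
```

Under the behaviour reported for FreeBSD 13.1 this prints "skipped" and exits 0; under the behaviour reported for 14.0-ALPHA3 it prints "FATAL - Operation not permitted" and exits 1.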