Re: Possible issue with linux xattr support?
- In reply to: Alexander Leidinger : "Re: Possible issue with linux xattr support?"
Date: Mon, 28 Aug 2023 18:06:46 UTC
On 2023-08-28 05:17, Alexander Leidinger wrote:
> On 2023-08-28 13:06, Dmitry Chagin wrote:
>> On Sun, Aug 27, 2023 at 09:55:23PM +0200, Felix Palmen wrote:
>>> * Dmitry Chagin <dchagin@freebsd.org> [20230827 22:46]:
>>> > I can fix this completely disabling extattr for jailed proc,
>>> > however, it's gonna be bullshit, though
>>>
>>> Would probably be better than nothing. AFAIK, "Linux jails" are used
>>> a lot, probably with userlands from distributions actually using xattr.
>>>
>>
>> It might make sense to allow this priv (PRIV_VFS_EXTATTR_SYSTEM) for linux
>> jails by default? What do you think, James?
>
> I think the question is more if we want to allow it in jails (not
> specific to linux jails, as in: if it is ok for linux jails, it should
> be ok for FreeBSD jails too). So the question is what does this
> protect the hosts from, if this is not allowed in jails? Some kind of
> possibility to DoS the host?

It's definitely an any-jail question, as there's no kernel-level idea of a Linux jail, in that any jail on a system with the linux module loaded can run whatever Linux binaries may exist.

- Jamie