From nobody Mon Aug 28 18:06:46 2023 X-Original-To: current@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4RZJRK3HLGz4rp86 for ; Mon, 28 Aug 2023 18:06:53 +0000 (UTC) (envelope-from jamie@freebsd.org) Received: from gritton.org (gritton.org [67.43.236.212]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "gritton.org", Issuer "gritton.org" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4RZJRK1bV7z3TRt; Mon, 28 Aug 2023 18:06:53 +0000 (UTC) (envelope-from jamie@freebsd.org) Authentication-Results: mx1.freebsd.org; none Received: from gritton.org (localgritton [127.0.0.212]) (authenticated bits=0) by gritton.org (8.16.1/8.16.1) with ESMTPA id 37SI6kdr028430; Mon, 28 Aug 2023 11:06:46 -0700 (PDT) (envelope-from jamie@freebsd.org) List-Id: Discussions about the use of FreeBSD-current List-Archive: https://lists.freebsd.org/archives/freebsd-current List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-current@freebsd.org MIME-Version: 1.0 Date: Mon, 28 Aug 2023 11:06:46 -0700 From: James Gritton To: Alexander Leidinger Cc: Dmitry Chagin , current@freebsd.org Subject: Re: Possible issue with linux xattr support? In-Reply-To: <7ef4e05c0dc9b9e10e1dbc16f485d83c@Leidinger.net> References: <3q2k3tje2ig2s6wzy4hzvjmoyejiecminvcvevivumtukxrgki@btnpjbztyfa6> <7ef4e05c0dc9b9e10e1dbc16f485d83c@Leidinger.net> User-Agent: Roundcube Webmail/1.4.11 Message-ID: <8c074df2316ba921aa94cbcea298641c@freebsd.org> X-Sender: jamie@freebsd.org Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:36666, ipnet:67.43.224.0/20, country:CA] X-Rspamd-Queue-Id: 4RZJRK1bV7z3TRt On 2023-08-28 05:17, Alexander Leidinger wrote: > Am 2023-08-28 13:06, schrieb Dmitry Chagin: >> On Sun, Aug 27, 2023 at 09:55:23PM +0200, Felix Palmen wrote: >>> * Dmitry Chagin [20230827 22:46]: > >>> > I can fix this completely disabling exttatr for jailed proc, >>> > however, it's gonna be bullshit, though >>> >>> Would probably be better than nothing. AFAIK, "Linux jails" are used >>> a >>> lot, probably with userlands from distributions actually using xattr. >>> >> >> It might sense to allow this priv (PRIV_VFS_EXTATTR_SYSTEM) for linux >> jails by default? What do think, James? > > I think the question is more if we want to allow it in jails (not > specific to linux jails, as in: if it is ok for linux jails, it should > be ok for FreeBSD jails too). So the question is what does this > protect the hosts from, if this is not allowed in jails? Some kind of > possibility to DoS the host? It's definitely an any-jail question, as there's no kernel-level idea of a Linux jail, in that any jail on a system with the linux module loaded can run whatever Linux binaries may exist. - Jamie