Re: Possible issue with linux xattr support?
- Reply: Kyle Evans : "Re: Possible issue with linux xattr support?"
- Reply: Dmitry Chagin : "Re: Possible issue with linux xattr support?"
- Reply: Alexander Leidinger : "Re: Possible issue with linux xattr support?"
- In reply to: Dmitry Chagin : "Re: Possible issue with linux xattr support?"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 29 Aug 2023 19:02:58 UTC
On Tue, Aug 29, 2023 at 05:45:51PM +0300, Dmitry Chagin wrote: > On Tue, Aug 29, 2023 at 12:59:11PM +0200, Felix Palmen wrote: > > * Dmitry Chagin <dchagin@freebsd.org> [20230828 18:57]: > > > On Mon, Aug 28, 2023 at 08:03:33AM +0200, Felix Palmen wrote: > > > > * Cy Schubert <Cy.Schubert@cschubert.com> [20230827 16:59]: > > > > > > > > > > If we are to break it to fix a problem, maybe a sysctl to enable/disable then? > > > > > > > > IMHO depends on the exact nature of the problem. If it's confirmed that > > > > it (always and only) breaks for jailed processes, just disabling it for > > > > them would be the better workaround. "No-op" calls won't break anything. > > > > > > > > > > please, try: https://people.freebsd.org/~dchagin/xattrerror.patch > > > > Thanks, I can confirm this avoids the issue in both cases I experienced > > (install from GNU coreutils and python). > > > thanks, this is the first half of the fix, it works for you due to you > are running tools under unprivileged user, afaiu. The second I have > tested by myself :) > > > If I understand this patch correctly, it completely avoids EPERM, > > masking it as not supported, so callers should consider it non-fatal, > > allowing to silently ignore writing of "system" attributes while still > > keeping other functionality? > > > system namespace is accessible only for privileged user, for others Linux > returns ENOTSUP. So many tools ignores this error, eg ls. > > the second: https://people.freebsd.org/~dchagin/sea_jailed.patch > > Try this under privileged user, please. Back in 2019, I had a similar issue: I needed access to be able to read/write to the system extended attribute namespace from within a jailed context. I wrote a rather simple patch that provides that support on a per-jail basis: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/96c85982b45e44a6105664c7068a92d0a61da2a3 Hopefully that's useful to someone. Thanks, -- Shawn Webb Cofounder / Security Engineer HardenedBSD https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc