Re: Possible issue with linux xattr support?

In reply to: Felix Palmen : "Re: Possible issue with linux xattr support?"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Shawn Webb <shawn.webb_at_hardenedbsd.org>
Date: Tue, 29 Aug 2023 19:36:06 UTC

On Tue, Aug 29, 2023 at 09:31:46PM +0200, Felix Palmen wrote:
> * Shawn Webb <shawn.webb@hardenedbsd.org> [20230829 15:25]:
> > On Tue, Aug 29, 2023 at 09:15:03PM +0200, Felix Palmen wrote:
> > > * Kyle Evans <kevans@FreeBSD.org> [20230829 14:07]:
> > > > On 8/29/23 14:02, Shawn Webb wrote:
> > > > > Back in 2019, I had a similar issue: I needed access to be able to
> > > > > read/write to the system extended attribute namespace from within a
> > > > > jailed context. I wrote a rather simple patch that provides that
> > > > > support on a per-jail basis:
> > > > > 
> > > > > https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/96c85982b45e44a6105664c7068a92d0a61da2a3
> > > > > 
> > > > > Hopefully that's useful to someone.
> > > > > 
> > > > > Thanks,
> > > > > 
> > > > 
> > > > FWIW (which likely isn't much), I like this approach much better; it makes
> > > > more sense to me that it's a feature controlled by the creator of the jail
> > > > and not one allowed just by using a compat ABI within a jail.
> > > 
> > > Well, a typical GNU userland won't work in a jail without this, that's
> > > what I know now. But I'm certainly with you, it doesn't feel logical
> > > that a Linux binary can do something in a jail a FreeBSD binary can't.
> > > 
> > > So, indeed, making it a jail option sounds better.
> > > 
> > > Unless, bringing back a question raised earlier in this thread: What's
> > > the reason to restrict this in a jailed context in the first place? IOW,
> > > could it just be allowed unconditionally?
> > 
> > In HardenedBSD's case, since we use filesystem extended attributes to
> > toggle exploit mitigations on a per-application basis, there's now a
> > conceptual security boundary between the host and the jail.
> > 
> > Should the jail and the host share resources, like executables, a
> > jailed process could toggle an exploit mitigation, and the toggle
> > would bubble up to the host. So the next time the host executed
> > /shared/app/executable/here, the security posture of the host would be
> > affected.
> 
> Isn't the sane approach here *not* to share any executables with a jail
> other than via a read-only nullfs mount?

I thought about that, too, but nullfs is not guaranteed to be
available or applicable in all environments.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc