jail: Add the ability to access system-level filesystem extended attributes
Closed, Public

Authored by dchagin on Aug 30 2023, 8:01 AM.

Details

Summary

Prior to this commit, privileged accounts in a jail could not access the
filesystem extended attributes in the system namespace. To control access to
the system namespace on a per-jail basis, add a new configuration parameter,
allow.extattr, which is off by default.

Reported by: zirias
Obtained from: HardenedBSD
MFC after: 2 weeks

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

sys/kern/kern_jail.c
223

Do we create a KBI issue if we have conditional items in-between?

4063

The other PRIVs have a comment with an explanation why we have the PRIV.

4567

Same comment as above.

usr.sbin/jail/jail.8
646

s/jail/jail to/ ? Beware, English is not my native language.

Maybe also add an explicit mention about the non-system namespace, to make it clear if it is affected by this or not?

sys/kern/kern_jail.c
223

Negative

usr.sbin/jail/jail.8
646

Yes, "jail to ..."

dchagin added inline comments.
sys/kern/kern_jail.c
223

I don't see how

usr.sbin/jail/jail.8
646

Well, I added a link to extattr(9) that mentions privileges in the user namespace

Apart from the man page I have no further suggestions.

usr.sbin/jail/jail.8
646

The extattr(9) man page doesn't talk about limitations in jails. As such I propose to add the sentence "Other extattr namespaces are not affected by this setting (they are not restricted by jails)." or something to the effect that it makes clear that only the system namespace is limited in jails and that this setting removes this restriction.

usr.sbin/jail/jail.8
646

> The extattr(9) man page doesn't talk about limitations in jails. As such I propose to add the sentence "Other extattr namespaces are not affected by this setting (they are not restricted by jails)." or something to the effect that it makes clear that only the system namespace is limited in jails and that this setting removes this restriction.

I agree with the first sentence, maybe it would be better to fix the extattr(9)? The statement about system namespace restrictions is not clear, per my POV

This revision is now accepted and ready to land. (Aug 31 2023, 1:56 PM)