Discussion:
[Bug 220712] Extended attributes within a jail cant be set
(too old to reply)
b***@freebsd.org
2017-07-14 05:54:48 UTC
Permalink
Raw Message
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220712

Mark Linimon <***@FreeBSD.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Assignee|freebsd-***@FreeBSD.org |freebsd-***@FreeBSD.org
--
You are receiving this mail because:
You are the assignee for the bug.
b***@freebsd.org
2017-07-14 08:32:05 UTC
Permalink
Raw Message
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220712

Mark Millard <***@dsl-only.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |***@dsl-only.net

--- Comment #1 from Mark Millard <***@dsl-only.net> ---
For reference, quoting Konstantin Belousov from:

https://lists.freebsd.org/pipermail/freebsd-stable/2017-July/087398.html . . .

"System namespace access is not allowed for jailed processes by design.
See sys/kern/vfs_subr.c:extattr_check_cred() and a comment there
explicitely mentioning the behaviour. The behaviour predates ~ year
2002, where extended attributes were introduced, and it makes sense."
--
You are receiving this mail because:
You are the assignee for the bug.
b***@freebsd.org
2017-07-19 07:18:03 UTC
Permalink
Raw Message
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220712

--- Comment #2 from ***@heuristicsystems.com.au ---
(In reply to Mark Millard from comment #1)
Refer to short-term, unsafe (from the SAMBA developers' perspective)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220844

Mark, as you've quoted, this was my reply, via the mailing-list to Konstantin
(who I have great respect for).

"With the passage of 15 years
other applications have come to use "system" namespace extended
attributes, as though they were in the host system. Unfortunately if
you have one physical box available to act as both an authentication
server (Quasi Active Directory) and a fileserver, then using a jailed
environment is the only solution.

By design? I suppose its akin to saying, why would you want to use
sysvipc from within a jail, with its global namespace (since FreeBSD
V5.0) ; or perhaps the use of raw sockets (FreeBSDv6.0); or mount within
a jail (FreeBSD V9.0); or...?
Probably because sophisticated use of jails is one of the many
outstanding features that sets FreeBSD apart from restrictive and
antiquated environments. Not all features of a base system should be
reflected in a jail, that would be silly; but where upstream
applications use features, then the enhancement of a jail's
configuration via way of, at least, an option - makes sense."

Interestingly the absence of SYSTEM namespace within a jailed environment also
prohibits use of MAC BIBA|MLS|LOMAC.
--
You are receiving this mail because:
You are the assignee for the bug.
Loading...