Date:      Sun, 27 May 2012 23:32:45 +0300
From:      Andriy Syrovenko <andriys@gmail.com>
To:        freebsd-jail@freebsd.org
Subject:   Access to system extattrs from within a jail
Message-ID:  <CAP1uzMgyRdL7rvGcpF3%2BSuooBaNQFiLYTY=ebrN3_RgPPGG8mA@mail.gmail.com>


Hello,

The current implementation of FreeBSD jails does not allow access to
extattrs in the system namespace from within a jail. I think, however,
that there are cases when it is desirable to allow jailed root to
access and modify system extended attributes. One case is running
jailed Samba, which, under certain circumstances, may store
information in system extended attributes.

Please find attached two patches that solve this issue for me. They
add an additional jail parameter, "allow.extattr_system". When set to 1,
this parameter allows jailed root to access and manipulate extattrs in
the system namespace. I've tested the patches on 9.0-RELEASE.

Are there any security concerns I may have overlooked? Is there any
chance to see these patches committed to base?

Best regards,
Andrey.

Attachments (base64 content not preserved in this archive copy):
  jail_extaddr_system_kern.patch
  jail_extaddr_system_user.patch
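The access decision the message is talking about, modeled in portable C as an added example (this is not FreeBSD's kernel code and not the attached patches): the system namespace is gated on the PRIV_VFS_EXTATTR_SYSTEM privilege, which the jail's privilege check refuses to any jailed credential, while the user namespace only gets ordinary discretionary access control. A hypothetical per-jail allow bit, PR_ALLOW_EXTATTR_SYSTEM, stands in for what an allow.extattr_system parameter would set. The function names mirror FreeBSD's for readability, but the struct layouts, the privilege number and the owner-or-root DAC rule are simplifications of the model, not FreeBSD's.

```c
/* Added example: portable model of the extattr namespace check and of the
 * hole a per-jail allow flag opens in it. Not FreeBSD kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Namespace values match sys/extattr.h. */
#define EXTATTR_NAMESPACE_USER   0x00000001
#define EXTATTR_NAMESPACE_SYSTEM 0x00000002

/* The privilege the system namespace requires. Only the name is FreeBSD's;
 * the numeric value is arbitrary in this model. */
enum { PRIV_VFS_EXTATTR_SYSTEM = 1 };

/* Hypothetical per-jail allow bit (what allow.extattr_system=1 would set). */
#define PR_ALLOW_EXTATTR_SYSTEM 0x01u

struct prison { unsigned pr_allow; };                 /* model: NULL prison = host */
struct ucred  { unsigned uid; struct prison *cr_prison; };
struct vattr  { unsigned va_uid; };                   /* model: file owner only */

/* Model of the jail's privilege veto: inside a jail every privilege is
 * denied unless a jail flag explicitly re-enables it. */
static int prison_priv_check(const struct ucred *cred, int priv)
{
    if (cred->cr_prison == NULL)
        return 0;                                     /* not jailed: privilege held */
    switch (priv) {
    case PRIV_VFS_EXTATTR_SYSTEM:
        return (cred->cr_prison->pr_allow & PR_ALLOW_EXTATTR_SYSTEM) ? 0 : EPERM;
    default:
        return EPERM;
    }
}

/* Model of the privilege check: only uid 0 can hold a privilege, and the
 * jail gets a veto on top of that. */
static int priv_check_cred(const struct ucred *cred, int priv)
{
    if (cred->uid != 0)
        return EPERM;
    return prison_priv_check(cred, priv);
}

/* Model of the per-namespace decision: the system namespace needs the
 * privilege; the user namespace falls back to DAC (owner or root here). */
int extattr_check_cred(int attrnamespace, const struct ucred *cred,
                       const struct vattr *va)
{
    switch (attrnamespace) {
    case EXTATTR_NAMESPACE_SYSTEM:
        return priv_check_cred(cred, PRIV_VFS_EXTATTR_SYSTEM);
    case EXTATTR_NAMESPACE_USER:
        if (cred->uid == 0 || cred->uid == va->va_uid)
            return 0;
        return EACCES;
    default:
        return EINVAL;
    }
}

static const char *verdict(int err)
{
    return err == 0 ? "allowed" : err == EPERM ? "EPERM" :
           err == EACCES ? "EACCES" : "error";
}

int main(void)
{
    struct prison locked = { 0 };                        /* allow.extattr_system=0 */
    struct prison opened = { PR_ALLOW_EXTATTR_SYSTEM };  /* allow.extattr_system=1 */
    struct ucred host_root = { 0, NULL };
    struct ucred jail_root = { 0, &locked };
    struct ucred jail_root_allowed = { 0, &opened };
    struct ucred jail_user = { 1001, &opened };
    struct vattr file = { 1001 };                        /* constructed: file owned by uid 1001 */

    printf("system ns, host root:              %s\n",
           verdict(extattr_check_cred(EXTATTR_NAMESPACE_SYSTEM, &host_root, &file)));
    printf("system ns, jailed root, flag off:  %s\n",
           verdict(extattr_check_cred(EXTATTR_NAMESPACE_SYSTEM, &jail_root, &file)));
    printf("system ns, jailed root, flag on:   %s\n",
           verdict(extattr_check_cred(EXTATTR_NAMESPACE_SYSTEM, &jail_root_allowed, &file)));
    printf("system ns, jailed uid 1001, flag on: %s\n",
           verdict(extattr_check_cred(EXTATTR_NAMESPACE_SYSTEM, &jail_user, &file)));
    printf("user ns,   jailed root, flag off:  %s\n",
           verdict(extattr_check_cred(EXTATTR_NAMESPACE_USER, &jail_root, &file)));
    return 0;
}
```

The useful reading of the output: the flag changes nothing for a jailed non-root user and nothing for the user namespace; it is the only thing standing between jailed root and the system namespace. Because a jail shares its filesystem with the host, and on UFS ACLs are themselves stored as system-namespace extattrs, the parameter should stay off by default and be enabled only for the jails that need it, such as the Samba case above.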



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAP1uzMgyRdL7rvGcpF3%2BSuooBaNQFiLYTY=ebrN3_RgPPGG8mA>