From: Andriy Syrovenko
To: freebsd-jail@freebsd.org
Date: Sun, 27 May 2012 23:32:45 +0300
Subject: Access to system extattrs from within a jail
List-Id: "Discussion about FreeBSD jail(8)"

Hello,

Current implementation of FreeBSD jails does not allow access to extattrs in the system namespace from within a jail. I think, however, that there are cases when it is desirable to allow jailed root to access and modify system extended attributes. One case is running jailed Samba, which, under certain circumstances, may store information in system extended attributes.

Please find attached two patches that solve this issue for me. They add an additional jail parameter, "allow.extattr_system". When set to 1, this parameter allows jailed root to access and manipulate extattrs in the system namespace.

I've tested the patches on 9.0-RELEASE.

Are there any security concerns I may have overlooked? Is there any chance to see these patches committed to base?

Best regards,
Andrey.

[Attachment: jail_extaddr_system_kern.patch]
[Attachment: jail_extaddr_system_user.patch]