Date: Sun, 5 Jul 2020 07:15:38 -0400 From: Shawn Webb <shawn.webb@hardenedbsd.org> To: Baptiste Daroussin <bapt@FreeBSD.org> Cc: pkg@freebsd.org, dev@hardenedbsd.org Subject: Re: Filesystem extended attributes support Message-ID: <20200705111538.axuh3ohdpqkb74ym@mutt-hbsd> In-Reply-To: <20200704201100.lkcde42gtlgspwpr@ivaldir.net> References: <20200704141345.xwdf2ckxak2hfpkh@mutt-hbsd> <20200704201100.lkcde42gtlgspwpr@ivaldir.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--722nrty244veuwai Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Jul 04, 2020 at 10:11:00PM +0200, Baptiste Daroussin wrote: > On Sat, Jul 04, 2020 at 10:13:45AM -0400, Shawn Webb wrote: > > Hey FreeBSD pkg(8) developers, > >=20 > > Attached is a patch that implements filesystem extended attributes > > support. Only the system namespace is supported. In case the patch > > gets scrubbed from this email, I've posted it here: > > https://gist.github.com/d0b4653bc5942dbcdcd1db877d37c2dc > >=20 > > Anyone who wants to write unit tests is welcomed to do so. > >=20 > > This patch to pkg does depend on a separate patch to libarchive: > > https://github.com/libarchive/libarchive/pull/1409 > >=20 > > HardenedBSD has a separate patch to tmpfs that enables incredibly > > basic extended attribute support. The tmpfs patch is only needed for > > those who use tmpfs with poudriere. > >=20 > > And finally, another patch to the jails subsystem that allows a > > privileged user within a jail to set system namespace filesystem > > extended attributes (disabled by default) is needed for poudriere > > users. > >=20 > > The patch to tmpfs and jails is not included here as they are > > tangential. >=20 > Thank you for the patch at quick glance it looks fine to me. I would have > obviously to wait for libarchive to merge the patch first to be able to t= est it > and do a proper review at the time. >=20 > Don't hesitate to ping me again if you see no progress with libarchive has > merged the said patch. >=20 > I would have to rework it a bit probably: > - Add a configure detection of the fact libarchive does or not have the > necessary support > - Add regression tests to ensure I don't break this in the future. > - Maybe add an option to enable/disable it via pkg.conf (not sure yet abo= ut > that ;)) Sounds good. Thanks for the positive response. I might try to upstream the tmpfs patch as well, but I'm not sure I've got the locking right, yet. It's my first time working on a filesystem of any sort, and I'm not confident I got it right on the first try. Time will tell. With extended attribute support, pkg could also store a hash of the file as an extended attribute. One could use that as a method to determine whether changes have been made. Think: application integrity enforcement. So filesystem extended attribute support may have virtues outside of HardenedBSD's exploit mitigation toggling use case. Thanks, --=20 Shawn Webb Cofounder / Security Engineer HardenedBSD GPG Key ID: 0xFF2E67A277F8E1FA GPG Key Fingerprint: D206 BB45 15E0 9C49 0CF9 3633 C85B 0AF8 AB23 0FB2 https://git-01.md.hardenedbsd.org/HardenedBSD/pubkeys/src/branch/master/Sha= wn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc --722nrty244veuwai Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAl8BtlQACgkQ/y5nonf4 4fpq3w/+MO9tvFnIhtZT/NUIBH019bZ4LOWlFI0MT5IYigrXon51mdKyMUSUrtu0 YEb5lklPilPm3lg2FNEb5dXXjktfNDYg9iCpde3MazPmGpyQJJbvJWpgRCFfiKQG bmtyA/7FY1VPy4s4qgrFQtOK7xUl7xzoxtcqnYL2Jnub8hqdc71ZE/xI6SgSCL+q 0Z+rOQc67iuSaGNQqmAhx+nDQi0mGv/qzt213/o7olwGDmacRUsGfw089eCHCD1N i0RN7yk9BszEOg021+PD1/CTe4mfPps4PtM4g/qk6BfrvQ3eACKjWK1ew5FLZ18J qpSbeIMcAXM0A57CsM1YvNKxxvzb8/CWUBrr6SjIypT2N8JaU6DD7328cZz+Hfpp ss6o7hUdDBV2LCfS9HBri2Fmm/B5m7Qci08PSu1q24nTG7r+mSbCN3CVAYP7dRT9 zigxkNiZMuICCaT7k8akuDSv7xTjhqAZQnr5o2Dtdj27jX1iZOepCLcbX7IQg4wY fXquds/S4RBf5dSEbE/C7BXSQ/xtaGY8EyzegHXeV8OHaZZzpKycO4zLiNAmbinr wJ6uscd/SguiG2GZ2sddME16g+xkMZtN+Tirc+WBYLGLD6BRuIYF0lqt6yqkrWne zz+0k5lD16deotN3MFJ7rWHTf0mF/bqj5wGL0NMmASuYBxIJTnw= =gp6m -----END PGP SIGNATURE----- --722nrty244veuwai--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200705111538.axuh3ohdpqkb74ym>