From owner-freebsd-stable@freebsd.org  Fri Jul 14 12:17:50 2017
Return-Path: <owner-freebsd-stable@freebsd.org>
Delivered-To: freebsd-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 842F5DA05E2
 for <freebsd-stable@mailman.ysv.freebsd.org>;
 Fri, 14 Jul 2017 12:17:50 +0000 (UTC)
 (envelope-from rmacklem@uoguelph.ca)
Received: from CAN01-QB1-obe.outbound.protection.outlook.com
 (mail-eopbgr660061.outbound.protection.outlook.com [40.107.66.61])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
 (Client CN "mail.protection.outlook.com",
 Issuer "Microsoft IT SSL SHA2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 29AD563A61
 for <freebsd-stable@freebsd.org>; Fri, 14 Jul 2017 12:17:49 +0000 (UTC)
 (envelope-from rmacklem@uoguelph.ca)
Received: from YQBPR01MB0180.CANPRD01.PROD.OUTLOOK.COM (10.169.141.138) by
 YQBPR01MB0180.CANPRD01.PROD.OUTLOOK.COM (10.169.141.138) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
 15.1.1261.13; Fri, 14 Jul 2017 12:17:47 +0000
Received: from YQBPR01MB0180.CANPRD01.PROD.OUTLOOK.COM ([10.169.141.138]) by
 YQBPR01MB0180.CANPRD01.PROD.OUTLOOK.COM ([10.169.141.138]) with mapi id
 15.01.1261.018; Fri, 14 Jul 2017 12:17:47 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Konstantin Belousov <kostikbel@gmail.com>, Dewayne Geraghty
 <dewayne.geraghty@heuristicsystems.com.au>
CC: FreeBSD Stable Mailing List <freebsd-stable@freebsd.org>
Subject: Re: Extended "system" attributes within jailed environment dont work
Thread-Topic: Extended "system" attributes within jailed environment dont work
Thread-Index: AQHS/FUJC0dBeU/51EiCtJCi5MguKaJS9KKAgAAZ8QCAAAP8AIAAKHiu
Date: Fri, 14 Jul 2017 12:17:47 +0000
Message-ID: <YQBPR01MB018034F2FBD0820E508BC3F8DDAD0@YQBPR01MB0180.CANPRD01.PROD.OUTLOOK.COM>
References: <cb70e03c-4dce-a530-2cf7-daaf1d9df74f@heuristicsystems.com.au>
 <20170714075607.GQ1935@kib.kiev.ua>
 <3c08bee6-3f4e-e176-24b3-4b987188634f@heuristicsystems.com.au>,
 <20170714094314.GT1935@kib.kiev.ua>
In-Reply-To: <20170714094314.GT1935@kib.kiev.ua>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: freebsd.org; dkim=none (message not signed)
 header.d=none;freebsd.org; dmarc=none action=none header.from=uoguelph.ca;
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; YQBPR01MB0180;
 7:0B6LkB9gbf6b+2WKDeYrpcupZZGUuVtgsFOhD8GDjisVNfLAG6Ph6O3EGgkdvtEZqEF1H0+yhJAt16yV+ET6feBxEb5akTuYOo6FrAO8UhKKJEeIuy999CEk53wVyzLcDPPiDzJH4POvpDSkV19caGoYIjLlqgUoMpcYehhiMBOm37B4SJ4S1G0sPHhY+crw9Nt1Hbsz8rNMVuSqTyYZjgI1j/BL8jvw0vSWKuoX8iht07c1d2umM+HYhJatIy1Yi6xo40wwHf8peaDrKTvIEDus4uPEZ0/By38BT+dvGpiZJJOhLvX4ScHg32Oh4u08pr/r2FO/3L91oLEOlm6Lt7Cs58uBdKW5ZLfj3/Yb29DWw1e0ikmkPvn+M5vSVsOJyvNCjT9YuLOOAGpmUZ+qpHbSUAcvGZOEF/TbIqOv4Jh4Bd6ZBZK6f+EsE8Uu2kbeY3hvMnw9w7jGAYDIWD+FERS2YfuGNtq0yXRQ+kXD5JVjErzi6TmLoxuPgxTeMro+MdqETRxpjgempwymMSWvhchNkX8SxIQ/dPz80yRxywMfBa+IILDWoScUi1poX4pWDauWTqocKbKF2s2yqNovk1rdlZbEWfXXNzFUwJdV7URfDoSmQ9E0fA4c503bONttrTSWtOkY1LvlffwxIJ/Hkbza+xeL7CRmxe8YUu3ght6aqr3ERbMLur3rDB435wxC66ukpdM/IBm8QWxDTUbaHBzF2pYXu4Kz3Noo57D+iCQr6rit5dCuuDwLd/Y1jZJr577IWOWY0U/JrWEMwjCoaDdt7l4zQvSooxgXLdcMEkQ=
x-ms-office365-filtering-correlation-id: 908347c8-63e5-4d43-004d-08d4cab256c6
x-microsoft-antispam: UriScan:; BCL:0; PCL:0;
 RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);
 SRVR:YQBPR01MB0180; 
x-ms-traffictypediagnostic: YQBPR01MB0180:
x-exchange-antispam-report-test: UriScan:(133145235818549)(236129657087228)(247924648384137); 
x-microsoft-antispam-prvs: <YQBPR01MB0180A591891A964268A6D237DDAD0@YQBPR01MB0180.CANPRD01.PROD.OUTLOOK.COM>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0;
 RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(5005006)(8121501046)(2017060910075)(93006095)(93001095)(10201501046)(3002001)(100000703101)(100105400095)(6041248)(201703131423075)(201702281529075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(20161123555025)(20161123564025)(20161123562025)(20161123560025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095);
 SRVR:YQBPR01MB0180; BCL:0; PCL:0;
 RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);
 SRVR:YQBPR01MB0180; 
x-forefront-prvs: 0368E78B5B
x-forefront-antispam-report: SFV:NSPM;
 SFS:(10009020)(6009001)(39400400002)(39410400002)(39450400003)(39840400002)(24454002)(229853002)(86362001)(4326008)(189998001)(50986999)(6436002)(6506006)(93886004)(74316002)(5660300001)(305945005)(77096006)(38730400002)(6246003)(68736007)(76176999)(39060400002)(14454004)(54356999)(7696004)(55016002)(9686003)(2950100002)(53936002)(25786009)(478600001)(2906002)(33656002)(102836003)(2900100001)(3280700002)(3660700001)(81166006)(74482002)(8676002)(8936002)(192303002);
 DIR:OUT; SFP:1101; SCL:1; SRVR:YQBPR01MB0180;
 H:YQBPR01MB0180.CANPRD01.PROD.OUTLOOK.COM; FPR:; SPF:None; MLV:ovrnspm;
 PTR:InfoNoRecords; LANG:en; 
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: uoguelph.ca
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jul 2017 12:17:47.3617 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: be62a12b-2cad-49a1-a5fa-85f4f3156a7d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YQBPR01MB0180
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-stable>, 
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jul 2017 12:17:50 -0000

Konstantin Belousov wrote:
>On Fri, Jul 14, 2017 at 07:28:58PM +1000, Dewayne Geraghty wrote:
[stuff snipped]
>>
>> I suppose that the crux to the question is - why should the "system"
>> namespace not be available within a jail?
>Perhaps because system namespace (can) carry attributes which modify the
>filesystem behaviour in a way which is considered inappropriate to allow
>for jailed root. This is somewhat similar to jail security.allow_chflags
>knob, but with more unfortunate consequences.
>
>I do not claim that system namespace cannot be opened to the jailed root,
>but doing so requires a review of all implemented system ext attributes,
>across all types of filesystems.
One *hackish* way to deal with this might be to have the attribute created
within the "user" namepsace with "system." prepended to it's name when with=
in
a jail.
- That would allow SAMBA (and others) set/get attributes that they specify
  as "system namespace", but the attributes wouldn't actually be in "system=
 namespace".

Although the patch never ended up in head as yet, there was a similar issue
w.r.t. extended attribute namespace for fuse filesystems, since fuse doesn'=
t
support the notion of a namespace.

Just a suggestion. I have no strong opinion on this, rick