On 2023-08-28 05:17, Alexander Leidinger wrote:
Am 2023-08-28 13:06, schrieb Dmitry Chagin:
On Sun, Aug 27, 2023 at 09:55:23PM +0200, Felix Palmen wrote:
* Dmitry Chagin <dcha...@freebsd.org> [20230827 22:46]:

> I can fix this completely disabling extattr for jailed proc,
> however, it's gonna be bullshit, though

Would probably be better than nothing. AFAIK, "Linux jails" are used a
lot, probably with userlands from distributions actually using xattr.


It might make sense to allow this priv (PRIV_VFS_EXTATTR_SYSTEM) for linux
jails by default? What do you think, James?

I think the question is more if we want to allow it in jails (not
specific to linux jails, as in: if it is ok for linux jails, it should
be ok for FreeBSD jails too). So the question is what does this
protect the hosts from, if this is not allowed in jails? Some kind of
possibility to DoS the host?

It's definitely an any-jail question, as there's no kernel-level idea
of a Linux jail, in that any jail on a system with the linux module
loaded can run whatever Linux binaries may exist.

- Jamie
