On Sat, Mar 29, 2025 at 12:39:02PM -0700, Rick Macklem wrote: > > I had added filesystem extended attribute support to libarchive, which > > is what FreeBSD's tar(1) is based off of. I upstreamed that, so that's > > taken care of. FreeBSD's tar(1) has supported extended attributes > > since 2020 (see libarchive PR 1409: > > https://github.com/libarchive/libarchive/pull/1409) > Ok, thanks for the info. If this stuff goes into FreeBSD, it probably needs > to be tweaked to use the different syscall API so that it can handle large > attributes and maybe the attribute's mode. (someday, maybe?)
I believe libarchive has been updated in FreeBSD since October 2020, so the vendored libarchive in FreeBSD should already support it. But, yeah, if FreeBSD makes changes to how extended attributes work, I or someone else would need to update libarchive to account for that. Since HardenedBSD follows FreeBSD closely (we sync every six hours), I would probably volunteer to update the libarchive code. > > Just one data point here: HardenedBSD uses filesystem extended > > attributes to toggle certain exploit mitigations on a per-application > > basis. That's why we added support to libarchive: so we can ship > > certain packages with exploit mitigations pre-toggled. > Just curious. Does it use "system" or "user" attribute space? We use the system namespace, though the userland tool (hbsdcontrol) was recently taught about the user namespace. The kernel side only supports system namespace. So the user namespace support in hbsdcontrol is somewhat meaningless. I do plan to eventually get to the kernel side, but my TODO list continues growing. :-) Thanks, -- Shawn Webb Cofounder / Security Engineer HardenedBSD Tor-ified Signal: +1 303-901-1600 / shawn_webb_opsec.50 https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
signature.asc
Description: PGP signature
