Konstantin Belousov wrote:
>On Fri, Jul 14, 2017 at 07:28:58PM +1000, Dewayne Geraghty wrote:
[stuff snipped]
>>
>> I suppose that the crux to the question is - why should the "system"
>> namespace not be available within a jail?
>Perhaps because system namespace (can) carry attributes which modify the
>filesystem behaviour in a way which is considered inappropriate to allow
>for jailed root. This is somewhat similar to jail security.allow_chflags
>knob, but with more unfortunate consequences.
>
>I do not claim that system namespace cannot be opened to the jailed root,
>but doing so requires a review of all implemented system ext attributes,
>across all types of filesystems.
One *hackish* way to deal with this might be to have the attribute created
within the "user" namespace with "system." prepended to its name when within
a jail.
- That would allow SAMBA (and others) to set/get attributes that they specify
  as "system namespace", but the attributes wouldn't actually be in "system
  namespace".

Although the patch never ended up in head as yet, there was a similar issue
w.r.t. extended attribute namespace for fuse filesystems, since fuse doesn't
support the notion of a namespace.

Just a suggestion. I have no strong opinion on this, rick
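
The remapping suggested above, as an added sketch that is not part of the original message or of FreeBSD: a jailed request for the "system" namespace is stored in "user" under a "system." prefix. The helper names, the 255-byte name limit and the sample attribute names are assumptions; the second function flags the case where a jailed "user" request already carries the prefix and would land on the same stored key.

```c
#include <stdio.h>
#include <string.h>

/* Namespace numbers as in FreeBSD's <sys/extattr.h>, defined locally
 * so the sketch builds on any system. */
#define EXTATTR_NAMESPACE_USER   1
#define EXTATTR_NAMESPACE_SYSTEM 2
#define ATTR_NAME_MAX            255        /* assumed name length limit */
#define JAIL_SYS_PREFIX          "system."  /* prefix proposed in the mail */

/* Hypothetical helper: translate the (namespace, name) a caller asked for
 * into the pair that would actually be stored. Returns 0, or -1 when the
 * name is empty or the result does not fit. */
int
jail_remap_extattr(int jailed, int ns, const char *name,
    int *out_ns, char *out, size_t outlen)
{
	int n;

	if (name == NULL || name[0] == '\0')
		return (-1);
	if (jailed && ns == EXTATTR_NAMESPACE_SYSTEM) {
		/* Jailed "system" request: store in "user", prefixed. */
		n = snprintf(out, outlen, JAIL_SYS_PREFIX "%s", name);
		*out_ns = EXTATTR_NAMESPACE_USER;
	} else {
		/* Host callers and other namespaces pass through unchanged. */
		n = snprintf(out, outlen, "%s", name);
		*out_ns = ns;
	}
	if (n < 0 || (size_t)n >= outlen || n > ATTR_NAME_MAX)
		return (-1);
	return (0);
}

/* Hypothetical check: a jailed "user" request whose name already starts
 * with the prefix would share a stored key with a remapped "system"
 * attribute, so the two could no longer be told apart. Returns 1 then. */
int
jail_user_name_reserved(int jailed, int ns, const char *name)
{
	return (jailed && ns == EXTATTR_NAMESPACE_USER &&
	    strncmp(name, JAIL_SYS_PREFIX, strlen(JAIL_SYS_PREFIX)) == 0);
}
```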
