Dewayne Geraghty
2017-Jul-14 03:53 UTC
Extended "system" attributes within jailed environment don't work
Can someone advise how I can enable extended attributes in a "system" namespace within a jailed (or bhyve) environment? There was no guidance in "man jail" nor "man jail.conf".

Simple test
From the host or base system:
# touch /a ; setextattr user t1 first /a ; getextattr user t1 /a
/a first
# touch /a ; setextattr system t2 second /a ; getextattr system t2 /a
/a second

Within a jail:
# touch /a ; setextattr user t1 first /a ; getextattr user t1 /a
/a first
# touch /a ; setextattr system t2 second /a ; getextattr system t2 /a
setextattr: /a: failed: Operation not permitted
getextattr: /a: failed: Operation not permitted

The impact of this is that SAMBA after 4.3 uses "system" namespace extended attributes; hence can not provision an Active Directory within a jailed environment. (For the inclined, this affects sysvol, and interestingly "rsync -x" is unable to copy extended attributes, so having consistent sysvols across a SAMBA domain may be a challenge)

Regards, Dewayne.
Konstantin Belousov
2017-Jul-14 07:56 UTC
Extended "system" attributes within jailed environment don't work
On Fri, Jul 14, 2017 at 01:53:40PM +1000, Dewayne Geraghty wrote:
> Can someone advise how I can enable extended attributes in a "system"
> namespace within a jailed (or bhyve) environment? There was no guidance
> in "man jail" nor "man jail.conf".

Mentioning jails and bhyve in a single sentence clearly indicates serious issues with understanding either feature.

>
> Simple test
> From the host or base system:
> # touch /a ; setextattr user t1 first /a ; getextattr user t1 /a
> /a first
> # touch /a ; setextattr system t2 second /a ; getextattr system t2 /a
> /a second
>
> Within a jail:
> # touch /a ; setextattr user t1 first /a ; getextattr user t1 /a
> /a first
> # touch /a ; setextattr system t2 second /a ; getextattr system t2 /a
> setextattr: /a: failed: Operation not permitted
> getextattr: /a: failed: Operation not permitted
>
> The impact of this is that SAMBA after 4.3 uses "system" namespace
> extended attributes; hence can not provision an Active Directory within
> a jailed environment. (For the inclined, this affects sysvol, and
> interestingly "rsync -x" is unable to copy extended attributes, so
> having consistent sysvols across a SAMBA domain may be a challenge)

System namespace access is not allowed for jailed processes by design. See sys/kern/vfs_subr.c:extattr_check_cred() and a comment there explicitly mentioning the behaviour. The behaviour predates ~ year 2002, where extended attributes were introduced, and it makes sense.
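
A simplified userland model of the namespace check described in the reply above, added here as an example; it is not the FreeBSD source and not code from either poster. The struct and function names are hypothetical, and the rule that system-namespace access is refused to any jailed credential is taken from the statement in the thread.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Namespace numbers as defined in FreeBSD's <sys/extattr.h>. */
#define EXTATTR_NAMESPACE_USER   1
#define EXTATTR_NAMESPACE_SYSTEM 2

/* Hypothetical stand-in for a kernel credential. */
struct model_cred {
    unsigned uid;   /* effective uid, 0 = root */
    bool jailed;    /* process runs inside a jail */
};

/* Assumed privilege rule: system namespace needs root outside any jail. */
static int model_priv_extattr_system(const struct model_cred *cred)
{
    return (cred->uid == 0 && !cred->jailed) ? 0 : EPERM;
}

/* file_access_ok models the ordinary permission check on the file. */
int model_extattr_check(const struct model_cred *cred, int attrnamespace,
                        bool file_access_ok)
{
    if (cred == NULL)               /* kernel-originated request */
        return 0;
    switch (attrnamespace) {
    case EXTATTR_NAMESPACE_SYSTEM:  /* privilege only, file mode is irrelevant */
        return model_priv_extattr_system(cred);
    case EXTATTR_NAMESPACE_USER:    /* plain file permissions decide */
        return file_access_ok ? 0 : EACCES;
    default:
        return EPERM;
    }
}

int main(void)
{
    const struct model_cred host_root = { 0, false }, jail_root = { 0, true };
    printf("host user   -> %d\n", model_extattr_check(&host_root, EXTATTR_NAMESPACE_USER, true));
    printf("host system -> %d\n", model_extattr_check(&host_root, EXTATTR_NAMESPACE_SYSTEM, true));
    printf("jail user   -> %d\n", model_extattr_check(&jail_root, EXTATTR_NAMESPACE_USER, true));
    printf("jail system -> %d (EPERM=%d)\n",
           model_extattr_check(&jail_root, EXTATTR_NAMESPACE_SYSTEM, true), EPERM);
    return 0;
}
```

The four printed cases mirror the four commands in the test from the original post: only the jailed system-namespace request returns EPERM, which setextattr and getextattr report as "Operation not permitted".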