Re: [PATCH] security: Use org namespace for xattrs on macOS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2020-10-28 at 20:25 +0100, Michal Privoznik wrote:
> On 10/28/20 8:16 PM, Andrea Bolognani wrote:
> > On Mon, 2020-10-26 at 00:25 +0300, Roman Bolshakov wrote:
> > > +++ b/src/security/security_util.c
> > > @@ -56,6 +56,8 @@ VIR_LOG_INIT("security.security_util");
> > >   # define XATTR_NAMESPACE "trusted"
> > >   #elif defined(__FreeBSD__)
> > >   # define XATTR_NAMESPACE "system"
> > > +#elif defined(__APPLE__)
> > > +# define XATTR_NAMESPACE "org"
> > >   #endif
> > 
> > Considering that Apple uses com.apple for its own xattrs, libvirt
> > using org.libvirt makes sense to me.
> 
> One thing to consider here (and my rough googling did not help) is that 
> we need the namespace to be RW only by root. If it were writable by a 
> regular user (e.g "user." on linux) then a regular user could trick us 
> to chown() the file to whatever user they please. Is "org" (and per your 
> commit message in fact any XATTR namespace, since it doesn't look like 
> mac os has any notion of namespaces after all) writable by root only?

Yeah that's a solid point, thanks for keeping an eye on me ;)

Assuming macOS doesn't have any root-only namespaces, can we simply
compile out the feature entirely on that OS? What about other targets
like Windows?

-- 
Andrea Bolognani / Red Hat / Virtualization




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux