Re: [PATCH] security: Use org namespace for xattrs on macOS

On 10/29/20 11:49 AM, Andrea Bolognani wrote:
On Wed, 2020-10-28 at 20:25 +0100, Michal Privoznik wrote:
On 10/28/20 8:16 PM, Andrea Bolognani wrote:
On Mon, 2020-10-26 at 00:25 +0300, Roman Bolshakov wrote:
+++ b/src/security/security_util.c
@@ -56,6 +56,8 @@ VIR_LOG_INIT("security.security_util");
   # define XATTR_NAMESPACE "trusted"
   #elif defined(__FreeBSD__)
   # define XATTR_NAMESPACE "system"
+#elif defined(__APPLE__)
+# define XATTR_NAMESPACE "org"
   #endif
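
Review bot: the new `#elif defined(__APPLE__)` branch sets XATTR_NAMESPACE to "org" without anything showing that this prefix is restricted to root, which is the property the "trusted" and "system" values in the branches above are chosen for. Defining the macro at all moves macOS from the error-reporting stubs to the real implementation, so if an ordinary user can write org.* attributes, the values stored there cannot be relied on. Suggest either leaving the macro undefined on macOS until root-only access is established, or adding a comment at this branch stating what enforces it.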

Considering that Apple uses com.apple for its own xattrs, libvirt
using org.libvirt makes sense to me.

One thing to consider here (and my rough googling did not help) is that
we need the namespace to be RW only by root. If it were writable by a
regular user (e.g. "user." on Linux) then a regular user could trick us
to chown() the file to whatever user they please. Is "org" (and per your
commit message in fact any XATTR namespace, since it doesn't look like
macOS has any notion of namespaces after all) writable by root only?

Yeah that's a solid point, thanks for keeping an eye on me ;)

Assuming macOS doesn't have any root-only namespaces, can we simply
compile out the feature entirely on that OS? What about other targets
like Windows?


What do you mean by compile out? The whole security_util.c is divided into two parts: the actual implementation if XATTR_NAMESPACE is set (which is currently only on Linux + BSD) and stubs which do nothing but report an error.

Then, these internal APIs are called only from the secdrivers which we don't build on Windows, do we?

Roman, is there any misbehaviour you're seeing? Or is this just porting the feature to macOS? I'm not against it, I just don't have anywhere to test it.

Michal



