Re: [PATCH] security: Use org namespace for xattrs on macOS

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 10/29/20 6:56 PM, Andrea Bolognani wrote:
On Thu, 2020-10-29 at 15:23 +0100, Michal Privoznik wrote:
On 10/29/20 2:36 PM, Andrea Bolognani wrote:
In the former case we should modify the functions dealing with them
so that they become successful no-ops, in the latter we should
probably do what we do on Windows and not build the security drivers
at all on macOS.

At least that's my current reading of the situation :)

We should probably disable the test on non-Linux && non-BSD. But let's
wait for the answer to my question.

Based on the understanding of the situation that I've gained through
your very detailed explanations (thanks!), I would say that by doing
so we'd only be papering over the issue: when actually starting
guests on macOS, we'd still attempt to store the original owner in
xattrs and fail, right?

I don't think we would fail. My assumption is that macOS has no notion of namespaces and XATTRs can be manipulated by anybody (well, the owner of the file + root). So we would not fail but create a huge security hole. But then again, it all boils down to still unanswered question, how does macOS handle XATTRs and whether there is a namespace we can safely use.

Roman, can you chime in? We could really use your input here.

So I think on macOS we need to always behave
as if remember_owner had been set to 0 in qemu.conf.


This should be working like that already.

Michal




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux