[PATCH] security: Use org namespace for xattrs on macOS

Daniel P. Berrangé berrange at redhat.com
Thu Oct 29 13:40:43 UTC 2020

On Thu, Oct 29, 2020 at 02:36:42PM +0100, Andrea Bolognani wrote:
> On Thu, 2020-10-29 at 12:18 +0100, Michal Privoznik wrote:
> > On 10/29/20 11:49 AM, Andrea Bolognani wrote:
> > > Assuming macOS doesn't have any root-only namespaces, can we simply
> > > compile out the feature entirely on that OS? What about other targets
> > > like Windows?
> > 
> > What do you mean by compile out? The whole security_util.c is divided
> > into two parts: the actual implementation if XATTR_NAMESPACE is set
> > (which is currently only on Linux + BSD) and stubs which do nothing but
> > report an error.
> > 
> > Then, these internal APIs are called only from the secdrivers which we 
> > don't build on Windows, do we?
> > 
> > Roman, is there any misbehaviour you're seeing? Or is this just porting 
> > the feature to macOS? I'm not against it, I just don't have anywhere to 
> > test it.
> The issue Roman is trying to address with this patch is that
> qemusecuritytest fails reporting a bunch of
>   Security Driver error : Extended attributes are not supported on
>   this system: Function not implemented
> messages.
> I'm not very familiar with security drivers but I guess the question
> is: are xattrs a critical part of the security story, without which
> no isolation is possible at all, or is it conceivable to have
> security drivers that provide some amount of protection on macOS even
> though they can't go as far as they can on Linux and FreeBSD?
> In the former case we should modify the functions dealing with them
> so that they become successful no-ops, in the latter we should
> probably do what we do on Windows and not build the security drivers
> at all on macOS.

Windows is irrelevant since none of the QEMU code builds there.

We did without xattrs in Linux for 10 years. The problem xattrs
solve is restoring the file ownership back to the original owner,
instead of hardcoding it as "root".

If xattrs can be modified by non-root user though, then use of
xattrs is a *massive* security hole you can drive a tank through
and must *not* be enabled.

|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|