On Wed, Aug 30, 2023 at 12:01:13PM +0200, Felix Palmen wrote:
> * Dmitry Chagin <dcha...@freebsd.org> [20230830 12:22]:
> > On Wed, Aug 30, 2023 at 11:20:39AM +0200, Felix Palmen wrote:
> > > * Unprivileged user will get ENOTSUP when trying to access the system
> > >   namespace (regardless of the new jail setting), so GNU tools like e.g.
> > >   coreutils install should "just work".
> > ENOTSUP or ENODATA (getxattr)
> 
> Unfortunately, install from GNU coreutils is now unable to install
> anything again. I tried both as 'nobody' and as 'root', it doesn't make
> a difference:
> 
> | # /compat/linux/usr/bin/install -c .libs/libexpat.so.1.8.10 /wrkdirs/usr/ports/textproc/linuxsrc-expat/work/stage/compat/linux/usr/lib64/libexpat.so.1.8.10
> | /compat/linux/usr/bin/install: setting permissions for ‘/wrkdirs/usr/ports/textproc/linuxsrc-expat/work/stage/compat/linux/usr/lib64/libexpat.so.1.8.10’: Operation not permitted
> 
> .. and truss shows this again:
> 
> | linux_fsetxattr(0x4,0x401860e8,0x134dd0,0x1c,0x0) ERR#-1 'Operation not permitted'
> 
> This is without the new jail option. When I enable it, it still fails
> the same way as 'nobody' (which poudriere uses for building), but works
> fine as 'root'.
> 
> I assume the fsetxattr call needs some adjustment of error codes as well
> to make GNU tools play nice.
> 

I didn't change the setxattr syscalls, since EPERM is a valid error from them;
however, here's the essential difference between Linux and FreeBSD.
FreeBSD does not permit manipulating attributes in the
system namespace for unprivileged accounts. Well, we can return ENOTSUP,
since in Linux read and write access to the system namespace depends on the
policy implemented for each filesystem, so we'll mimic a
filesystem that prohibits this for unprivileged users.

https://people.freebsd.org/~dchagin/xattr.patch
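
The error mapping proposed in this message, as an added user-space sketch (it is not the contents of xattr.patch and not FreeBSD source). The function names, the caller model and the sample attribute name are assumptions, and host errno constants stand in for the Linux ones.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum xattr_ns { NS_USER, NS_SYSTEM, NS_OTHER };
enum outcome { APPLIED, FELL_BACK, FAILED };

/* Classify a Linux xattr name by its "namespace." prefix. */
static enum xattr_ns xattr_namespace(const char *name)
{
    const char *dot = strchr(name, '.');
    size_t len = dot ? (size_t)(dot - name) : 0;

    if (len == 4 && strncmp(name, "user", len) == 0)
        return NS_USER;
    if (len == 6 && strncmp(name, "system", len) == 0)
        return NS_SYSTEM;
    return NS_OTHER;    /* trusted, security, malformed: not modelled here */
}

/* Hypothetical helper: error the Linux caller of setxattr sees, given the
 * error from the native attribute layer (0 on success). Host errno values
 * stand in for the Linux ones. */
int setxattr_error_for_linux(const char *name, bool privileged, int native_error)
{
    /* Unprivileged write to the system namespace: report "not supported",
     * like a filesystem whose policy forbids it, instead of EPERM. */
    if (xattr_namespace(name) == NS_SYSTEM && !privileged && native_error == EPERM)
        return ENOTSUP;
    return native_error;    /* every other case passes through unchanged */
}

/* Assumed caller model: ENOTSUP means "fall back to plain mode bits",
 * any other error aborts, as EPERM does in the report above. */
enum outcome caller_outcome(int err)
{
    if (err == 0)
        return APPLIED;
    return err == ENOTSUP ? FELL_BACK : FAILED;
}

int main(void)
{
    const char *name = "system.posix_acl_access";   /* constructed sample */
    int err = setxattr_error_for_linux(name, false, EPERM);
    printf("%s -> errno %d, outcome %d\n", name, err, caller_outcome(err));
    return 0;
}
```
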


