attribute namespace and DAC protection on file:
- Attribute names beginning with '$' are in the system namespace
- The attribute name "$" is reserved
- System namespace attributes may only be read/set by suser()
or by kernel (cred == NULL)
- Other attribute names are in the application namespace
- The attribute name "" is reserved
- Application namespace attributes are protected in the manner
of the target file permission
o Kernel changes
- Add ufs_extattr_valid_attrname() to check whether the requested
attribute "set" or "enable" is appropriate (i.e., non-reserved)
- Modify ufs_extattr_credcheck() to accept target file vnode, not
to take inode uid
- Modify ufs_extattr_credcheck() to check namespace, then enforce
either kernel/suser for system namespace, or vaccess() for
application namespace
o EA backing file format changes
- Remove permission fields from extended attribute backing file
header
- Bump extended attribute backing file header version to 3
o Update extattrctl.c and extattrctl.8
- Remove now deprecated -r and -w arguments to initattr, as
permissions are now implicit
- (unrelated) fix error reporting and unlinking during failed
initattr to remove duplicate/inaccurate error messages, and to
only unlink if the failure wasn't in the backing file open()
Obtained from: TrustedBSD Project
argument via optarg. This corrects a segfault when initattr is invoked
with either of these two arguments. Not sure how this got broken given
that in the original patches it was fine -- presumably a merging
mistake.
Obtained from: TrustedBSD Project
o Update extattrctl.c to default new attributes to readable and writable
only by the kernel and root user. Previously the default was to allow
the file owner to directory view and manipulate the attributes, which
is probably an inappropriate default.
that space for extended attributes should be preallocated, instead of
using a sparse attribute file. NOTE: This can result in a really
large file full of zeros. However, it can prevent a low disk condition
from causing an attribute write to fail, which is good for security and
consistency attributes.
o Unlink the attribute file during initattr if an error occurs -- this is
alright, as we specify O_CREAT when opening the file.
attributes (recently committed). Using extattrctl, the extended attribute
service may be started and stopped for specific file systems; specific
attributes may be enabled or disabled, and the backing file for each
attribute configured. Also, backing files may be initialized.
Reviewed by: adrian, bp, freebsd-fs, the unthanked masses
Obtained from: TrustedBSD