Re: [PATCH] security: Use org namespace for xattrs on macOS

On 10/29/20 2:36 PM, Andrea Bolognani wrote: > On Thu, 2020-10-29 at 12:18 +0100, Michal Privoznik wrote: > > I'm not very familiar with security drivers but I guess the question > is: are xattrs a critical part of the security story, without which > no isolation is possible at all, or is it conceivable to have > security drivers that provide some amount of protection on macOS even > though they can't go as far as they can on Linux and FreeBSD? The way seclabel remmebering works is whenever libvirt wants to chown()/setfilecon() the current owner/SELinux label is recorded into XATTRs [1] and then on restore we look into these XATTRs and restore to the owner stored there. With this it is easy to see that if XATTRs were editable by a regular user it is very simple to trick libvirt into changing the owner of a file. As easy as: 1) start a vm with /etc/shadow as a disk

2) modify XATTRs so that the original owner recorded is "michal:michal" 3) kill the vm 4) profit Now, in Linux and BSD XATTRs must have a prefix. In Linux there are four: * user - can be modified by anybody, * system - used by ACLs * security - used by SELinux * trusted - accessibly by CAP_SYS_ADMIN processes only and in BSD there are only two: * user - can be modified by anybody, * system - accessible by CAP_SYS_ADMIN processes only That is why on linux we use "trusted" and on BSD we use "system". Therefore, on any new system we must use something equivalent. What is the equivalent on macOS? Does it even have namespaces (as in a subset that is modifiable only by a CAP_SYS_ADMIN process)?