Re: [PATCH] security: Use org namespace for xattrs on macOS

On Wed, 2020-10-28 at 20:25 +0100, Michal Privoznik wrote: > On 10/28/20 8:16 PM, Andrea Bolognani wrote: >> On Mon, 2020-10-26 at 00:25 +0300, Roman Bolshakov wrote: >>> +++ b/src/security/security_util.c >>> @@ -56,6 +56,8 @@ VIR_LOG_INIT("security.security_util"); >>> # define XATTR_NAMESPACE "trusted" >>> #elif defined(__FreeBSD__) >>> # define XATTR_NAMESPACE "system" >>> +#elif defined(__APPLE__) >>> +# define XATTR_NAMESPACE "org" >>> #endif >> >> Considering that Apple uses com.apple for its own xattrs, libvirt >> using org.libvirt makes sense to me. > > One thing to consider here (and my rough googling did not help) is that > we need the namespace to be RW only by root. If it were writable by a > regular user (e.g "user." on linux) then a regular user could trick us > to chown() the file to whatever user they please. Is "org" (and per your > commit message in fact any XATTR namespace, since it doesn't look like > mac os has any notion of namespaces after all) writable by root only? Yeah that's a solid point, thanks for keeping an eye on me ;) Assuming macOS doesn't have any root-only namespaces, can we simply compile out the feature entirely on that OS? What about other targets like Windows?