Bug 273517 - [Linuxulator]: getxattr EPERM for non-root users inside chroots
Summary: [Linuxulator]: getxattr EPERM for non-root users inside chroots
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 14.0-CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Dmitry Chagin
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-09-02 10:16 UTC by Joe Mullally
Modified: 2023-09-17 16:40 UTC (History)

See Also:


Description Joe Mullally 2023-09-02 10:16:43 UTC
Hi,

## Summary:
It seems that on FreeBSD 14.0-ALPHA3 for non-root users in Linux chroots, getxattr returns EPERM which causes some coreutils commands to fail (e.g. cp -a), whereas on FreeBSD 13.1 getxattr simply returned EOPNOTSUPP which lets the tools skip that step and continue successfully.

It might be the same issue as https://lists.freebsd.org/archives/freebsd-current/2023-August/004433.html "Possible issue with linux xattr support?"

## Example impact:
"apt update" failing in a fresh debootstrap due to a "cp -a" failure in the apt-key script, which runs as another user "_apt". This works OK on FreeBSD 13.1. (See https://forums.freebsd.org/threads/debian-12-bookworm-jail-encounters-gpg-error-in-freebsd-14-0.90093/#post-620794 for more details.)


## Steps to reproduce:

### On a fresh FreeBSD install, where the /root home directory is on a UFS partition
pkg install sysutils/debootstrap
kldload linux64 fdescfs linprocfs linsysfs tmpfs
service linux onestart
cd /root
mkdir debian_build
cd debian_build
mkdir dev dev/fd dev/shm proc sys tmp
mount -t linprocfs none `pwd`/proc
mount -t devfs none `pwd`/dev
mount -t fdescfs none `pwd`/dev/fd
mount -t tmpfs none `pwd`/dev/shm
mount -t linsysfs none `pwd`/sys
mount -t tmpfs none `pwd`/tmp
chmod 1777 dev/shm tmp
debootstrap bullseye . http://deb.debian.org/debian
chroot . /bin/bash

### Inside the chroot
adduser --disabled-password --gecos "" someguy
su someguy
cd /home/someguy

### Comparing cp -a / cp --preserve=mode on both FreeBSD 13 and 14

someguy@freebsd14:~$ uname -a
FreeBSD freebsd14 14.0-ALPHA3 FreeBSD 14.0-ALPHA3 amd64 1400097 #0 stable/14-n265022-2af9390e54ed: Fri Aug 25 05:45:56 UTC 2023     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64

someguy@freebsd13:~$ strace cp --preserve=mode hello hello2
fgetxattr(3, "system.posix_acl_access", 0x7fffffffdcc0, 132) = -1 EOPNOTSUPP (Operation not supported)
fsetxattr(4, "system.posix_acl_access", "\2\0\0\0\1\0\6\0\377\377\377\377\4\0\4\0\377\377\377\377 \0\4\0\377\377\377\377", 28, 0) = -1 EOPNOTSUPP (Operation not supported)
+++ exited with 0 +++

someguy@freebsd14:~$ strace cp --preserve=mode hello hello2
fgetxattr(3, "system.posix_acl_access", 0x7fffffffbd30, 132) = -1 EPERM (Operation not permitted)
+++ exited with 1 +++

### ls -l fails on FreeBSD 14

someguy@freebsd14:~$ ls -l
ls: hello: Operation not permitted
ls: hello2: Operation not permitted
total 0K
-rw-r--r-- 1 someguy someguy    0 Sep  1 20:11 hello
-rw-r--r-- 1 someguy someguy    0 Sep  1 21:14 hello2

someguy@freebsd14:~$ strace ls -l 2>&1 | grep getxattr
getxattr("hello", "system.posix_acl_access", NULL, 0) = -1 EPERM (Operation not permitted)
getxattr("hello2", "system.posix_acl_access", NULL, 0) = -1 EPERM (Operation not permitted)


### apt update apt-key failure:
root@freebsd14:/# ps auxfww
root       949  0.0  0.1  13404  2964 ?        Ss   15:39   0:00 login [pam]
root       950  0.0  0.1  13368  3152 ?        S    15:39   0:01  \_ -sh
root     25160  0.0  0.2   6036  4400 ?        S    18:11   0:03      \_ /bin/bash
root     26053  0.0  0.5  14720 11140 ?        T    18:25   0:00          \_ apt -oAPT::Status-Fd=1 -oDebug::Acquire::gpgv=1 update
_apt     26056  0.0  0.7  20448 14932 ?        T    18:25   0:00          |   \_ /usr/lib/apt/methods/http
_apt     26058  0.0  0.4  13884  9832 ?        T    18:25   0:00          |   \_ /usr/lib/apt/methods/gpgv
_apt     26059  0.0  0.4  14140  9944 ?        T    18:25   0:00          |       \_ /usr/lib/apt/methods/gpgv
_apt     26060  0.0  0.0   2464  1652 ?        T    18:25   0:00          |           \_ /bin/sh /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.OO1MDD /tmp/apt.data.FtsGdD
_apt     26061  0.0  0.0   2376  1552 ?        T    18:25   0:00          |               \_ sleep 3600

root@freebsd14:~# su _apt -s /bin/dash
$ id
uid=100(_apt) gid=65534(nogroup) groups=65534(nogroup)

_apt@freebsd14:/$ /bin/sh -x /usr/bin/apt-key --quiet --readonly verify --status-fd 1 /tmp/apt.sig.OO1MDD /tmp/apt.data.FtsGdD
# ...
+ ls -la /tmp/apt-key-gpghome.ptBlRcbxDY
ls: /tmp/apt-key-gpghome.ptBlRcbxDY: Operation not permitted
ls: /tmp/apt-key-gpghome.ptBlRcbxDY/.: Operation not permitted
ls: /tmp/apt-key-gpghome.ptBlRcbxDY/..: Operation not permitted
ls: /tmp/apt-key-gpghome.ptBlRcbxDY/pubring.gpg: Operation not permitted
total 56K
drwx------ 2 _apt root    64 Sep  1 19:41 .
drwxrwxrwt 3 root root   256 Sep  1 19:41 ..
-rw-r--r-- 1 _apt root 56156 Sep  1 19:41 pubring.gpg
+ cp -a /tmp/apt-key-gpghome.ptBlRcbxDY/pubring.gpg /tmp/apt-key-gpghome.ptBlRcbxDY/pubring.orig.gpg
cp: ‘/tmp/apt-key-gpghome.ptBlRcbxDY/pubring.gpg’: Operation not permitted
Comment 1 Dmitry Chagin freebsd_committer freebsd_triage 2023-09-02 11:40:02 UTC
This has already been fixed by https://cgit.freebsd.org/src/commit/?id=1bfc4574f78653e4b64ac9dd31518c96a17fe52b
Will be merged to stable/14 in a week's time
Comment 2 Joe Mullally 2023-09-08 10:33:00 UTC
Confirmed working without issue on latest FreeBSD 15.0-CURRENT build:

root@freebsd15:~ # uname -a
FreeBSD freebsd15 15.0-CURRENT FreeBSD 15.0-CURRENT amd64 1500000 #0 main-n265205-03a7c36ddbc0: Thu Sep  7 03:10:34 UTC 2023     root@releng3.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
root@freebsd15:~ # debootstrap bullseye debian_build http://deb.debian.org/debian
root@freebsd15:~ # chroot debian_build /bin/bash

root@freebsd15:/# apt update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian bullseye/main amd64 Packages [8183 kB]
Get:3 http://deb.debian.org/debian bullseye/main Translation-en [6240 kB]
Fetched 14.5 MB in 5s (2821 kB/s)                                
Reading package lists... Done
Building dependency tree... Done
All packages are up to date.

root@freebsd15:/# su someguy
someguy@freebsd15:~$ strace cp --preserve=mode hello hello2 2>&1 | grep xattr
fgetxattr(3, "system.posix_acl_access", 0x7fffffffbd30, 132) = -1 ENODATA (No data available)
fsetxattr(4, "system.posix_acl_access", "\2\0\0\0\1\0\6\0\377\377\377\377\4\0\4\0\377\377\377\377 \0\4\0\377\377\377\377", 28, 0) = -1 EOPNOTSUPP (Operation not supported)
+++ exited with 0 +++
Comment 3 commit-hook freebsd_committer freebsd_triage 2023-09-11 12:00:46 UTC
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a9b8a0ced46efe72ec118a749d191b29ce47712b

commit a9b8a0ced46efe72ec118a749d191b29ce47712b
Author:     Dmitry Chagin <dchagin@FreeBSD.org>
AuthorDate: 2023-09-01 08:10:12 +0000
Commit:     Dmitry Chagin <dchagin@FreeBSD.org>
CommitDate: 2023-09-11 11:58:50 +0000

    linux(4): Return ENODATA from getxattr syscalls instead of EPERM

    On Linux ENODATA means the named attribute does not exist, or the
    process has no access to this attribute.

    Reported by:            zirias
    PR:                     273517
    Tested by:              zirias
    MFC after:              1 week

    (cherry picked from commit 4d59b790553ef75b9a4b6a673eab3354f3d012b3)

 sys/compat/linux/linux_xattr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 commit-hook freebsd_committer freebsd_triage 2023-09-12 16:44:26 UTC
A commit in branch releng/14.0 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=01d9f0eebf8dceddc465fecac919c1e9d7a586a2

commit 01d9f0eebf8dceddc465fecac919c1e9d7a586a2
Author:     Dmitry Chagin <dchagin@FreeBSD.org>
AuthorDate: 2023-09-01 08:10:12 +0000
Commit:     Dmitry Chagin <dchagin@FreeBSD.org>
CommitDate: 2023-09-12 16:42:31 +0000

    linux(4): Return ENODATA from getxattr syscalls instead of EPERM

    On Linux ENODATA means the named attribute does not exist, or the
    process has no access to this attribute.

    Approved by:            re (gjb)
    Reported by:            zirias
    PR:                     273517
    Tested by:              zirias
    MFC after:              1 week

    (cherry picked from commit 4d59b790553ef75b9a4b6a673eab3354f3d012b3)
    (cherry picked from commit a9b8a0ced46efe72ec118a749d191b29ce47712b)

 sys/compat/linux/linux_xattr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
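The strace output in the report and the commit message above turn on one distinction: userland tools such as cp --preserve=mode and ls -l treat EOPNOTSUPP and ENODATA from getxattr(2) as "this file has no ACL, carry on", but treat EPERM as a hard error, which is why the Linuxulator returning EPERM broke apt-key. The following C program is an added illustration of that tool-side logic; it is not code from this bug report, from coreutils, or from the FreeBSD source tree. It assumes the Linux getxattr(2)/setxattr(2) API from <sys/xattr.h> (so it is meant to be compiled on Linux, or inside a Linux chroot like the one in the report), and the function names, the temporary file paths and the no-ACL test files are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

/* The attribute cp --preserve=mode and ls -l asked for in the strace output. */
#define ACL_XATTR "system.posix_acl_access"

/* Classify a getxattr(2)/setxattr(2) errno. A benign error means "this file has
 * no such attribute, or the filesystem cannot store it", so a tool may carry on
 * without the ACL. EOPNOTSUPP (FreeBSD 13.1) and ENODATA (after the fix) are
 * benign; EPERM (FreeBSD 14.0-ALPHA3) is not, which is why cp -a and ls -l failed. */
int xattr_error_is_benign(int err)
{
    return err == ENODATA || err == ENOTSUP || err == EOPNOTSUPP;
}

/* Copy the ACL attribute from src_fd to dst_fd the way cp --preserve=mode does.
 * Returns 0 on success, including the "nothing to copy" case, and -1 with errno
 * set when the source or destination reports a hard error such as EPERM.
 * (Hypothetical helper written for this example.) */
int copy_acl_xattr(int src_fd, int dst_fd)
{
    /* First call with a zero-length buffer to learn the attribute size. */
    ssize_t size = fgetxattr(src_fd, ACL_XATTR, NULL, 0);
    if (size < 0)
        return xattr_error_is_benign(errno) ? 0 : -1;
    if (size == 0)
        return 0;                     /* empty attribute: nothing to carry over */

    char *buf = malloc((size_t)size);
    if (buf == NULL)
        return -1;
    ssize_t n = fgetxattr(src_fd, ACL_XATTR, buf, (size_t)size);
    if (n < 0) {
        int err = errno;
        free(buf);
        errno = err;
        return xattr_error_is_benign(err) ? 0 : -1;
    }

    int rc = 0;
    if (fsetxattr(dst_fd, ACL_XATTR, buf, (size_t)n, 0) < 0 &&
        !xattr_error_is_benign(errno))
        rc = -1;                      /* e.g. EPERM on the destination side */
    int saved = errno;
    free(buf);
    errno = saved;
    return rc;
}

/* Constructed scenario: two fresh temporary files with no ACL set, like "hello"
 * and "hello2" in the report. On a Linux filesystem the source lookup yields
 * ENODATA (or ENOTSUP where xattrs are unsupported) and the copy must succeed.
 * Returns copy_acl_xattr's result, or -1 if the files could not be created. */
int demo_copy_without_acl(void)
{
    char src[] = "/tmp/acl-src-XXXXXX", dst[] = "/tmp/acl-dst-XXXXXX";
    int sfd = mkstemp(src);
    if (sfd < 0)
        return -1;
    int dfd = mkstemp(dst);
    if (dfd < 0) {
        close(sfd);
        unlink(src);
        return -1;
    }
    int rc = copy_acl_xattr(sfd, dfd);
    close(sfd);
    close(dfd);
    unlink(src);
    unlink(dst);
    return rc;
}

int main(void)
{
    int rc = demo_copy_without_acl();
    printf("copy without ACL: %s\n",
           rc == 0 ? "ok (no ACL to copy)" : strerror(errno));
    return rc == 0 ? 0 : 1;
}
```

Run under the Linuxulator before the fix, the first fgetxattr in copy_acl_xattr would see EPERM and the copy would be reported as failed, matching the "exited with 1" trace in the report; after the fix it sees ENODATA and the copy completes, matching Comment 2. The same classification is what makes a kernel's choice of errno a compatibility decision rather than a cosmetic one: any value outside the benign set turns every unprivileged copy or listing into a hard failure.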