The mystery of mac_vnode_check_getattrlist()
The mystery of mac_vnode_check_getattrlist()
- Subject: The mystery of mac_vnode_check_getattrlist()
- From: Jorgen Lundman <email@hidden>
- Date: Thu, 15 Dec 2016 11:49:22 +0900
- Dkim-filter: OpenDKIM Filter v2.10.3 mail.lundman.net D6423740C3
Hello list,
Recently we started playing around with booting on ZFS instead of HFS.
I do not think that will win me any sympathizers with people, but it is
certainly a fun experiment, and a great way to check compatibility with HFS.
So generally I have ignored everything to do with the XNU compile define
"MACF", the security layer and Sandbox.kext, since it has "just worked" in
the past. We've both been happy. However, booting ZFS has lead me down a
dark hole.
It all started with that, once you are booted, Fonts do not appear to work
correctly. With messages about LastResort font being unavailable. But
that's just the tip of the iceberg.
Load up Font Book, and click on "validate font" will return with "system
validation failed". At first I thought maybe ZFS returns some query
different to HFS, but it appears to be related to security checks.
dtracing "FontValidator" (on ZFS boot) will show;
2980/0x6fc82: getattrlist("/Users\0", 0x7FFF592A2490, 0x7FFF592A22B0,
0x128 0x5) <commonattr 0x6040A, volattr 0x0, dirattr 0x4, fileattr 0x0,
forkattr 0x0> = -1 Err#1
ATTR_CMN_DEVID,ATTR_CMN_OBJTYPE,ATTR_CMN_MODTIME,ATTR_CMN_ACCESSMASK,ATTR_CMN_FLAGS,
ATTR_DIR_MOUNTSTATUS,
which is curious. Looking at sources for XNU, the first test it does is to
call mac_vnode_check_getattrlist(). Which dtrace confirms;
0 148745 mac_vnode_check_getattrlist:return FontValidator 1
Why is it failing something so trivial as a metadata lookup on /Users? The
function is not passed much information;
mac_vnode_check_getattrlist(vfs_context_t ctx, struct vnode *vp,
struct attrlist *alist);
And the hook for it appears to be in Sandbox.kext. Not much information on
this "blackbox", and that is probably how it should be. The call itself
doesn't do much more than sb_evaluate, derive_vnode, and getpath.
However, it is interesting to note that validating a font on ZFS (boot HFS)
will work fine. So it is something specific about booting ZFS, not the
filesystem compatibility itself.
vfs_mountroot() does the same for HFS as ZFS, calls mountroot (or rather,
VFS_MOUNT if vfc_mountroot is NULL), then calls VFS_ROOT() to setup calls
to call vnode_label(); which in turn calls mac_mount_label_init()
mac_mount_label_associate().
There are no special MACF calls in the HFS sources, and NFS simply calls
mac_mount_label_init() mac_mount_label_associate() directly.
In theory, it should be initialized the same regardless of what format is
booting..
and yet I have angered Sandbox.kext somehow.
Is there some way to get more information out of
mac_vnode_check_getattrlist()? Debug logs? That vtrace call?
At the moment it is a vast problem due to the unknown nature. I'm not
entirely sure what vnode "labels" are for, or is it something wrong in the
context struct (opaque to us) or the vnode names we set? Or a hundred other
things...
Unfortunately, it seems setting security.mac.vnode_enforce = 0 no longer
disables vnode checking, so I can't confirm that this is the problem.
(Since SECURITY_MAC_CHECK_ENFORCE was added). But I assume it is since
mac_vnode_check_getattrlist() is returning failure.
I do not know if anyone has tried booting something else in the past, so I
might be alone at the front line, but perhaps there is knowledge on how to
please the security layer out there?
Lund
ps. Ever since HFS went into a kext, and all the hfs_vnop_* calls went
static, I can no longer dtrace HFS calls. (For comparison). Is this
intentional? Since the sources are released for HFS I hope maybe dtrace
hooks could be brought back...
--
Jorgen Lundman | <email@hidden>
Unix Administrator | +81 (0)90-5578-8500
Shibuya-ku, Tokyo | Japan
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Filesystem-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden