[Feature Request] - enable acl for btrfs - BTRFS_FS_POSIX_ACL #793

Open
daniejstriata opened this issue Sep 9, 2024 · 3 comments

@daniejstriata

Is your feature request related to a problem? Please describe.
I am creating some mounts using btrfs to ensure that /var/log is off the root volume. I also harden access to /var/log and need acl enabled for services like chronyd to access /var/log/chronyd but the Amazon Linux default is not to enable BTRFS ACL.
[23036.735024] BTRFS error (device nvme4n1: state M): support for ACL not compiled in!

Describe the solution you'd like
Would it be possible to review and revert if the kernel can be compiled with ACLs enabled for btrfs? Enabled ACL is the default value and there was a decision made to disable a security control.

→ grep BTRFS_FS_POSIX_ACL /boot/config-$(uname -r)
# CONFIG_BTRFS_FS_POSIX_ACL is not set

/dev/nvme4n1 on /var/log type btrfs (rw,relatime,seclabel,compress=zstd:3,ssd,noacl,space_cache=v2,subvolid=259,subvol=/var_log)
/dev/nvme4n1 on /var/log/audit type btrfs (rw,relatime,seclabel,compress=zstd:3,ssd,noacl,space_cache=v2,subvolid=260,subvol=/var_log_audit)

I can't mount the volumes with ACL.

mount -o remount /var/log
mount: /var/log: mount point not mounted or bad option.

The error for instance with setfacl:
setfacl: /var/log/: Operation not supported

daniejstriata changed the title from "[Feature Request] - enable acl for BTRFS_FS_POSIX_ACL" to "[Feature Request] - enable acl for btrfs - BTRFS_FS_POSIX_ACL" on Sep 9, 2024
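
An added example, not part of the original issue or of Amazon Linux tooling: a small audit that reports the kernel's `CONFIG_BTRFS_FS_POSIX_ACL` state and lists btrfs mounts carrying `noacl`, the condition described in the post above. The function names and sample inputs are constructed for illustration, and mount points are assumed to contain no spaces.

```shell
#!/bin/sh
# Added audit example; names and sample data are assumptions, not project code.

# Read a kernel config on stdin; print "enabled", "disabled" or "absent"
# for CONFIG_BTRFS_FS_POSIX_ACL.
btrfs_acl_config_state() {
    awk '
        /^CONFIG_BTRFS_FS_POSIX_ACL=y$/            { state = "enabled" }
        /^# CONFIG_BTRFS_FS_POSIX_ACL is not set$/ { state = "disabled" }
        END { print (state == "" ? "absent" : state) }
    '
}

# Read `mount` output on stdin; print each btrfs mount point whose options
# include noacl. Line format: "<dev> on <mountpoint> type <fstype> (<opts>)".
btrfs_noacl_mounts() {
    awk '
        $2 == "on" && $4 == "type" && $5 == "btrfs" {
            opts = $6
            gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++)
                if (o[i] == "noacl") { print $3; break }
        }
    '
}

# Constructed sample inputs, modelled on the lines quoted in the issue.
# The CONFIG_BTRFS_FS=m line and the xfs mount are made up for contrast.
SAMPLE_CONFIG='CONFIG_BTRFS_FS=m
# CONFIG_BTRFS_FS_POSIX_ACL is not set'
SAMPLE_MOUNTS='/dev/nvme4n1 on /var/log type btrfs (rw,relatime,seclabel,compress=zstd:3,ssd,noacl,space_cache=v2,subvolid=259,subvol=/var_log)
/dev/nvme4n1 on /var/log/audit type btrfs (rw,relatime,seclabel,compress=zstd:3,ssd,noacl,space_cache=v2,subvolid=260,subvol=/var_log_audit)
/dev/nvme0n1p1 on / type xfs (rw,noatime,seclabel)'

echo "kernel btrfs ACL support: $(printf '%s\n' "$SAMPLE_CONFIG" | btrfs_acl_config_state)"
printf '%s\n' "$SAMPLE_MOUNTS" | btrfs_noacl_mounts | while read -r mp; do
    echo "btrfs mount without ACL enforcement: $mp"
done

# On a live host, feed the real sources instead of the samples:
#   btrfs_acl_config_state < "/boot/config-$(uname -r)"
#   mount | btrfs_noacl_mounts
```
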
@elsaco

elsaco commented Sep 9, 2024

@daniejstriata AL2023 is using XFS and it supports ACL by default. Is there any advantage in using btrfs instead of xfs, besides the I want it!?

@daniejstriata
Author

daniejstriata commented Sep 10, 2024

@elsaco I can add multiple subvolumes to one volume. I can create /home, /root, /var/log, /var/log/audit, /tmp and /var/tmp on one volume. Rather than 3. If I use XFS I have to use multiple volumes with most of the volumes more than 90% empty.
I enable compression so I get better mileage.
BTRFS is already compiled/active for the current AL2023 kernel. It's not a big ask.
I'm asking to enable ACLs for BTRFS which is already there but not configured with the default value. I want to be able to granularly configure who has access to directories on the host.

So no, I want it to improve my configuration's security.

https://btrfs.readthedocs.io/en/latest/Administration.html#mount-options
(default: on)

@bjoernd

bjoernd commented Oct 2, 2024

As AL2023 is compiled with BTRFS support, this is a fair ask. I'm relaying this to the AL kernel team. Cannot give an ETA.
