Is your feature request related to a problem? Please describe.
I am creating some mounts using btrfs to ensure that /var/log is off the root volume. I also harden access to /var/log and need acl enabled for services like chronyd to access /var/log/chronyd, but the Amazon Linux default is not to enable BTRFS ACL:
[23036.735024] BTRFS error (device nvme4n1: state M): support for ACL not compiled in!
Describe the solution you'd like
Would it be possible to review and revert if the kernel can be compiled with ACLs enabled for btrfs? Enabled ACL is the default value and there was a decision made to disable a security control.
→ grep BTRFS_FS_POSIX_ACL /boot/config-$(uname -r)
# CONFIG_BTRFS_FS_POSIX_ACL is not set
/dev/nvme4n1 on /var/log type btrfs (rw,relatime,seclabel,compress=zstd:3,ssd,noacl,space_cache=v2,subvolid=259,subvol=/var_log)
/dev/nvme4n1 on /var/log/audit type btrfs (rw,relatime,seclabel,compress=zstd:3,ssd,noacl,space_cache=v2,subvolid=260,subvol=/var_log_audit)
I can't mount the volumes with ACL.
mount -o remount /var/log
mount: /var/log: mount point not mounted or bad option.
The error for instance with setfacl:
setfacl: /var/log/: Operation not supported
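The two checks the report relies on (is `CONFIG_BTRFS_FS_POSIX_ACL` set in the running kernel's config, and does the btrfs mount carry `noacl`) can be scripted so a hardening baseline catches the gap before `setfacl` fails. The script below is an added example, not code from the issue or from Amazon Linux; it reads the kernel config and `mount` output from files so it runs against constructed samples here, and on a live host you would pass `/boot/config-$(uname -r)` and the saved output of `mount` instead. The verdict names (`ok`, `blocked`) and the `/home` and `/srv` sample mounts are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the issue or Amazon Linux): verify that a btrfs mount
# can honour POSIX ACLs by checking (1) the kernel config symbol
# CONFIG_BTRFS_FS_POSIX_ACL and (2) whether the mount carries the "noacl" option.
# Inputs are files so the functions run against the constructed samples below.

# btrfs_acl_compiled CONFIG_FILE -> prints "yes" or "no"
btrfs_acl_compiled() {
    if grep -q '^CONFIG_BTRFS_FS_POSIX_ACL=y' "$1"; then
        echo yes
    else
        echo no
    fi
}

# mount_acl_state MOUNT_OUTPUT_FILE MOUNTPOINT -> prints "acl", "noacl" or "absent"
# Parses lines in the format printed by mount(8):
#   <device> on <mountpoint> type <fstype> (<opt1>,<opt2>,...)
mount_acl_state() {
    awk -v mp="$2" '
        $3 == mp {
            found = 1
            opts = $6
            gsub(/[()]/, "", opts)
            n = split(opts, o, ",")
            state = "acl"   # no explicit noacl: ACLs honoured if the kernel supports them
            for (i = 1; i <= n; i++) if (o[i] == "noacl") state = "noacl"
            print state
            exit
        }
        END { if (!found) print "absent" }
    ' "$1"
}

# acl_verdict CONFIG_FILE MOUNT_OUTPUT_FILE MOUNTPOINT -> prints "ok" or "blocked"
# "blocked" means setfacl on MOUNTPOINT will fail with "Operation not supported"
# (either the kernel lacks the support or the mount is flagged noacl).
acl_verdict() {
    if [ "$(btrfs_acl_compiled "$1")" = "yes" ] && \
       [ "$(mount_acl_state "$2" "$3")" = "acl" ]; then
        echo ok
    else
        echo blocked
    fi
}

# --- constructed sample inputs (not captured from a real host) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Config resembling the one quoted in the issue: btrfs built, ACL support off.
CFG_NOACL="$SAMPLE_DIR/config-noacl"
cat > "$CFG_NOACL" <<'EOF'
CONFIG_BTRFS_FS=y
# CONFIG_BTRFS_FS_POSIX_ACL is not set
EOF

# Hypothetical config with ACL support enabled (the upstream default).
CFG_ACL="$SAMPLE_DIR/config-acl"
cat > "$CFG_ACL" <<'EOF'
CONFIG_BTRFS_FS=y
CONFIG_BTRFS_FS_POSIX_ACL=y
EOF

# mount(8) output: the two lines from the issue plus a constructed /home mount
# without the noacl flag.
MOUNTS="$SAMPLE_DIR/mounts"
cat > "$MOUNTS" <<'EOF'
/dev/nvme4n1 on /var/log type btrfs (rw,relatime,seclabel,compress=zstd:3,ssd,noacl,space_cache=v2,subvolid=259,subvol=/var_log)
/dev/nvme4n1 on /var/log/audit type btrfs (rw,relatime,seclabel,compress=zstd:3,ssd,noacl,space_cache=v2,subvolid=260,subvol=/var_log_audit)
/dev/nvme5n1 on /home type btrfs (rw,relatime,seclabel,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/home)
EOF

# Report each mount point against the ACL-less config from the issue.
for mp in /var/log /var/log/audit /home /srv; do
    printf '%-16s compiled=%s mount=%s verdict=%s\n' "$mp" \
        "$(btrfs_acl_compiled "$CFG_NOACL")" \
        "$(mount_acl_state "$MOUNTS" "$mp")" \
        "$(acl_verdict "$CFG_NOACL" "$MOUNTS" "$mp")"
done
```

The mount check is deliberately separate from the config check: a kernel with the symbol enabled still produces a `blocked` verdict for a volume mounted with `noacl`, which is the case a baseline audit of hardened hosts most often needs to catch.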
daniejstriata changed the title from "[Feature Request] - enable acl for BTRFS_FS_POSIX_ACL" to "[Feature Request] - enable acl for btrfs - BTRFS_FS_POSIX_ACL" on Sep 9, 2024
@elsaco I can add multiple subvolumes to one volume. I can create /home, /root, /var/log, /var/log/audit, /tmp and /var/tmp on one volume, rather than 3. If I use XFS I have to use multiple volumes, with most of the volumes more than 90% empty.
I enable compression so I get better mileage.
BTRFS is already compiled/active for the current AL2023 kernel. It's not a big ask.
I'm asking to enable ACLs for BTRFS, which is already there but not configured with the default value. I want to be able to granularly configure who has access to directories on the host.
So no, I want it to improve my configuration's security.