OpenZFS on OS X

[Arne]

Copying a file with finder from hfs to zfs (2.2.0) it has an extended attribute that is unknown to google or chatGPT.

com.apple.system.Security

Code: Select all

[~]$ ls -al@ /Volumes/zfs/sa
total 3462
drwxr-xr-x@ 5 arne  staff        6 22 Nov 14:24 .
   com.apple.FinderInfo        32
drwxr-xr-x@ 6 arne  wheel        7 22 Nov 13:52 ..
   com.apple.FinderInfo        32
drwx------  4 arne  staff        5 18 Nov 12:22 .Spotlight-V100
-rw-r--r--  1 arne  staff  1753264 18 Nov 12:22 .VolumeIcon.icns
drwx------  2 arne  staff        3 18 Nov 12:22 .fseventsd
drwxr-xr-x@ 3 arne  staff        3 21 Sep  2018 Mounty.app
   com.apple.system.Security        -1

[~]$ sudo xattr -l /Volumes/zfs/sa/Mounty.app
com.apple.system.Security:
00000000  01 2C C1 6D 00 00 00 00 00 00 00 00 00 00 00 00  |.,.m............|
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00                                      |....|
00000024

I cannot delete it.
And rsync complains that it cannot set it on the target when I try to copy such a file/folder.
I can only copy it with rsync when I don't copy xattr at all ("rsync -a" instead of "rsync -Xa") or setting a filter ("rsync -Xa ... -f '-x com.apple.system.Security').

When I copy it with finder back from zfs to hfs the extended attribute is gone.

So either I don't copy something with finder from hfs to zfs or I live with the risk of a complaing rsync in the future.

With 1.9.4 finder did not set this extended attribute.

[lundman]

./bsd/sys/kauth.h:#define KAUTH_FILESEC_XATTR "com.apple.system.Security"

But hmm well, we call xnu and ask if we should hide it, so it is surprising it doesn't. I wonder if I
accidentally ask if we should hide "macOS:com.apple.system.Security". This is controlled by the xattr_compat setting.

Access is controlled by xnu;

* get: root and tasks with FILESEC_ACCESS_ENTITLEMENT.
* set: only tasks with FILESEC_ACCESS_ENTITLEMENT.

and delete:

if ((facl->acl_entrycount == KAUTH_FILESEC_NOACL) &&
kauth_guid_equal(&fsec->fsec_owner, &kauth_null_guid) &&
kauth_guid_equal(&fsec->fsec_group, &kauth_null_guid)) {
error = vn_removexattr(vp, KAUTH_FILESEC_XATTR, XATTR_NOSECURITY, ctx);
/* no attribute is ok, nothing to delete */

[Arne]

Setting compat=1 solved the problem.

Finder copy does not set com.apple.system.Security anymore when copying a file from hfs to zfs.

[lundman]

Ah thanks for chasing that down, I will add it to my list of curiosities - in case one day I get a chance to look at that