With the recent #OpenZFS import into #FreeBSD main, Solaris-style named attributes are now supported. This means, for #ZFS datasets configured for this new feature, developers would call open(2) to open the named attribute (aka, filesystem extended attribute) as a file descriptor. One can use normal syscalls like read(2), write(2), lseek(2), etc. to interact with the attribute.
This provides a unique avenue for stealthy code injection techniques. By combining Solaris-style named attributes with fdlopen(3), attackers can inject shared objects that are difficult to inspect via normal methods.
We have mitigated this kind of technique in #HardenedBSD by hardening the RTLD, teaching it to disallow any attempt to call fdlopen(3) on a named attribute file descriptor: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/4fec880a91e389a5bf6d5849c2b27e0f31a7d3ed
The FreeBSD commit that introduced the plumbing for Solaris-style named attributes: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/2ec2ba7e232dd126df0617194fd07be78c7a2ab9
The FreeBSD commit merging in the latest OpenZFS code with the Solaris-style named attribute feature implemented: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/df58e8b1506f241670be86a560fb6e8432043aee