
Commit f8f7b4f

milantracy authored and gvisor-bot committed
Make setting security.capability attribute a no-op in tmpfs.
PiperOrigin-RevId: 742832245
1 parent 6b2bcc4 commit f8f7b4f


3 files changed

+18
-2
lines changed


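--- a/pkg/sentry/fsimpl/overlay/filesystem.go
+++ b/pkg/sentry/fsimpl/overlay/filesystem.go
@@ -1825,6 +1825,11 @@ func (fs *filesystem) SetXattrAt(ctx context.Context, rp *vfs.ResolvingPath, opt
 
 // Precondition: fs.renameMu must be locked.
 func (fs *filesystem) setXattrLocked(ctx context.Context, d *dentry, mnt *vfs.Mount, creds *auth.Credentials, opts *vfs.SetXattrOptions) error {
+if strings.HasPrefix(opts.Name, linux.XATTR_SECURITY_PREFIX) {
+// TODO(b/301323819): support security extended attributes in overlayfs.
+// Setting security extended attributes in overlayfs is a no-op.
+return nil
+}
 if err := d.checkXattrPermissions(creds, opts.Name, vfs.MayWrite); err != nil {
 return err
 }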
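Review bot: The new early return for `security.*` names sits before `d.checkXattrPermissions(creds, opts.Name, vfs.MayWrite)`, so any caller, whatever its ownership or capabilities, now receives success for setting a security xattr on any file while nothing is stored; on Linux an unprivileged setxattr of security.capability is refused with EPERM, and a tool like setcap will now report success and then read back nothing. Keeping the no-op but placing it after the permission check preserves the caller-visible error behavior: run the check first, then `if strings.HasPrefix(opts.Name, linux.XATTR_SECURITY_PREFIX) { return nil }`. The commit title speaks of security.capability only, but the prefix match silently drops the whole `security.` namespace (selinux, ima, evm and so on) and also keeps the request from ever reaching the upper layer, which may itself support these attributes; if that breadth is intended the comment should say so, otherwise match the exact attribute name. setXattrLocked continues past the end of the hunk.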

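--- a/pkg/sentry/fsimpl/tmpfs/tmpfs.go
+++ b/pkg/sentry/fsimpl/tmpfs/tmpfs.go
@@ -870,6 +870,11 @@ func (i *inode) setXattr(creds *auth.Credentials, opts *vfs.SetXattrOptions) err
 if err := i.checkXattrPrefix(opts.Name); err != nil {
 return err
 }
+if strings.HasPrefix(opts.Name, linux.XATTR_SECURITY_PREFIX) {
+// TODO(b/301323819): support security extended attributes in tmpfs.
+// Setting security extended attributes in tmpfs is a no-op.
+return nil
+}
 mode := linux.FileMode(i.mode.Load())
 kuid := auth.KUID(i.uid.Load())
 kgid := auth.KGID(i.gid.Load())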
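Review bot: The no-op return is inserted before the `mode`/`kuid`/`kgid` lines that feed the ownership and permission check, so a process that neither owns the file nor holds CAP_SETFCAP now gets success from setxattr on any `security.*` name while the value is silently discarded; only `checkXattrPrefix` still runs, so the reported result diverges from Linux, where such a call fails with EPERM. I would keep the permission check ahead of the shortcut and return nil only once it has passed, so that the no-op is invisible to callers except for the later ENODATA on read-back. The comment should also state the observable consequence, since it is a security-relevant behavior change: `// Security xattrs (including file capabilities) are accepted but never stored, so a later getxattr returns ENODATA and binaries installed into tmpfs do not gain file capabilities.` setXattr continues past the end of the hunk.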

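--- a/test/syscalls/linux/xattr.cc
+++ b/test/syscalls/linux/xattr.cc
@@ -111,8 +111,14 @@ TEST_F(XattrTest, SecurityCapacityXattr) {
 const char* path = test_file_name_.c_str();
 const char name[] = "security.capacity";
 const std::string val = "";
-EXPECT_THAT(lsetxattr(path, name, &val, val.size(), 0),
-SyscallFailsWithErrno(EOPNOTSUPP));
+if (ASSERT_NO_ERRNO_AND_VALUE(IsTmpfs(test_file_name_)) ||
+ASSERT_NO_ERRNO_AND_VALUE(IsOverlayfs(test_file_name_))) {
+EXPECT_THAT(lsetxattr(path, name, &val, val.size(), 0), SyscallSucceeds());
+} else {
+EXPECT_THAT(lsetxattr(path, name, &val, val.size(), 0),
+SyscallFailsWithErrno(EOPNOTSUPP));
+}
+
 int buf = 0;
 EXPECT_THAT(lgetxattr(path, name, &buf, /*size=*/128),
 SyscallFailsWithErrno(AnyOf(ENODATA, EOPNOTSUPP)));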
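Review bot: The attribute on the `name` line is `"security.capacity"`, not `"security.capability"`, so the new tmpfs/overlayfs branch passes only because the sentry matches on the `security.` prefix and never exercises the file-capability attribute the commit title names; change it to `const char name[] = "security.capability";` (and the test name) so the case survives a later switch to an exact-name match. The new branch also only shows that a successful set is followed by a failing get; it does not cover a non-owning, unprivileged caller, which Linux refuses with EPERM and which the no-op now accepts, so a second case running under dropped capabilities would pin that divergence or catch it. Separately, the read-back on the context lines passes `/*size=*/128` with a 4-byte `int buf`, which would overflow the moment the get ever succeeded; `char buf[128]` is the safe form. The test body continues past the end of the hunk.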
