From f8f7b4f74997b4c17960d35a2ba3451cd05cf03c Mon Sep 17 00:00:00 2001
From: Jing Chen <chjing@google.com>
Date: Tue, 1 Apr 2025 14:03:03 -0700
Subject: [PATCH] Make setting security.capability attribute a no-op in tmpfs.

PiperOrigin-RevId: 742832245
---
 pkg/sentry/fsimpl/overlay/filesystem.go |  5 +++++
 pkg/sentry/fsimpl/tmpfs/tmpfs.go        |  5 +++++
 test/syscalls/linux/xattr.cc            | 10 ++++++++--
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/pkg/sentry/fsimpl/overlay/filesystem.go b/pkg/sentry/fsimpl/overlay/filesystem.go
index 1d8d12ebc3..30daf87ab6 100644
--- a/pkg/sentry/fsimpl/overlay/filesystem.go
+++ b/pkg/sentry/fsimpl/overlay/filesystem.go
@@ -1825,6 +1825,11 @@ func (fs *filesystem) SetXattrAt(ctx context.Context, rp *vfs.ResolvingPath, opt
 
 // Precondition: fs.renameMu must be locked.
 func (fs *filesystem) setXattrLocked(ctx context.Context, d *dentry, mnt *vfs.Mount, creds *auth.Credentials, opts *vfs.SetXattrOptions) error {
+	if strings.HasPrefix(opts.Name, linux.XATTR_SECURITY_PREFIX) {
+		// TODO(b/301323819): support security extended attributes in overlayfs.
+		// Setting security extended attributes in overlayfs is a no-op.
+		return nil
+	}
 	if err := d.checkXattrPermissions(creds, opts.Name, vfs.MayWrite); err != nil {
 		return err
 	}
diff --git a/pkg/sentry/fsimpl/tmpfs/tmpfs.go b/pkg/sentry/fsimpl/tmpfs/tmpfs.go
index bbe1d8709d..14dedfdecd 100644
--- a/pkg/sentry/fsimpl/tmpfs/tmpfs.go
+++ b/pkg/sentry/fsimpl/tmpfs/tmpfs.go
@@ -870,6 +870,11 @@ func (i *inode) setXattr(creds *auth.Credentials, opts *vfs.SetXattrOptions) err
 	if err := i.checkXattrPrefix(opts.Name); err != nil {
 		return err
 	}
+	if strings.HasPrefix(opts.Name, linux.XATTR_SECURITY_PREFIX) {
+		// TODO(b/301323819): support security extended attributes in tmpfs.
+		// Setting security extended attributes in tmpfs is a no-op.
+		return nil
+	}
 	mode := linux.FileMode(i.mode.Load())
 	kuid := auth.KUID(i.uid.Load())
 	kgid := auth.KGID(i.gid.Load())
diff --git a/test/syscalls/linux/xattr.cc b/test/syscalls/linux/xattr.cc
index 11b48819aa..2da5a8cf27 100644
--- a/test/syscalls/linux/xattr.cc
+++ b/test/syscalls/linux/xattr.cc
@@ -111,8 +111,14 @@ TEST_F(XattrTest, SecurityCapacityXattr) {
   const char* path = test_file_name_.c_str();
   const char name[] = "security.capacity";
   const std::string val = "";
-  EXPECT_THAT(lsetxattr(path, name, &val, val.size(), 0),
-              SyscallFailsWithErrno(EOPNOTSUPP));
+  if (ASSERT_NO_ERRNO_AND_VALUE(IsTmpfs(test_file_name_)) ||
+      ASSERT_NO_ERRNO_AND_VALUE(IsOverlayfs(test_file_name_))) {
+    EXPECT_THAT(lsetxattr(path, name, &val, val.size(), 0), SyscallSucceeds());
+  } else {
+    EXPECT_THAT(lsetxattr(path, name, &val, val.size(), 0),
+                SyscallFailsWithErrno(EOPNOTSUPP));
+  }
+
   int buf = 0;
   EXPECT_THAT(lgetxattr(path, name, &buf, /*size=*/128),
               SyscallFailsWithErrno(AnyOf(ENODATA, EOPNOTSUPP)));