tmpfs: Clear security.capability xattr on write #13072
Merged
copybara-service[bot] merged 1 commit into google:master from shayonj:fix-cap-survive-write on May 7, 2026
Conversation
ayushr2 reviewed May 4, 2026

47d878d to 2878793
shailend-g (Contributor) reviewed May 5, 2026 and left a comment:
Thanks for the patch! Please consider removing the file caps in the chown() and truncate() paths as well, see ClearPrivs in vfs.SetStatOptions.
2878793 to 197b5ef
When a non-privileged user writes to a file on tmpfs, Linux clears both the setuid/setgid mode bits and the security.capability xattr via file_remove_privs. The mode bit clearing was already implemented through ClearSUIDAndSGID, but the xattr removal was missing, so file capabilities survived content replacement. An unprivileged user could overwrite a capability-bearing binary and execute it with the retained privileges. Fixes google#13063
197b5ef to 72063bf
copybara-service Bot pushed a commit that referenced this pull request, May 7, 2026:
When a non-privileged user writes to a file on tmpfs, Linux clears both the setuid/setgid mode bits and the `security.capability` xattr via `file_remove_privs`. The mode bit clearing was already implemented through `ClearSUIDAndSGID` in the pwrite path, but the xattr removal was missing, so file capabilities survived content replacement. An unprivileged user could overwrite a capability-bearing binary and execute it with the retained privileges.

The fix adds a `KillPriv` method on `SimpleExtendedAttributes` that removes `security.capability` without permission checks (matching Linux's `cap_inode_killpriv`, where the kernel is the actor), and calls it from the tmpfs pwrite path alongside the existing `ClearSUIDAndSGID`.

The gofer filesystem is not affected because it explicitly blocks `security.*` xattr writes to the host filesystem.

Fixes #13063
FUTURE_COPYBARA_INTEGRATE_REVIEW=#13072 from shayonj:fix-cap-survive-write 72063bf
PiperOrigin-RevId: 911628845
ayushr2 reviewed May 7, 2026
copybara-service Bot pushed a commit that referenced this pull request, May 7, 2026:
Follow-up to #13072. The internal linter was blocking submit because chown.cc uses std::string without directly including <string>, and ayushr2 flagged that both test files were defining VFS_CAP_REVISION_2 and VFS_CAP_FLAGS_EFFECTIVE as raw hex literals instead of using the constants from linux/capability.h. This adds the missing include and replaces the magic numbers in both chown.cc and xattr.cc.

FUTURE_COPYBARA_INTEGRATE_REVIEW=#13115 from shayonj:fix-cap-constants f6bb91b
PiperOrigin-RevId: 912098808
When a non-privileged user writes to a file on tmpfs, Linux clears both the setuid/setgid mode bits and the `security.capability` xattr via `file_remove_privs`. The mode bit clearing was already implemented through `ClearSUIDAndSGID` in the pwrite path, but the xattr removal was missing, so file capabilities survived content replacement. An unprivileged user could overwrite a capability-bearing binary and execute it with the retained privileges.

The fix adds a `KillPriv` method on `SimpleExtendedAttributes` that removes `security.capability` without permission checks (matching Linux's `cap_inode_killpriv`, where the kernel is the actor), and calls it from the tmpfs pwrite path alongside the existing `ClearSUIDAndSGID`.

The gofer filesystem is not affected because it explicitly blocks `security.*` xattr writes to the host filesystem.

Fixes #13063
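A Python model of the behaviour the commit message describes, added here as an illustration (it is not gVisor code; gVisor's own implementation is in Go): `parse_vfs_cap_data` decodes a `security.capability` value using the `VFS_CAP_REVISION_2` and `VFS_CAP_FLAGS_EFFECTIVE` constants named in the follow-up commit, `kill_priv` drops the xattr with no permission check like the `KillPriv` described above, and `remove_privs_on_write` follows Linux's `file_remove_privs`. The `Inode` class, the constructed sample value, and the mode-bit rules taken from Linux's `should_remove_suid` (setgid cleared only when the file is group-executable; a CAP_FSETID writer keeps the mode bits but still loses the xattr) are assumptions of this example, not statements from the page.

```python
import struct

# linux/capability.h: vfs_cap_data starts with a u32 holding the revision (top byte) and
# VFS_CAP_FLAGS_EFFECTIVE (bit 0), followed by two (permitted, inheritable) u32 pairs.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
SECURITY_CAPABILITY = "security.capability"
S_ISUID, S_ISGID, S_IXGRP = 0o4000, 0o2000, 0o0010  # linux/stat.h


def parse_vfs_cap_data(blob: bytes) -> dict:
    """Decode a revision-2 security.capability value (20 bytes) into its fields."""
    if len(blob) < 4:
        raise ValueError("truncated vfs_cap_data header")
    magic = struct.unpack_from("<I", blob)[0]
    if magic & VFS_CAP_REVISION_MASK != VFS_CAP_REVISION_2 or len(blob) != 20:
        raise ValueError(f"unsupported revision {magic >> 24} or length {len(blob)}")
    p0, i0, p1, i1 = struct.unpack_from("<4I", blob, 4)
    return {"revision": 2, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": p0 | (p1 << 32), "inheritable": i0 | (i1 << 32)}


class Inode:
    """Toy tmpfs inode assumed for this example (not gVisor's type): mode word plus xattrs."""
    def __init__(self, mode: int, xattrs: dict):
        self.mode, self.xattrs = mode, dict(xattrs)

    def kill_priv(self) -> bool:
        """KillPriv / cap_inode_killpriv: the kernel is the actor, so no permission check."""
        return self.xattrs.pop(SECURITY_CAPABILITY, None) is not None

    def remove_privs_on_write(self, writer_has_fsetid: bool = False) -> None:
        """file_remove_privs: mode bits per should_remove_suid (setuid always, setgid only if
        group-executable, a CAP_FSETID writer keeps both); the capability xattr goes regardless."""
        if not writer_has_fsetid:
            self.mode &= ~S_ISUID
            if self.mode & (S_ISGID | S_IXGRP) == (S_ISGID | S_IXGRP):
                self.mode &= ~S_ISGID
        self.kill_priv()


# Constructed sample value: revision 2, CAP_NET_BIND_SERVICE (bit 10) permitted and effective.
SAMPLE_CAP = struct.pack("<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 10, 0, 0, 0)

if __name__ == "__main__":
    f = Inode(mode=0o6755, xattrs={SECURITY_CAPABILITY: SAMPLE_CAP})
    print("before:", parse_vfs_cap_data(f.xattrs[SECURITY_CAPABILITY]))
    f.remove_privs_on_write()
    print(f"after unprivileged write: mode={f.mode:o} xattr={f.xattrs.get(SECURITY_CAPABILITY)}")
```

The pre-fix tmpfs behaviour corresponds to the same write path without the `kill_priv()` call: the mode bits go, but the parsed value above would still be attached to the rewritten file.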