setgid directories for VFS1 tmpfs, overlayfs, and goferfs

PiperOrigin-RevId: 375780659
author: Kevin Krakauer <krakauer@google.com> 2021-05-25 13:19:23 -0700
committer: gVisor bot <gvisor-bot@google.com> 2021-05-25 13:21:52 -0700
commit: f7bc60603e32d630598eca4663dfd9d03be5802f (patch)
tree: 899fc93bffc5ecee7297dfaecb7eaff2ee924b4d /pkg/sentry/fs/fsutil
parent: 4f2439fb0ed4a6efda2637417c7137d27e4c4d26 (diff)
2 files changed, 38 insertions, 10 deletions
diff --git a/pkg/sentry/fs/fsutil/host_mappable.go b/pkg/sentry/fs/fsutil/host_mappable.go
index e1e38b498..8ac3738e9 100644
--- a/pkg/sentry/fs/fsutil/host_mappable.go
+++ b/pkg/sentry/fs/fsutil/host_mappable.go
@@ -155,12 +155,20 @@ func (h *HostMappable) DecRef(fr memmap.FileRange) {
 //   T2: Appends to file causing it to grow
 //   T2: Writes to mapped pages and COW happens
 //   T1: Continues and wronly invalidates the page mapped in step above.
-func (h *HostMappable) Truncate(ctx context.Context, newSize int64) error {
+func (h *HostMappable) Truncate(ctx context.Context, newSize int64, uattr fs.UnstableAttr) error {
 	h.truncateMu.Lock()
 	defer h.truncateMu.Unlock()
 
 	mask := fs.AttrMask{Size: true}
 	attr := fs.UnstableAttr{Size: newSize}
+
+	// Truncating a file clears privilege bits.
+	if uattr.Perms.HasSetUIDOrGID() {
+		mask.Perms = true
+		attr.Perms = uattr.Perms
+		attr.Perms.DropSetUIDAndMaybeGID()
+	}
+
 	if err := h.backingFile.SetMaskedAttributes(ctx, mask, attr, false); err != nil {
 		return err
 	}
@@ -193,10 +201,17 @@ func (h *HostMappable) Allocate(ctx context.Context, offset int64, length int64)
 }
 
 // Write writes to the file backing this mappable.
-func (h *HostMappable) Write(ctx context.Context, src usermem.IOSequence, offset int64) (int64, error) {
+func (h *HostMappable) Write(ctx context.Context, src usermem.IOSequence, offset int64, uattr fs.UnstableAttr) (int64, error) {
 	h.truncateMu.RLock()
+	defer h.truncateMu.RUnlock()
 	n, err := src.CopyInTo(ctx, &writer{ctx: ctx, hostMappable: h, off: offset})
-	h.truncateMu.RUnlock()
+	if n > 0 && uattr.Perms.HasSetUIDOrGID() {
+		mask := fs.AttrMask{Perms: true}
+		uattr.Perms.DropSetUIDAndMaybeGID()
+		if err := h.backingFile.SetMaskedAttributes(ctx, mask, uattr, false); err != nil {
+			return n, err
+		}
+	}
 	return n, err
 }
 
diff --git a/pkg/sentry/fs/fsutil/inode_cached.go b/pkg/sentry/fs/fsutil/inode_cached.go
index 7856b354b..855029b84 100644
--- a/pkg/sentry/fs/fsutil/inode_cached.go
+++ b/pkg/sentry/fs/fsutil/inode_cached.go
@@ -310,6 +310,12 @@ func (c *CachingInodeOperations) Truncate(ctx context.Context, inode *fs.Inode,
 	now := ktime.NowFromContext(ctx)
 	masked := fs.AttrMask{Size: true}
 	attr := fs.UnstableAttr{Size: size}
+	if c.attr.Perms.HasSetUIDOrGID() {
+		masked.Perms = true
+		attr.Perms = c.attr.Perms
+		attr.Perms.DropSetUIDAndMaybeGID()
+		c.attr.Perms = attr.Perms
+	}
 	if err := c.backingFile.SetMaskedAttributes(ctx, masked, attr, false); err != nil {
 		c.dataMu.Unlock()
 		return err
@@ -685,13 +691,14 @@ func (rw *inodeReadWriter) ReadToBlocks(dsts safemem.BlockSeq) (uint64, error) {
 	return done, nil
 }
 
-// maybeGrowFile grows the file's size if data has been written past the old
-// size.
+// maybeUpdateAttrs updates the file's attributes after a write. It updates
+// size if data has been written past the old size, and setuid/setgid if any
+// bytes were written.
 //
 // Preconditions:
 // * rw.c.attrMu must be locked.
 // * rw.c.dataMu must be locked.
-func (rw *inodeReadWriter) maybeGrowFile() {
+func (rw *inodeReadWriter) maybeUpdateAttrs(nwritten uint64) {
 	// If the write ends beyond the file's previous size, it causes the
 	// file to grow.
 	if rw.offset > rw.c.attr.Size {
@@ -705,6 +712,12 @@ func (rw *inodeReadWriter) maybeGrowFile() {
 		rw.c.attr.Usage = rw.offset
 		rw.c.dirtyAttr.Usage = true
 	}
+
+	// If bytes were written, ensure setuid and setgid are cleared.
+	if nwritten > 0 && rw.c.attr.Perms.HasSetUIDOrGID() {
+		rw.c.dirtyAttr.Perms = true
+		rw.c.attr.Perms.DropSetUIDAndMaybeGID()
+	}
 }
 
 // WriteFromBlocks implements safemem.Writer.WriteFromBlocks.
@@ -732,7 +745,7 @@ func (rw *inodeReadWriter) WriteFromBlocks(srcs safemem.BlockSeq) (uint64, error
 			segMR := seg.Range().Intersect(mr)
 			ims, err := mf.MapInternal(seg.FileRangeOf(segMR), hostarch.Write)
 			if err != nil {
-				rw.maybeGrowFile()
+				rw.maybeUpdateAttrs(done)
 				rw.c.dataMu.Unlock()
 				return done, err
 			}
@@ -744,7 +757,7 @@ func (rw *inodeReadWriter) WriteFromBlocks(srcs safemem.BlockSeq) (uint64, error
 			srcs = srcs.DropFirst64(n)
 			rw.c.dirty.MarkDirty(segMR)
 			if err != nil {
-				rw.maybeGrowFile()
+				rw.maybeUpdateAttrs(done)
 				rw.c.dataMu.Unlock()
 				return done, err
 			}
@@ -765,7 +778,7 @@ func (rw *inodeReadWriter) WriteFromBlocks(srcs safemem.BlockSeq) (uint64, error
 			srcs = srcs.DropFirst64(n)
 			// Partial writes are fine. But we must stop writing.
 			if n != src.NumBytes() || err != nil {
-				rw.maybeGrowFile()
+				rw.maybeUpdateAttrs(done)
 				rw.c.dataMu.Unlock()
 				return done, err
 			}
@@ -774,7 +787,7 @@ func (rw *inodeReadWriter) WriteFromBlocks(srcs safemem.BlockSeq) (uint64, error
 			seg, gap = gap.NextSegment(), FileRangeGapIterator{}
 		}
 	}
-	rw.maybeGrowFile()
+	rw.maybeUpdateAttrs(done)
 	rw.c.dataMu.Unlock()
 	return done, nil
 }
author	Kevin Krakauer <krakauer@google.com>	2021-05-25 13:19:23 -0700
committer	gVisor bot <gvisor-bot@google.com>	2021-05-25 13:21:52 -0700
commit	f7bc60603e32d630598eca4663dfd9d03be5802f (patch)
tree	899fc93bffc5ecee7297dfaecb7eaff2ee924b4d /pkg/sentry/fs/fsutil
parent	4f2439fb0ed4a6efda2637417c7137d27e4c4d26 (diff)