authorgVisor bot <gvisor-bot@google.com>2021-02-11 01:49:51 +0000
committergVisor bot <gvisor-bot@google.com>2021-02-11 01:49:51 +0000
commit03d099577c93e3e4098c85a570e41664a0d72bc0 (patch)
treeff0bb5597b26cd68a7f7b433b3e9bccba0051121 /pkg/sentry/vfs
parent9994360861f68e806d4c1e2ad949015cc55d130f (diff)
parent81ea0016e62318053f97ec714967047e6191fb2b (diff)
Merge release-20210201.0-84-g81ea0016e (automated)
Diffstat (limited to 'pkg/sentry/vfs')
-rw-r--r--pkg/sentry/vfs/permissions.go17
1 files changed, 17 insertions, 0 deletions
diff --git a/pkg/sentry/vfs/permissions.go b/pkg/sentry/vfs/permissions.go
index db6146fd2..b7704874f 100644
--- a/pkg/sentry/vfs/permissions.go
+++ b/pkg/sentry/vfs/permissions.go
@@ -326,3 +326,20 @@ func CheckXattrPermissions(creds *auth.Credentials, ats AccessTypes, mode linux.
}
return nil
}
+
+// ClearSUIDAndSGID clears the setuid and/or setgid bits after a chown or write.
+// Depending on the mode, neither bit, only the setuid bit, or both are cleared.
+func ClearSUIDAndSGID(mode uint32) uint32 {
+ // Directories don't have their bits changed.
+ if mode&linux.ModeDirectory == linux.ModeDirectory {
+ return mode
+ }
+
+ // Changing owners always disables the setuid bit. It disables
+ // the setgid bit when the file is executable.
+ mode &= ^uint32(linux.ModeSetUID)
+ if sgid := uint32(linux.ModeSetGID | linux.ModeGroupExec); mode&sgid == sgid {
+ mode &= ^uint32(linux.ModeSetGID)
+ }
+ return mode
+}
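Review bot: The directory test at `if mode&linux.ModeDirectory == linux.ModeDirectory` checks a single bit rather than the file-type field, so it also matches sockets (S_IFSOCK is 0140000, which has the 0040000 S_IFDIR bit set), and a socket's setuid/setgid bits would be left untouched; comparing the whole type field, `if mode&linux.S_IFMT == linux.S_IFDIR {`, matches Linux's S_ISDIR. The inline comment "Changing owners always disables the setuid bit" reads as chown-only although the doc comment says the helper is also used after a write; something like `// Both chown and write always clear setuid, and clear setgid only when the file is group-executable (setgid without group-exec marks mandatory locking, not a privilege).` would cover both callers. As far as I recall, Linux's write path (should_remove_suid) skips the clearing for a writer holding CAP_FSETID while chown always clears; since this helper takes no credentials, the doc comment should state that callers on the write path are responsible for that capability check. Minor style: `mode &^= uint32(linux.ModeSetUID)` is the idiomatic form of `mode &= ^uint32(...)`.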