fuse: add a flag FUSE_SETXATTR_ACL_KILL_SGID to kill SGID

When posix access ACL is set, it can have an effect on file mode and it can
also need to clear SGID if.

- None of caller's group/supplementary groups match file owner group.
AND
- Caller is not priviliged (No CAP_FSETID).

As of now fuser server is responsible for changing the file mode as
well. But it does not know whether to clear SGID or not.

So add a flag FUSE_SETXATTR_ACL_KILL_SGID and send this info with SETXATTR
to let file server know that sgid needs to be cleared as well.

Reported-by: Luis Henriques <lhenriques@suse.de>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

diff --git a/fs/fuse/acl.c b/fs/fuse/acl.c
index d31260a139d46906a9925c645f8952a31a4d9abf..52b165319be1fd26c610ca1f5017e6e1fe903b6f 100644 (file)
--- a/fs/fuse/acl.c
+++ b/fs/fuse/acl.c
@@ -71,6 +71,7 @@ int fuse_set_acl(struct user_namespace *mnt_userns, struct inode *inode,
                return -EINVAL;
 
        if (acl) {
+               unsigned int extra_flags = 0;
                /*
                 * Fuse userspace is responsible for updating access
                 * permissions in the inode, if needed. fuse_setxattr
@@ -94,7 +95,11 @@ int fuse_set_acl(struct user_namespace *mnt_userns, struct inode *inode,
                        return ret;
                }
 
-               ret = fuse_setxattr(inode, name, value, size, 0, 0);
+               if (!in_group_p(i_gid_into_mnt(&init_user_ns, inode)) &&
+                   !capable_wrt_inode_uidgid(&init_user_ns, inode, CAP_FSETID))
+                       extra_flags |= FUSE_SETXATTR_ACL_KILL_SGID;
+
+               ret = fuse_setxattr(inode, name, value, size, 0, extra_flags);
                kfree(value);
        } else {
                ret = fuse_removexattr(inode, name);

diff --git a/include/uapi/linux/fuse.h b/include/uapi/linux/fuse.h
index 390f7b4c889d5db161aa364963314749f3a477a8..271ae90a9bb7d728d89e27eb9ff48c0a484f9320 100644 (file)
--- a/include/uapi/linux/fuse.h
+++ b/include/uapi/linux/fuse.h
@@ -180,6 +180,7 @@
  *  - add FUSE_HANDLE_KILLPRIV_V2, FUSE_WRITE_KILL_SUIDGID, FATTR_KILL_SUIDGID
  *  - add FUSE_OPEN_KILL_SUIDGID
  *  - extend fuse_setxattr_in, add FUSE_SETXATTR_EXT
+ *  - add FUSE_SETXATTR_ACL_KILL_SGID
  */
 
 #ifndef _LINUX_FUSE_H
@@ -454,6 +455,12 @@ struct fuse_file_lock {
  */
 #define FUSE_OPEN_KILL_SUIDGID (1 << 0)
 
+/**
+ * setxattr flags
+ * FUSE_SETXATTR_ACL_KILL_SGID: Clear SGID when system.posix_acl_access is set
+ */
+#define FUSE_SETXATTR_ACL_KILL_SGID    (1 << 0)
+
 enum fuse_opcode {
        FUSE_LOOKUP             = 1,
        FUSE_FORGET             = 2,  /* no reply */