mirror of
https://chromium.googlesource.com/crosvm/crosvm
synced 2025-02-06 10:32:10 +00:00
7b98502972
Set the SECBIT_NO_SETUID_FIXUP securebit so that we don't lose
capabilities when changing the thread uid/gid. This allows us to
simplify the create and mkdir functions so that all the checks we
currently carry out are only done once by the host kernel.
To ensure that the setuid and setgid bits still get dropped when a file
is modified by a process that doesn't hold CAP_FSETID, check for
WRITE_KILL_PRIV in the write flags and temporarily drop CAP_FSETID when
it is set.
BUG=none
TEST=Check that default posix acls, setgid bits, and file/directory
creation via membership of a supplementary group all work as
expected.
Change-Id: I420484e357a970e997cb3e968a433278e82d8ad4
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crosvm/+/2684067
Auto-Submit: Chirantan Ekbote <chirantan@chromium.org>
Tested-by: kokoro <noreply+kokoro@google.com>
Commit-Queue: Chirantan Ekbote <chirantan@chromium.org>
Reviewed-by: Daniel Verkamp <dverkamp@chromium.org>
|
||
|---|---|---|
| .. | ||
| 9p_device.policy | ||
| balloon_device.policy | ||
| battery.policy | ||
| block_device.policy | ||
| common_device.policy | ||
| cras_audio_device.policy | ||
| fs_device.policy | ||
| gpu_device.policy | ||
| input_device.policy | ||
| net_device.policy | ||
| null_audio_device.policy | ||
| pmem_device.policy | ||
| rng_device.policy | ||
| serial.policy | ||
| tpm_device.policy | ||
| vhost_net_device.policy | ||
| vhost_vsock_device.policy | ||
| vios_audio_device.policy | ||
| wl_device.policy | ||
| xhci.policy | ||