Re: [PATCH] xfs: remove file privileges after XFS_IOC_SWAPEXT
From: Christoph Hellwig
Date: Mon May 25 2026 - 01:53:40 EST

On Sun, May 24, 2026 at 02:38:20PM +0800, Qing Ming wrote:
> XFS_IOC_SWAPEXT exchanges the data forks of two regular files. This
> changes file contents and therefore needs the same privilege stripping
> that ordinary write paths apply.
>
> The legacy ioctl currently completes the exchange without removing
> SUID/SGID bits or file capabilities. As a result, a privileged inode can
> retain those attributes after its data fork has been replaced.
>
> Pass the file objects into xfs_swap_extents() and call file_remove_privs()
> for both files after the exchange commits, before dropping the outer
> inode and mapping locks. This matches the XFS_IOC_EXCHANGE_RANGE finish
> path.

Not sure this makes much sense, as xfs_swap_extents is used for
defragmentation, including a system-wide one, and this would drop the
suid bit from existing suid bit files and break the system.

I don't think there is a security issue as the target file needs to
be writable to the user performing the operation, and the owning uid/gid
has to match as well.

I think the issue is more that XFS_IOC_COMMIT_RANGE drops the suid
and could thus cause problems when used by fsr.