If caller does not have CAP_FSETID, we set FUSE_WRITE_KILL_PRIV in direct I/O path but not in cached write path. Set it there as well so that server can clear suid/sgid/caps as needed. Set it only if fc->handle_killpriv_v2 is set. Otherwise client is responsible for kill suid/sgid. We do it direct I/O path anyway because we do't call file_remove_privs() there (with cache=none option). Signed-off-by: Vivek Goyal <vgoyal@xxxxxxxxxx> --- fs/fuse/file.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 83d917f7e542..57899afc7cba 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -1083,6 +1083,8 @@ static ssize_t fuse_send_write_pages(struct fuse_io_args *ia, fuse_write_args_fill(ia, ff, pos, count); ia->write.in.flags = fuse_write_flags(iocb); + if (fc->handle_killpriv_v2 && !capable(CAP_FSETID)) + ia->write.in.write_flags |= FUSE_WRITE_KILL_PRIV; err = fuse_simple_request(fc, &ap->args); if (!err && ia->write.out.size > count) -- 2.25.4
