Implement S_ISGID clearing behavior in chmod.

When a non-privileged process (lacking `CAP_FSETID`) attempts to set the
`S_ISGID` bit on a file, and the file's group does not match the process's
effective or supplementary group IDs, the `S_ISGID` bit is silently cleared.

PiperOrigin-RevId: 797579605

Author: shailend-g

pkg/sentry/vfs/permissions.go

@@ -185,7 +185,7 @@ func MayWriteFileWithOpenFlags(flags uint32) bool {
 
 // CheckSetStat checks that creds has permission to change the metadata of a
 // file with the given permissions, UID, and GID as specified by stat, subject
-// to the rules of Linux's fs/attr.c:setattr_prepare().
+// to the rules of Linux's fs/attr.c:setattr_prepare(). Might mutate `opts`.
 func CheckSetStat(ctx context.Context, creds *auth.Credentials, opts *SetStatOptions, mode linux.FileMode, kuid auth.KUID, kgid auth.KGID) error {
 	stat := &opts.Stat
 	if stat.Mask&linux.STATX_SIZE != 0 {
@@ -201,11 +201,13 @@ func CheckSetStat(ctx context.Context, creds *auth.Credentials, opts *SetStatOpt
 		if !CanActAsOwner(creds, kuid) {
 			return linuxerr.EPERM
 		}
-		// TODO(b/30815691): "If the calling process is not privileged (Linux:
-		// does not have the CAP_FSETID capability), and the group of the file
-		// does not match the effective group ID of the process or one of its
-		// supplementary group IDs, the S_ISGID bit will be turned off, but
-		// this will not cause an error to be returned." - chmod(2)
+		// "If the calling process is not privileged (Linux: does not have the CAP_FSETID capability),
+		// and the group of the file does not match the effective group ID of the process or one of its
+		// supplementary group IDs, the S_ISGID bit will be turned off, but this will not cause an error
+		// to be returned." - chmod(2)
+		if stat.Mode&linux.S_ISGID != 0 && !creds.HasCapabilityOnFile(linux.CAP_FSETID, kuid, kgid) && !creds.InGroup(kgid) {
+			stat.Mode &^= linux.S_ISGID
+		}
 	}
 	if stat.Mask&linux.STATX_UID != 0 {
 		if !((creds.EffectiveKUID == kuid && auth.KUID(stat.UID) == kuid) ||

test/syscalls/linux/chown.cc

@@ -23,9 +23,9 @@
 #include "gtest/gtest.h"
 #include "absl/flags/flag.h"
 #include "absl/synchronization/notification.h"
-#include "test/util/capability_util.h"
 #include "test/util/file_descriptor.h"
 #include "test/util/fs_util.h"
+#include "test/util/linux_capability_util.h"
 #include "test/util/posix_error.h"
 #include "test/util/temp_path.h"
 #include "test/util/test_util.h"
@@ -127,6 +127,59 @@ TEST(ChownTest, FchownatEmptyPath) {
   ASSERT_THAT(fchownat(fd.get(), "", 0, 0, 0), SyscallFailsWithErrno(ENOENT));
 }
 
+TEST(ChownTest, SetGroupIdBitDeniedWithoutCapFsetIdOrRelevantGroup) {
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_SETGID)));
+  const auto file = ASSERT_NO_ERRNO_AND_VALUE(TempPath::CreateFile());
+  AutoCapability cap(CAP_FSETID, false);
+
+  // Changing task creds in the main thread can mess with other tests.
+  ScopedThread([&] {
+    const mode_t chown_mode = 0755 | S_ISGID;
+    const gid_t oddGid = 12345;
+    struct stat stats;
+    mode_t stat_mode;
+
+    // 1) Without CAP_FSETID, and no relevant group, S_ISGID is not applied.
+    ASSERT_THAT(syscall(SYS_setresgid, oddGid, oddGid, oddGid),
+                SyscallSucceeds());
+    std::vector<gid_t> no_extra_groups;
+    ASSERT_THAT(
+        syscall(SYS_setgroups, no_extra_groups.size(), no_extra_groups.data()),
+        SyscallSucceeds());
+
+    ASSERT_THAT(chmod(file.path().c_str(), chown_mode), SyscallSucceeds());
+    ASSERT_THAT(stat(file.path().c_str(), &stats), SyscallSucceeds());
+    stat_mode = stats.st_mode & ~S_IFMT;
+
+    EXPECT_EQ(stat_mode & S_ISGID, 0);            // S_ISGID is not applied.
+    EXPECT_EQ(stat_mode, chown_mode & ~S_ISGID);  // but the rest is.
+
+    // 2) Without CAP_FSETID, but with a relevant group, S_ISGID is applied.
+    gid_t file_gid = stats.st_gid;
+    ASSERT_THAT(syscall(SYS_setresgid, file_gid, file_gid, file_gid),
+                SyscallSucceeds());
+
+    ASSERT_THAT(chmod(file.path().c_str(), chown_mode), SyscallSucceeds());
+    ASSERT_THAT(stat(file.path().c_str(), &stats), SyscallSucceeds());
+    stat_mode = stats.st_mode & ~S_IFMT;
+
+    EXPECT_EQ(stat_mode & S_ISGID, S_ISGID);  // S_ISGID is applied.
+    EXPECT_EQ(stat_mode, chown_mode);         // as is the rest.
+
+    // 3) With CAP_FSETID, but without a relevant group, S_ISGID is applied.
+    AutoCapability cap_inner(CAP_FSETID, true);
+    ASSERT_THAT(syscall(SYS_setresgid, oddGid, oddGid, oddGid),
+                SyscallSucceeds());
+
+    ASSERT_THAT(chmod(file.path().c_str(), chown_mode), SyscallSucceeds());
+    ASSERT_THAT(stat(file.path().c_str(), &stats), SyscallSucceeds());
+    stat_mode = stats.st_mode & ~S_IFMT;
+
+    EXPECT_EQ(stat_mode & S_ISGID, S_ISGID);  // S_ISGID is applied.
+    EXPECT_EQ(stat_mode, chown_mode);         // as is the rest.
+  });
+}
+
 using Chown =
     std::function<PosixError(const std::string&, uid_t owner, gid_t group)>;