Make setting security.capability attribute a no-op in tmpfs.

PiperOrigin-RevId: 742832245

Author: milantracy

pkg/sentry/fsimpl/tmpfs/tmpfs.go

@@ -870,6 +870,11 @@ func (i *inode) setXattr(creds *auth.Credentials, opts *vfs.SetXattrOptions) err
 	if err := i.checkXattrPrefix(opts.Name); err != nil {
 		return err
 	}
+	if strings.HasPrefix(opts.Name, linux.XATTR_SECURITY_PREFIX) {
+		// TODO(b/301323819): support security extended attributes in tmpfs.
+		// Setting security.capacity extended attributes in tmpfs is a no-op.
+		return nil
+	}
 	mode := linux.FileMode(i.mode.Load())
 	kuid := auth.KUID(i.uid.Load())
 	kgid := auth.KGID(i.gid.Load())

test/syscalls/linux/xattr.cc

@@ -111,8 +111,13 @@ TEST_F(XattrTest, SecurityCapacityXattr) {
   const char* path = test_file_name_.c_str();
   const char name[] = "security.capacity";
   const std::string val = "";
-  EXPECT_THAT(lsetxattr(path, name, &val, val.size(), 0),
-              SyscallFailsWithErrno(EOPNOTSUPP));
+  if (ASSERT_NO_ERRNO_AND_VALUE(IsTmpfs(test_file_name_))) {
+    EXPECT_THAT(lsetxattr(path, name, &val, val.size(), 0), SyscallSucceeds());
+  } else {
+    EXPECT_THAT(lsetxattr(path, name, &val, val.size(), 0),
+                SyscallFailsWithErrno(EOPNOTSUPP));
+  }
+
   int buf = 0;
   EXPECT_THAT(lgetxattr(path, name, &buf, /*size=*/128),
               SyscallFailsWithErrno(AnyOf(ENODATA, EOPNOTSUPP)));