Component
mv (cross-device fallback) and uucore::fsxattr
Description
When moving files across filesystem boundaries, mv falls back to copy-then-delete. During this fallback, extended attribute preservation uses path-based operations (xattr::list, xattr::get, xattr::set) that repeatedly re-resolve source and destination paths with each syscall. This means the xattrs copied are not an atomic snapshot, and concurrent path manipulation (renames, replacements) can redirect individual syscalls to different inodes mid-operation.
The implementation is not inode-stable. Each xattr operation walks the path again instead of operating on a pinned file descriptor. For regular files, copy_xattrs(source, dest) iterates attributes and performs separate path lookups per get/set. For directories, retrieve_xattrs and apply_xattrs similarly resolve paths multiple times.
Test / Reproduction Steps
# Observe non-atomic snapshot behavior
touch /tmp/src
setfattr -n user.test -v original /tmp/src
while true; do setfattr -n user.test -v modified /tmp/src 2>/dev/null; done &
mv /tmp/src /mnt/otherfs/dst # Cross-device move
getfattr -n user.test /mnt/otherfs/dst
Impact
This is primarily a correctness issue, but becomes security-relevant when privileged processes move files carrying security xattrs (SELinux labels, capabilities). Content and metadata can be observed or manipulated at different times during the operation.
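A descriptor-pinned version of the xattr copy described above, as an added example that is not code from the issue or from the uutils code base. The names `copy_xattrs_fd` and `demo_path_swap`, the `user.` prefix filter and the `/tmp` file names are assumptions made for this sketch; it pins the inode only, so values on that inode can still change between the list and get calls.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Copy xattrs whose names start with `prefix` from src_fd to dst_fd. Each
 * descriptor pins one inode, so renaming or replacing either path cannot
 * redirect a call. Returns the number copied, or -1 on error. */
int copy_xattrs_fd(int src_fd, int dst_fd, const char *prefix) {
    char names[4096], value[4096];          /* fixed buffers; larger data gives -1 */
    ssize_t len = flistxattr(src_fd, names, sizeof names);
    if (len < 0)
        return errno == ENOTSUP ? 0 : -1;   /* no xattr support: nothing to copy */
    int copied = 0;
    for (char *n = names; n < names + len; n += strlen(n) + 1) {
        if (strncmp(n, prefix, strlen(prefix)) != 0)
            continue;
        ssize_t vlen = fgetxattr(src_fd, n, value, sizeof value);
        if (vlen < 0 && errno == ENODATA)
            continue;                       /* removed after the list call */
        if (vlen < 0 || fsetxattr(dst_fd, n, value, (size_t)vlen, 0) < 0)
            return -1;
        copied++;
    }
    return copied;
}

/* Constructed demo: the source path is replaced by a decoy after open().
 * Returns 1 if dst got the pinned inode's value, 0 if not, and 2 if temp
 * files or user.* xattrs are unavailable here (nothing to check). */
int demo_path_swap(void) {
    char src[] = "/tmp/xa_src_XXXXXX", dst[] = "/tmp/xa_dst_XXXXXX", got[16] = {0};
    int sfd = mkstemp(src), dfd = mkstemp(dst), ok = 2;
    if (sfd >= 0 && dfd >= 0 && fsetxattr(sfd, "user.test", "original", 8, 0) == 0) {
        unlink(src);                        /* path no longer names the inode */
        int decoy = open(src, O_CREAT | O_WRONLY, 0600);
        fsetxattr(decoy, "user.test", "decoy", 5, 0);
        close(decoy);
        ok = copy_xattrs_fd(sfd, dfd, "user.") == 1
          && fgetxattr(dfd, "user.test", got, sizeof got - 1) == 8
          && strcmp(got, "original") == 0;
    }
    unlink(src); unlink(dst); close(sfd); close(dfd);
    return ok;
}

int main(void) { return demo_path_swap() == 0; }  /* exit 0 unless the check failed */
```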