summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorZach Koopmans <zkoopmans@google.com>2018-12-05 10:52:44 -0800
committerShentubot <shentubot@google.com>2018-12-05 10:53:51 -0800
commit06131fe749e3715534f9d551528d89048ae1398b (patch)
tree90bdce3e8502bdc0bfb04f2fae589fc09ff1863d
parentfab029c50b445e06ba770c9ccd7d6d0a06e15057 (diff)
Check for CAP_SYS_RESOURCE in prctl(PR_SET_MM, ...)
If sys_prctl is called with PR_SET_MM without CAP_SYS_RESOURCE, the syscall should return failure with errno set to EPERM. See: http://man7.org/linux/man-pages/man2/prctl.2.html PiperOrigin-RevId: 224182874 Change-Id: I630d1dd44af8b444dd16e8e58a0764a0cf1ad9a3
-rw-r--r--pkg/sentry/syscalls/linux/sys_prctl.go4
1 files changed, 4 insertions, 0 deletions
diff --git a/pkg/sentry/syscalls/linux/sys_prctl.go b/pkg/sentry/syscalls/linux/sys_prctl.go
index 91e852049..4938f27bd 100644
--- a/pkg/sentry/syscalls/linux/sys_prctl.go
+++ b/pkg/sentry/syscalls/linux/sys_prctl.go
@@ -87,6 +87,10 @@ func Prctl(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscall
}
case linux.PR_SET_MM:
+ if !t.HasCapability(linux.CAP_SYS_RESOURCE) {
+ return 0, nil, syscall.EPERM
+ }
+
switch args[1].Int() {
case linux.PR_SET_MM_EXE_FILE:
fd := kdefs.FD(args[2].Int())