diff options
author | Andrei Vagin <avagin@google.com> | 2019-03-20 18:39:57 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2019-03-20 18:41:00 -0700 |
commit | 064fda1a759fa3e73d25da3fd535d256ac8ccfb0 (patch) | |
tree | 29fa8cffbe6f74f6e89b9d2664ba9b90baf7869a | |
parent | 81f4829d1195276d037f8bd23a2ef69e88f5ae6c (diff) |
gvisor: don't allocate a new credential object on fork
A credential object is immutable, so we don't need to copy it for a new
task.
PiperOrigin-RevId: 239519266
Change-Id: I0632f641fdea9554779ac25d84bee4231d0d18f2
-rw-r--r-- | pkg/sentry/kernel/task_clone.go | 2 | ||||
-rw-r--r-- | pkg/sentry/kernel/task_identity.go | 1 |
2 files changed, 2 insertions, 1 deletions
diff --git a/pkg/sentry/kernel/task_clone.go b/pkg/sentry/kernel/task_clone.go index 114e7f858..daf974920 100644 --- a/pkg/sentry/kernel/task_clone.go +++ b/pkg/sentry/kernel/task_clone.go @@ -252,7 +252,7 @@ func (t *Task) Clone(opts *CloneOptions) (ThreadID, *SyscallControl, error) { TaskContext: tc, FSContext: fsc, FDMap: fds, - Credentials: creds.Fork(), + Credentials: creds, Niceness: t.Niceness(), NetworkNamespaced: t.netns, AllowedCPUMask: t.CPUMask(), diff --git a/pkg/sentry/kernel/task_identity.go b/pkg/sentry/kernel/task_identity.go index 8f90ed786..e105eba13 100644 --- a/pkg/sentry/kernel/task_identity.go +++ b/pkg/sentry/kernel/task_identity.go @@ -372,6 +372,7 @@ func (t *Task) DropBoundingCapability(cp linux.Capability) error { if !t.creds.HasCapability(linux.CAP_SETPCAP) { return syserror.EPERM } + t.creds = t.creds.Fork() // See doc for creds. t.creds.BoundingCaps &^= auth.CapabilitySetOf(cp) return nil } |