authorAndrei Vagin <avagin@google.com>2019-03-20 18:39:57 -0700
committerShentubot <shentubot@google.com>2019-03-20 18:41:00 -0700
commit064fda1a759fa3e73d25da3fd535d256ac8ccfb0 (patch)
tree29fa8cffbe6f74f6e89b9d2664ba9b90baf7869a
parent81f4829d1195276d037f8bd23a2ef69e88f5ae6c (diff)
gvisor: don't allocate a new credential object on fork
A credential object is immutable, so we don't need to copy it for a new task. PiperOrigin-RevId: 239519266 Change-Id: I0632f641fdea9554779ac25d84bee4231d0d18f2
-rw-r--r--pkg/sentry/kernel/task_clone.go2
-rw-r--r--pkg/sentry/kernel/task_identity.go1
2 files changed, 2 insertions, 1 deletions
diff --git a/pkg/sentry/kernel/task_clone.go b/pkg/sentry/kernel/task_clone.go
index 114e7f858..daf974920 100644
--- a/pkg/sentry/kernel/task_clone.go
+++ b/pkg/sentry/kernel/task_clone.go
@@ -252,7 +252,7 @@ func (t *Task) Clone(opts *CloneOptions) (ThreadID, *SyscallControl, error) {
TaskContext: tc,
FSContext: fsc,
FDMap: fds,
- Credentials: creds.Fork(),
+ Credentials: creds,
Niceness: t.Niceness(),
NetworkNamespaced: t.netns,
AllowedCPUMask: t.CPUMask(),
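Review bot: With `Credentials: creds,` the child holds the same credentials object as the task it was cloned from, so privilege isolation between tasks now depends on every writer copying before it mutates. This commit adds that copy only in DropBoundingCapability; any other path that writes through `t.creds` in place (none is visible here) would change both tasks at once. I would state the invariant at this line, e.g. `// creds is shared with the parent, not copied; writers must Fork() before mutating.`, and add a test that a child dropping a bounding capability leaves the parent's set unchanged. Clone's body starts and ends outside the hunk, so how `creds` is obtained, and whether it is modified earlier in Clone, should be checked as well.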
diff --git a/pkg/sentry/kernel/task_identity.go b/pkg/sentry/kernel/task_identity.go
index 8f90ed786..e105eba13 100644
--- a/pkg/sentry/kernel/task_identity.go
+++ b/pkg/sentry/kernel/task_identity.go
@@ -372,6 +372,7 @@ func (t *Task) DropBoundingCapability(cp linux.Capability) error {
if !t.creds.HasCapability(linux.CAP_SETPCAP) {
return syserror.EPERM
}
+ t.creds = t.creds.Fork() // See doc for creds.
t.creds.BoundingCaps &^= auth.CapabilitySetOf(cp)
return nil
}
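Review bot: The trailing comment `// See doc for creds.` on the added Fork() line does not say why the copy is needed, yet this line is what keeps a bounding-set drop local to one task. I suggest `// Credentials may be shared with other tasks; copy before mutating so the drop affects only t.` The function's opening lines are outside the hunk, so it cannot be confirmed here that the pointer swap happens under the task's lock; it is worth checking that readers of `t.creds` take the same lock.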