diff options
author | gVisor bot <gvisor-bot@google.com> | 2020-04-17 22:36:36 +0000 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-04-17 22:36:36 +0000 |
commit | ab3c0e685e9abe2138562d3b837840458a48a57d (patch) | |
tree | c991973f992204a869c0f54f5efb0529b845802c | |
parent | 887eaf44a83f1961867879d825f951f32447266c (diff) | |
parent | e838290e671c9d72dbaa3aba13bf0c35f1147de4 (diff) |
Merge release-20200323.0-182-ge838290 (automated)
-rw-r--r-- | pkg/sentry/syscalls/linux/sys_rlimit.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/pkg/sentry/syscalls/linux/sys_rlimit.go b/pkg/sentry/syscalls/linux/sys_rlimit.go index e08c333d6..d5d5b6959 100644 --- a/pkg/sentry/syscalls/linux/sys_rlimit.go +++ b/pkg/sentry/syscalls/linux/sys_rlimit.go @@ -197,7 +197,7 @@ func Prlimit64(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Sys // saved set user IDs of the target process must match the real user ID of // the caller and the real, effective, and saved set group IDs of the // target process must match the real group ID of the caller." - if !t.HasCapabilityIn(linux.CAP_SYS_RESOURCE, t.PIDNamespace().UserNamespace()) { + if ot != t && !t.HasCapabilityIn(linux.CAP_SYS_RESOURCE, t.PIDNamespace().UserNamespace()) { cred, tcred := t.Credentials(), ot.Credentials() if cred.RealKUID != tcred.RealKUID || cred.RealKUID != tcred.EffectiveKUID || |