authorFabricio Voznika <fvoznika@google.com>2021-07-12 16:52:53 -0700
committergVisor bot <gvisor-bot@google.com>2021-07-12 16:55:40 -0700
commitf51e0486d4f3bd25371c9449de27a3d966b813e3 (patch)
treef80560cef9ddf213035fec07f710035fc6933fb0 /pkg/sentry/control
parent7132b9a07b55b1c2944f19bb938878d147785a72 (diff)
Fix stdios ownership
Set stdio ownership based on the container's user to ensure the user can open/read/write to/from stdios. 1. stdios in the host are changed to have the owner be the same uid/gid of the process running the sandbox. This ensures that the sandbox has full control over it. 2. stdios owner inside the sandbox is changed to match the container's user to give access inside the container and make it behave the same as runc. Fixes #6180 PiperOrigin-RevId: 384347009
Diffstat (limited to 'pkg/sentry/control')
-rw-r--r--pkg/sentry/control/proc.go2
1 files changed, 1 insertions, 1 deletions
diff --git a/pkg/sentry/control/proc.go b/pkg/sentry/control/proc.go
index b7ee5425d..6352ea71a 100644
--- a/pkg/sentry/control/proc.go
+++ b/pkg/sentry/control/proc.go
@@ -223,7 +223,7 @@ func (proc *Proc) execAsync(args *ExecArgs) (*kernel.ThreadGroup, kernel.ThreadI
_ = fd.Close()
}
}()
- ttyFile, ttyFileVFS2, err := fdimport.Import(ctx, fdTable, args.StdioIsPty, fds)
+ ttyFile, ttyFileVFS2, err := fdimport.Import(ctx, fdTable, args.StdioIsPty, args.KUID, args.KGID, fds)
if err != nil {
return nil, 0, nil, nil, err
}
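Review bot: The new `fdimport.Import` call takes `args.KUID, args.KGID` with no comment saying that these become the owner of the imported stdio files inside the sandbox, which is the access-control decision this line makes. I would add above it something like `// Import stdio FDs owned by the exec'd process's user so that it, and not only root, can open/read/write them.` If the zero value of these fields means root, as is usual for kernel IDs, an exec request that leaves them unset would get root-owned stdio; it would help to state in the `ExecArgs` field docs whether that is intended. The body of `execAsync` starts and ends outside this hunk, so whether the same fields also build the new process's credentials cannot be confirmed from here.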