author | Rahat Mahmood <rahat@google.com> | 2018-05-17 15:37:19 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2018-05-17 15:38:11 -0700 |
commit | b904250b862c5c14da84e08b6a5400c7bf2458b0 (patch) | |
tree | c6365aa58237dda6602b358acdc11f39c4eecb67 /pkg/sentry/kernel/ipc_namespace.go | |
parent | 8878a66a565733493e702199b284cd7855f80bf0 (diff) |
Fix capability check for sysv semaphores.
Capabilities for sysv sem operations were being checked against the
current task's user namespace. They should be checked against the user
namespace owning the ipc namespace for the sems instead, per
ipc/util.c:ipcperms().
PiperOrigin-RevId: 197063111
Change-Id: Iba29486b316f2e01ee331dda4e48a6ab7960d589
Diffstat (limited to 'pkg/sentry/kernel/ipc_namespace.go')
-rw-r--r-- | pkg/sentry/kernel/ipc_namespace.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/pkg/sentry/kernel/ipc_namespace.go b/pkg/sentry/kernel/ipc_namespace.go
index 3049fead4..a86bda77b 100644
--- a/pkg/sentry/kernel/ipc_namespace.go
+++ b/pkg/sentry/kernel/ipc_namespace.go
@@ -33,7 +33,7 @@ type IPCNamespace struct {
 func NewIPCNamespace(userNS *auth.UserNamespace) *IPCNamespace {
 return &IPCNamespace{
 userNS: userNS,
- semaphores: semaphore.NewRegistry(),
+ semaphores: semaphore.NewRegistry(userNS),
 shms: shm.NewRegistry(userNS),
 }
 } |
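Review bot: The security meaning of the `userNS` argument is not documented at the constructor, even though `NewIPCNamespace` now passes it to both `semaphore.NewRegistry(userNS)` and `shm.NewRegistry(userNS)`, making it the namespace that sysv IPC capability checks are meant to be evaluated against. I would add a comment above the function, such as `// userNS is the user namespace that owns the new IPC namespace; capability checks for its semaphores and shared memory segments are made against userNS, not against the calling task's user namespace.` Any existing doc comment sits above the hunk and is not visible here, and the registry code that consumes the value is in another file, so this assumes it stores and consults the namespace as the commit message describes. A regression test would also be worth adding alongside this change: a task that holds the IPC capability only in a child user namespace should be denied on a semaphore set in an IPC namespace owned by the parent user namespace.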