author | gVisor bot <gvisor-bot@google.com> | 2019-06-25 17:00:56 +0000 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2019-06-25 17:00:56 +0000 |
commit | 47eed32a5f43f9f17420f44d68bf251135f77ce6 (patch) | |
tree | bf36188dd241f5718f750e1e8ec6915c63a5699c /pkg/sentry/kernel/task_clone.go | |
parent | 97b3e461d427c10537f58755bc1b307a5548b092 (diff) | |
parent | 03ae91c662869a37ba71dd2577d4e218a3aa4669 (diff) |
Merge 03ae91c6 (automated)
Diffstat (limited to 'pkg/sentry/kernel/task_clone.go')
-rw-r--r-- | pkg/sentry/kernel/task_clone.go | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/pkg/sentry/kernel/task_clone.go b/pkg/sentry/kernel/task_clone.go
index 0e621f0d1..b5cc3860d 100644
--- a/pkg/sentry/kernel/task_clone.go
+++ b/pkg/sentry/kernel/task_clone.go
@@ -425,6 +425,7 @@ func (t *Task) Unshare(opts *SharingOptions) error {
 	if opts.NewAddressSpace || opts.NewSignalHandlers {
 		return syserror.EINVAL
 	}
+	creds := t.Credentials()
 	if opts.NewThreadGroup {
 		t.tg.signalHandlers.mu.Lock()
 		if t.tg.tasksCount != 1 {
@@ -439,8 +440,6 @@ func (t *Task) Unshare(opts *SharingOptions) error {
 		if t.IsChrooted() {
 			return syserror.EPERM
 		}
-		// This temporary is needed because Go.
-		creds := t.Credentials()
 		newUserNS, err := creds.NewChildUserNamespace()
 		if err != nil {
 			return err
@@ -449,6 +448,8 @@ func (t *Task) Unshare(opts *SharingOptions) error {
 		if err != nil {
 			return err
 		}
+		// Need to reload creds, becaue t.SetUserNamespace() changed task credentials.
+		creds = t.Credentials()
 	}
 	haveCapSysAdmin := t.HasCapability(linux.CAP_SYS_ADMIN)
 	if opts.NewPIDNamespace {
@@ -473,7 +474,7 @@ func (t *Task) Unshare(opts *SharingOptions) error {
 		}
 		// Note that this must happen after NewUserNamespace, so the
 		// new user namespace is used if there is one.
-		t.utsns = t.utsns.Clone(t.creds.UserNamespace)
+		t.utsns = t.utsns.Clone(creds.UserNamespace)
 	}
 	if opts.NewIPCNamespace {
 		if !haveCapSysAdmin {
@@ -482,7 +483,7 @@ func (t *Task) Unshare(opts *SharingOptions) error {
 		}
 		// Note that "If CLONE_NEWIPC is set, then create the process in a new IPC
 		// namespace"
-		t.ipcns = NewIPCNamespace(t.creds.UserNamespace)
+		t.ipcns = NewIPCNamespace(creds.UserNamespace)
 	}
 	var oldfds *FDMap
 	if opts.NewFiles {
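Review bot: The comment added before `creds = t.Credentials()` in the `-449,6 +448,8` hunk has a typo (`becaue`) and does not say why a stale snapshot is harmful; suggest `// Reload creds: t.SetUserNamespace() replaced the task's credentials, and the UTS/IPC namespaces created below must be owned by the new user namespace rather than the one this call started in.` The `haveCapSysAdmin := t.HasCapability(linux.CAP_SYS_ADMIN)` line that follows is likewise only meaningful because it runs after the user-namespace switch, which presumably is what allows an unprivileged caller to combine a new user namespace with new UTS/IPC namespaces as Linux does; that ordering is load-bearing and silent, so a one-line note such as `// Must follow SetUserNamespace: capabilities are evaluated in the new user namespace.` would keep a future reordering from weakening the check. Unshare begins before and ends after this hunk.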