Merge a00157cc (automated)

author: gVisor bot <gvisor-bot@google.com> 2019-06-10 22:42:41 +0000
committer: gVisor bot <gvisor-bot@google.com> 2019-06-10 22:42:41 +0000
commit: 8390a8227b571e82c42e3e90aa28a7b86f7e3f9b (patch)
tree: 8bfad5169182b7ba1c6ed5f3df0279729cc200b0 /pkg/sentry/kernel/task_exec.go
parent: 4f56f1bf2248bb17da8b269b4191218d85ce6587 (diff)
parent: a00157cc0e216a9829f2659ce35c856a22aa5ba2 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/pkg/sentry/kernel/task_exec.go b/pkg/sentry/kernel/task_exec.go
index 5d1425d5c..35d5cb90c 100644
--- a/pkg/sentry/kernel/task_exec.go
+++ b/pkg/sentry/kernel/task_exec.go
@@ -68,6 +68,7 @@ import (
 	"gvisor.googlesource.com/gvisor/pkg/abi/linux"
 	"gvisor.googlesource.com/gvisor/pkg/sentry/arch"
 	"gvisor.googlesource.com/gvisor/pkg/sentry/fs"
+	"gvisor.googlesource.com/gvisor/pkg/sentry/mm"
 	"gvisor.googlesource.com/gvisor/pkg/syserror"
 )
 
@@ -198,6 +199,12 @@ func (r *runSyscallAfterExecStop) execute(t *Task) taskRunState {
 		return flags.CloseOnExec
 	})
 
+	// NOTE(b/30815691): We currently do not implement privileged
+	// executables (set-user/group-ID bits and file capabilities). This
+	// allows us to unconditionally enable user dumpability on the new mm.
+	// See fs/exec.c:setup_new_exec.
+	r.tc.MemoryManager.SetDumpability(mm.UserDumpable)
+
 	// Switch to the new process.
 	t.MemoryManager().Deactivate()
 	t.mu.Lock()
author	gVisor bot <gvisor-bot@google.com>	2019-06-10 22:42:41 +0000
committer	gVisor bot <gvisor-bot@google.com>	2019-06-10 22:42:41 +0000
commit	8390a8227b571e82c42e3e90aa28a7b86f7e3f9b (patch)
tree	8bfad5169182b7ba1c6ed5f3df0279729cc200b0 /pkg/sentry/kernel/task_exec.go
parent	4f56f1bf2248bb17da8b269b4191218d85ce6587 (diff)
parent	a00157cc0e216a9829f2659ce35c856a22aa5ba2 (diff)