summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/kernel/task_identity.go
diff options
context:
space:
mode:
authorAndrei Vagin <avagin@google.com>2019-03-20 18:39:57 -0700
committerShentubot <shentubot@google.com>2019-03-20 18:41:00 -0700
commit064fda1a759fa3e73d25da3fd535d256ac8ccfb0 (patch)
tree29fa8cffbe6f74f6e89b9d2664ba9b90baf7869a /pkg/sentry/kernel/task_identity.go
parent81f4829d1195276d037f8bd23a2ef69e88f5ae6c (diff)
gvisor: don't allocate a new credential object on fork
A credential object is immutable, so we don't need to copy it for a new task. PiperOrigin-RevId: 239519266 Change-Id: I0632f641fdea9554779ac25d84bee4231d0d18f2
Diffstat (limited to 'pkg/sentry/kernel/task_identity.go')
-rw-r--r--pkg/sentry/kernel/task_identity.go1
1 files changed, 1 insertions, 0 deletions
diff --git a/pkg/sentry/kernel/task_identity.go b/pkg/sentry/kernel/task_identity.go
index 8f90ed786..e105eba13 100644
--- a/pkg/sentry/kernel/task_identity.go
+++ b/pkg/sentry/kernel/task_identity.go
@@ -372,6 +372,7 @@ func (t *Task) DropBoundingCapability(cp linux.Capability) error {
if !t.creds.HasCapability(linux.CAP_SETPCAP) {
return syserror.EPERM
}
+ t.creds = t.creds.Fork() // See doc for creds.
t.creds.BoundingCaps &^= auth.CapabilitySetOf(cp)
return nil
}