author | Andrei Vagin <avagin@google.com> | 2019-03-20 18:39:57 -0700 |
committer | Shentubot <shentubot@google.com> | 2019-03-20 18:41:00 -0700 |
commit | 064fda1a759fa3e73d25da3fd535d256ac8ccfb0 (patch) | |
tree | 29fa8cffbe6f74f6e89b9d2664ba9b90baf7869a /pkg/sentry/kernel/task_identity.go | |
parent | 81f4829d1195276d037f8bd23a2ef69e88f5ae6c (diff) |
gvisor: don't allocate a new credential object on fork
A credential object is immutable, so we don't need to copy it for a new
task.
PiperOrigin-RevId: 239519266
Change-Id: I0632f641fdea9554779ac25d84bee4231d0d18f2
Diffstat (limited to 'pkg/sentry/kernel/task_identity.go')
-rw-r--r-- | pkg/sentry/kernel/task_identity.go | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/pkg/sentry/kernel/task_identity.go b/pkg/sentry/kernel/task_identity.go
index 8f90ed786..e105eba13 100644
--- a/pkg/sentry/kernel/task_identity.go
+++ b/pkg/sentry/kernel/task_identity.go
@@ -372,6 +372,7 @@ func (t *Task) DropBoundingCapability(cp linux.Capability) error {
 if !t.creds.HasCapability(linux.CAP_SETPCAP) {
 return syserror.EPERM
 }
+ t.creds = t.creds.Fork() // See doc for creds.
 t.creds.BoundingCaps &^= auth.CapabilitySetOf(cp)
 return nil
 }
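Review bot: The copy-on-write rule this added line depends on — t.creds may alias the forking task's credentials, so any field write must first replace it with a Fork()'d copy — is enforced only by convention, and a writer to `t.creds.*` elsewhere in the package that is not updated the same way would silently change another task's capability set. DropBoundingCapability's opening lines and any locking of the task (t.mu or similar) are outside the hunk, so whether the read of HasCapability and the subsequent write are serialized against concurrent readers cannot be confirmed here. Since `// See doc for creds.` points readers to the field doc, that doc should state the invariant explicitly, e.g. `// creds may be shared with other tasks after Fork(); never modify it in place — replace it with a Fork()'d copy before any field write.` The diffstat is limited to this file, so other `&^=`/assignment sites on t.creds may already be covered by the rest of the commit; worth a grep to confirm.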