summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/kernel/thread_group.go
diff options
context:
space:
mode:
authorgVisor bot <gvisor-bot@google.com>2020-06-26 23:27:49 +0000
committergVisor bot <gvisor-bot@google.com>2020-06-26 23:27:49 +0000
commit460b8e67595833f8d17844fd205f0edeaed4fe69 (patch)
treede1799ad6de97debd7de90cfb9bca4cfe6a2efa5 /pkg/sentry/kernel/thread_group.go
parent7be2118abeba07f362d67d9074169e0eb559e59d (diff)
parent9cfc15497581824f1c6ba2b9f9ee653d0be0bc5a (diff)
Merge release-20200622.1-31-g9cfc15497 (automated)
Diffstat (limited to 'pkg/sentry/kernel/thread_group.go')
-rw-r--r--pkg/sentry/kernel/thread_group.go3
1 files changed, 2 insertions, 1 deletions
diff --git a/pkg/sentry/kernel/thread_group.go b/pkg/sentry/kernel/thread_group.go
index 52849f5b3..4dfd2c990 100644
--- a/pkg/sentry/kernel/thread_group.go
+++ b/pkg/sentry/kernel/thread_group.go
@@ -366,7 +366,8 @@ func (tg *ThreadGroup) SetControllingTTY(tty *TTY, arg int32) error {
// terminal is stolen, and all processes that had it as controlling
// terminal lose it." - tty_ioctl(4)
if tty.tg != nil && tg.processGroup.session != tty.tg.processGroup.session {
- if !auth.CredentialsFromContext(tg.leader).HasCapability(linux.CAP_SYS_ADMIN) || arg != 1 {
+ // Stealing requires CAP_SYS_ADMIN in the root user namespace.
+ if creds := auth.CredentialsFromContext(tg.leader); !creds.HasCapabilityIn(linux.CAP_SYS_ADMIN, creds.UserNamespace.Root()) || arg != 1 {
return syserror.EPERM
}
// Steal the TTY away. Unlike TIOCNOTTY, don't send signals.