author | Kevin Krakauer <krakauer@google.com> | 2019-04-10 12:35:43 -0700 |
---|---|---|
committer | Shentubot <shentubot@google.com> | 2019-04-10 12:36:45 -0700 |
commit | f7aff0aaa4320505933df838cf5b551b69d5e513 (patch) | |
tree | f773a8942f4f025d370ee0d8c0e711944f168f4c /pkg/sentry/syscalls | |
parent | 0a0619216ec9ca96c181dd69d9bf31e7762090cb (diff) |
Allow threads with CAP_SYS_RESOURCE to raise hard rlimits.
PiperOrigin-RevId: 242919489
Change-Id: Ie3267b3bcd8a54b54bc16a6556369a19e843376f
Diffstat (limited to 'pkg/sentry/syscalls')
-rw-r--r-- | pkg/sentry/syscalls/linux/sys_rlimit.go | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/pkg/sentry/syscalls/linux/sys_rlimit.go b/pkg/sentry/syscalls/linux/sys_rlimit.go
index b0b216045..443334693 100644
--- a/pkg/sentry/syscalls/linux/sys_rlimit.go
+++ b/pkg/sentry/syscalls/linux/sys_rlimit.go
@@ -106,7 +106,13 @@ func prlimit64(t *kernel.Task, resource limits.LimitType, newLim *limits.Limit)
 if _, ok := setableLimits[resource]; !ok {
 return limits.Limit{}, syserror.EPERM
 }
- oldLim, err := t.ThreadGroup().Limits().Set(resource, *newLim)
+
+ // "A privileged process (under Linux: one with the CAP_SYS_RESOURCE
+ // capability in the initial user namespace) may make arbitrary changes
+ // to either limit value."
+ privileged := t.HasCapabilityIn(linux.CAP_SYS_RESOURCE, t.Kernel().RootUserNamespace())
+
+ oldLim, err := t.ThreadGroup().Limits().Set(resource, *newLim, privileged)
 if err != nil {
 return limits.Limit{}, err
 } |
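Review bot: `privileged` is derived from `t`, the same task whose thread group's limits are then changed, so the check is only sound while `t` is always the task making the syscall. If prlimit64 is ever called on behalf of another task (its callers are outside this hunk), the target's CAP_SYS_RESOURCE rather than the caller's would decide whether the hard limit can be raised. I would state that precondition next to the check, e.g. `// t must be the calling task; its credentials gate raising the hard limit.`, or take the caller's task as a separate argument. The body of prlimit64 starts before and continues after the hunk.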