summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/syscalls
diff options
context:
space:
mode:
authorKevin Krakauer <krakauer@google.com>2019-04-10 12:35:43 -0700
committerShentubot <shentubot@google.com>2019-04-10 12:36:45 -0700
commitf7aff0aaa4320505933df838cf5b551b69d5e513 (patch)
treef773a8942f4f025d370ee0d8c0e711944f168f4c /pkg/sentry/syscalls
parent0a0619216ec9ca96c181dd69d9bf31e7762090cb (diff)
Allow threads with CAP_SYS_RESOURCE to raise hard rlimits.
PiperOrigin-RevId: 242919489 Change-Id: Ie3267b3bcd8a54b54bc16a6556369a19e843376f
Diffstat (limited to 'pkg/sentry/syscalls')
-rw-r--r--pkg/sentry/syscalls/linux/sys_rlimit.go8
1 files changed, 7 insertions, 1 deletions
diff --git a/pkg/sentry/syscalls/linux/sys_rlimit.go b/pkg/sentry/syscalls/linux/sys_rlimit.go
index b0b216045..443334693 100644
--- a/pkg/sentry/syscalls/linux/sys_rlimit.go
+++ b/pkg/sentry/syscalls/linux/sys_rlimit.go
@@ -106,7 +106,13 @@ func prlimit64(t *kernel.Task, resource limits.LimitType, newLim *limits.Limit)
if _, ok := setableLimits[resource]; !ok {
return limits.Limit{}, syserror.EPERM
}
- oldLim, err := t.ThreadGroup().Limits().Set(resource, *newLim)
+
+ // "A privileged process (under Linux: one with the CAP_SYS_RESOURCE
+ // capability in the initial user namespace) may make arbitrary changes
+ // to either limit value."
+ privileged := t.HasCapabilityIn(linux.CAP_SYS_RESOURCE, t.Kernel().RootUserNamespace())
+
+ oldLim, err := t.ThreadGroup().Limits().Set(resource, *newLim, privileged)
if err != nil {
return limits.Limit{}, err
}