authorgVisor bot <gvisor-bot@google.com>2021-02-04 06:49:28 +0000
committergVisor bot <gvisor-bot@google.com>2021-02-04 06:49:28 +0000
commite0e83d6055eafbdd2956290a67b75fe57ce38e84 (patch)
treec6b9565c304a49bb50d7022aeeaffde226881b8b /pkg/sentry/vfs
parent95371271f68597001f9c38f2a09c7483f7340a14 (diff)
parentf2c881f68498b542f21288559e3cb218673484f0 (diff)
Merge release-20210125.0-79-gf2c881f68 (automated)
Diffstat (limited to 'pkg/sentry/vfs')
-rw-r--r--pkg/sentry/vfs/permissions.go6
1 files changed, 4 insertions, 2 deletions
diff --git a/pkg/sentry/vfs/permissions.go b/pkg/sentry/vfs/permissions.go
index d48520d58..db6146fd2 100644
--- a/pkg/sentry/vfs/permissions.go
+++ b/pkg/sentry/vfs/permissions.go
@@ -243,11 +243,13 @@ func CheckSetStat(ctx context.Context, creds *auth.Credentials, opts *SetStatOpt
// the given file mode, and if so, checks whether creds has permission to
// remove a file owned by childKUID from a directory with the given mode.
// CheckDeleteSticky is consistent with fs/linux.h:check_sticky().
-func CheckDeleteSticky(creds *auth.Credentials, parentMode linux.FileMode, childKUID auth.KUID) error {
+func CheckDeleteSticky(creds *auth.Credentials, parentMode linux.FileMode, parentKUID auth.KUID, childKUID auth.KUID, childKGID auth.KGID) error {
if parentMode&linux.ModeSticky == 0 {
return nil
}
- if CanActAsOwner(creds, childKUID) {
+ if creds.EffectiveKUID == childKUID ||
+ creds.EffectiveKUID == parentKUID ||
+ HasCapabilityOnFile(creds, linux.CAP_FOWNER, childKUID, childKGID) {
return nil
}
return syserror.EPERM
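Review bot: The doc comment above CheckDeleteSticky still describes only childKUID, but the new signature also takes parentKUID and childKGID, and the body now permits the delete when creds.EffectiveKUID owns the parent directory. I would extend the comment with something like `// Deletion is permitted if creds' effective KUID owns the child or the parent directory, or if creds has CAP_FOWNER on the child (childKUID/childKGID).` Because parentKUID and childKUID are adjacent parameters of the same type, a call site that swaps them still compiles; the two equality tests are unaffected, but HasCapabilityOnFile would then be evaluated against the directory owner instead of the file owner. The parameter order is therefore worth stating in the comment and verifying at each caller. The comment begins above this hunk and the function's closing brace lies below it.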