-rw-r--r-- | pkg/sentry/control/proc.go | 9 | ||||
-rw-r--r-- | runsc/boot/loader.go | 7 |
2 files changed, 14 insertions, 2 deletions
diff --git a/pkg/sentry/control/proc.go b/pkg/sentry/control/proc.go
index 367849e75..221e98a01 100644
--- a/pkg/sentry/control/proc.go
+++ b/pkg/sentry/control/proc.go
@@ -99,6 +99,9 @@ type ExecArgs struct {
 // PIDNamespace is the pid namespace for the process being executed.
 PIDNamespace *kernel.PIDNamespace
+
+ // Limits is the limit set for the process being executed.
+ Limits *limits.LimitSet
 }
 // String prints the arguments as a string.
@@ -151,6 +154,10 @@ func (proc *Proc) execAsync(args *ExecArgs) (*kernel.ThreadGroup, kernel.ThreadI
 if pidns == nil {
 pidns = proc.Kernel.RootPIDNamespace()
 }
+ limitSet := args.Limits
+ if limitSet == nil {
+ limitSet = limits.NewLimitSet()
+ }
 initArgs := kernel.CreateProcessArgs{
 Filename: args.Filename,
 Argv: args.Argv,
@@ -161,7 +168,7 @@ func (proc *Proc) execAsync(args *ExecArgs) (*kernel.ThreadGroup, kernel.ThreadI
 Credentials: creds,
 FDTable: fdTable,
 Umask: 0022,
- Limits: limits.NewLimitSet(),
+ Limits: limitSet,
 MaxSymlinkTraversals: linux.MaxSymlinkTraversals,
 UTSNamespace: proc.Kernel.RootUTSNamespace(),
 IPCNamespace: proc.Kernel.RootIPCNamespace(),
diff --git a/runsc/boot/loader.go b/runsc/boot/loader.go
index 111d30154..ad4d50008 100644
--- a/runsc/boot/loader.go
+++ b/runsc/boot/loader.go
@@ -963,10 +963,15 @@ func (l *Loader) executeAsync(args *control.ExecArgs) (kernel.ThreadID, error) {
 }
 args.Envv = envv
 }
+ args.PIDNamespace = tg.PIDNamespace()
+
+ args.Limits, err = createLimitSet(l.root.spec)
+ if err != nil {
+ return 0, fmt.Errorf("creating limits: %w", err)
+ }
 // Start the process.
 proc := control.Proc{Kernel: l.k}
- args.PIDNamespace = tg.PIDNamespace()
 newTG, tgid, ttyFile, ttyFileVFS2, err := control.ExecAsync(&proc, args)
 if err != nil {
 return 0, err |
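Review bot: The new comment on `Limits` in ExecArgs does not say what a nil value means, and the fallback added in the first execAsync hunk substitutes `limits.NewLimitSet()` without any signal. A caller that forgets to populate the field therefore keeps the pre-change behaviour, presumably a default set that does not reflect the container's configured rlimits. I would state that on the field, e.g. `// Limits is the limit set for the process being executed. If nil, a default limit set is used instead of the container's configured limits.` The ExecArgs struct begins outside the hunk.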
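Review bot: `limitSet` is handed to `kernel.CreateProcessArgs` by pointer with no copy, so from the first execAsync hunk on the new process and the caller's ExecArgs refer to the same LimitSet. If a LimitSet can be modified after process creation (not visible here), reusing one ExecArgs or one LimitSet for several execs would let a limit change in one process show up in the others. The loader.go caller in this commit builds a fresh set per call, so this is a contract to document rather than a live bug: `// args.Limits is used as-is, not copied; callers must pass a LimitSet that no other process shares.` execAsync starts and ends outside the hunk.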
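Review bot: `createLimitSet(l.root.spec)` in executeAsync always reads the root container's spec, while `tg` on the line above it appears to belong to the container being exec'd into (its lookup is outside the hunk). In a sandbox that hosts more than one container, an exec into a non-root container would then receive the root container's rlimits rather than its own, and those may be looser. If that is intended, say so next to the call, e.g. `// Limits are taken from the root container's spec for every exec, including execs into other containers.`; otherwise derive the set from the target container. The assignment also overwrites any `args.Limits` the caller supplied.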