-rw-r--r-- | pkg/sentry/kernel/ipc_namespace.go | 2 | ||||
-rw-r--r-- | pkg/sentry/kernel/kernel.go | 5 | ||||
-rw-r--r-- | pkg/sentry/kernel/task_clone.go | 6 |
3 files changed, 13 insertions, 0 deletions
diff --git a/pkg/sentry/kernel/ipc_namespace.go b/pkg/sentry/kernel/ipc_namespace.go
index 11b4545c6..429a4b983 100644
--- a/pkg/sentry/kernel/ipc_namespace.go
+++ b/pkg/sentry/kernel/ipc_namespace.go
@@ -92,6 +92,8 @@ func (i *IPCNamespace) InitPosixQueues(ctx context.Context, vfsObj *vfs.VirtualF
 }

 // PosixQueues returns the posix message queue registry for this namespace.
+//
+// Precondition: i.InitPosixQueues must have been called.
 func (i *IPCNamespace) PosixQueues() *mq.Registry {
 return i.posixQueues
 }
diff --git a/pkg/sentry/kernel/kernel.go b/pkg/sentry/kernel/kernel.go
index 6ce3625d4..04b24369a 100644
--- a/pkg/sentry/kernel/kernel.go
+++ b/pkg/sentry/kernel/kernel.go
@@ -401,6 +401,11 @@ func (k *Kernel) Init(args InitKernelArgs) error {
 return fmt.Errorf("failed to initialize VFS: %v", err)
 }

+ err := k.rootIPCNamespace.InitPosixQueues(ctx, &k.vfs, auth.CredentialsFromContext(ctx))
+ if err != nil {
+ return fmt.Errorf("failed to create mqfs filesystem: %v", err)
+ }
+
 pipeFilesystem, err := pipefs.NewFilesystem(&k.vfs)
 if err != nil {
 return fmt.Errorf("failed to create pipefs filesystem: %v", err)
diff --git a/pkg/sentry/kernel/task_clone.go b/pkg/sentry/kernel/task_clone.go
index 26a981f36..e174913d1 100644
--- a/pkg/sentry/kernel/task_clone.go
+++ b/pkg/sentry/kernel/task_clone.go
@@ -103,6 +103,9 @@ func (t *Task) Clone(args *linux.CloneArgs) (ThreadID, *SyscallControl, error) {
 ipcns := t.IPCNamespace()
 if args.Flags&linux.CLONE_NEWIPC != 0 {
 ipcns = NewIPCNamespace(userns)
+ if VFS2Enabled {
+ ipcns.InitPosixQueues(t, t.k.VFS(), creds)
+ }
 } else {
 ipcns.IncRef()
 }
@@ -464,6 +467,9 @@ func (t *Task) Unshare(flags int32) error {
 // namespace"
 t.ipcns.DecRef(t)
 t.ipcns = NewIPCNamespace(creds.UserNamespace)
+ if VFS2Enabled {
+ t.ipcns.InitPosixQueues(t, t.k.VFS(), creds)
+ }
 }
 var oldFDTable *FDTable
 if flags&linux.CLONE_FILES != 0 { |
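Review bot: The error returned by `InitPosixQueues` is dropped in the `Clone` hunk (`ipcns.InitPosixQueues(t, t.k.VFS(), creds)`), and the identical call in the `Unshare` hunk drops it too, although `Kernel.Init` in this same commit checks it. If initialization fails, the task carries on with an IPC namespace that violates the precondition now documented on `PosixQueues()`, and a later use of the returned registry would presumably hit a nil pointer inside the sentry, a state any workload allowed to create IPC namespaces could reach. In `Clone`, `if err := ipcns.InitPosixQueues(t, t.k.VFS(), creds); err != nil { ipcns.DecRef(t); return 0, nil, err }` would cover it. In `Unshare`, build and initialize the new namespace in a local before `t.ipcns.DecRef(t)` and assign it to `t.ipcns` only on success, so a failure leaves the old namespace in place. Both functions begin and end outside these hunks, so any lock release or other cleanup their error paths need is not visible here and has to be checked against the full bodies.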