-rw-r--r-- | pkg/sentry/syscalls/linux/sys_prctl.go | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/pkg/sentry/syscalls/linux/sys_prctl.go b/pkg/sentry/syscalls/linux/sys_prctl.go
index 91e852049..4938f27bd 100644
--- a/pkg/sentry/syscalls/linux/sys_prctl.go
+++ b/pkg/sentry/syscalls/linux/sys_prctl.go
@@ -87,6 +87,10 @@ func Prctl(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscall
 }
 case linux.PR_SET_MM:
+ if !t.HasCapability(linux.CAP_SYS_RESOURCE) {
+ return 0, nil, syscall.EPERM
+ }
+
 switch args[1].Int() {
 case linux.PR_SET_MM_EXE_FILE:
 fd := kdefs.FD(args[2].Int()) |
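Review bot: The `t.HasCapability(linux.CAP_SYS_RESOURCE)` guard added under `case linux.PR_SET_MM:` leaves open which user namespace the capability is checked in, and that determines how strong the gate is. If `HasCapability` evaluates against the task's own user namespace (its definition is not visible in this hunk), a task that holds the capability only inside a nested namespace would pass, whereas Linux's `prctl_set_mm` uses `capable()`, which checks against the initial namespace. Please confirm which scope is intended and record it next to the check, for example `// All PR_SET_MM operations require CAP_SYS_RESOURCE, as in Linux's prctl_set_mm().` A syscall test that issues `prctl(PR_SET_MM, ...)` without the capability and expects `EPERM` would keep the gate from regressing. Prctl's body starts and ends outside the hunk, so the other `PR_SET_MM` sub-cases that now sit behind this check cannot be reviewed from here.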