summaryrefslogtreecommitdiffhomepage
path: root/pkg/sentry/kernel/task_clone.go
diff options
context:
space:
mode:
Diffstat (limited to 'pkg/sentry/kernel/task_clone.go')
-rw-r--r--pkg/sentry/kernel/task_clone.go5
1 files changed, 4 insertions, 1 deletions
diff --git a/pkg/sentry/kernel/task_clone.go b/pkg/sentry/kernel/task_clone.go
index a61283267..3b77a4965 100644
--- a/pkg/sentry/kernel/task_clone.go
+++ b/pkg/sentry/kernel/task_clone.go
@@ -280,7 +280,10 @@ func (t *Task) Clone(opts *CloneOptions) (ThreadID, *SyscallControl, error) {
// "If fork/clone and execve are allowed by @prog, any child processes will
// be constrained to the same filters and system call ABI as the parent." -
// Documentation/prctl/seccomp_filter.txt
- nt.syscallFilters = append([]bpf.Program(nil), t.syscallFilters...)
+ if f := t.syscallFilters.Load(); f != nil {
+ copiedFilters := append([]bpf.Program(nil), f.([]bpf.Program)...)
+ nt.syscallFilters.Store(copiedFilters)
+ }
if opts.Vfork {
nt.vforkParent = t
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-02 00:35:59 +0000