1 files changed, 17 insertions, 6 deletions

diff --git a/pkg/sentry/kernel/thread_group.go b/pkg/sentry/kernel/thread_group.go
index 8bd53928e..2a97e3e8e 100644
--- a/pkg/sentry/kernel/thread_group.go
+++ b/pkg/sentry/kernel/thread_group.go
@@ -18,10 +18,11 @@ import (
 	"sync"
 	"sync/atomic"
 
-	"gvisor.googlesource.com/gvisor/pkg/abi/linux"
-	ktime "gvisor.googlesource.com/gvisor/pkg/sentry/kernel/time"
-	"gvisor.googlesource.com/gvisor/pkg/sentry/limits"
-	"gvisor.googlesource.com/gvisor/pkg/sentry/usage"
+	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/sentry/fs"
+	ktime "gvisor.dev/gvisor/pkg/sentry/kernel/time"
+	"gvisor.dev/gvisor/pkg/sentry/limits"
+	"gvisor.dev/gvisor/pkg/sentry/usage"
 )
 
 // A ThreadGroup is a logical grouping of tasks that has widespread
@@ -236,13 +237,21 @@ type ThreadGroup struct {
 
 	// rscr is the thread group's RSEQ critical region.
 	rscr atomic.Value `state:".(*RSEQCriticalRegion)"`
+
+	// mounts is the thread group's mount namespace. This does not really
+	// correspond to a "mount namespace" in Linux, but is more like a
+	// complete VFS that need not be shared between processes. See the
+	// comment in mounts.go  for more information.
+	//
+	// mounts is immutable.
+	mounts *fs.MountNamespace
 }
 
 // newThreadGroup returns a new, empty thread group in PID namespace ns. The
 // thread group leader will send its parent terminationSignal when it exits.
 // The new thread group isn't visible to the system until a task has been
 // created inside of it by a successful call to TaskSet.NewTask.
-func (k *Kernel) newThreadGroup(ns *PIDNamespace, sh *SignalHandlers, terminationSignal linux.Signal, limits *limits.LimitSet, monotonicClock *timekeeperClock) *ThreadGroup {
+func (k *Kernel) newThreadGroup(mounts *fs.MountNamespace, ns *PIDNamespace, sh *SignalHandlers, terminationSignal linux.Signal, limits *limits.LimitSet, monotonicClock *timekeeperClock) *ThreadGroup {
 	tg := &ThreadGroup{
 		threadGroupNode: threadGroupNode{
 			pidns: ns,
@@ -251,6 +260,7 @@ func (k *Kernel) newThreadGroup(ns *PIDNamespace, sh *SignalHandlers, terminatio
 		terminationSignal: terminationSignal,
 		ioUsage:           &usage.IO{},
 		limits:            limits,
+		mounts:            mounts,
 	}
 	tg.itimerRealTimer = ktime.NewTimer(k.monotonicClock, &itimerRealListener{tg: tg})
 	tg.timers = make(map[linux.TimerID]*IntervalTimer)
@@ -258,7 +268,7 @@ func (k *Kernel) newThreadGroup(ns *PIDNamespace, sh *SignalHandlers, terminatio
 	return tg
 }
 
-// saveRscr is invopked by stateify.
+// saveRscr is invoked by stateify.
 func (tg *ThreadGroup) saveRscr() *RSEQCriticalRegion {
 	return tg.rscr.Load().(*RSEQCriticalRegion)
 }
@@ -298,6 +308,7 @@ func (tg *ThreadGroup) release() {
 	for _, it := range its {
 		it.DestroyTimer()
 	}
+	tg.mounts.DecRef()
 }
 
 // forEachChildThreadGroupLocked indicates over all child ThreadGroups.