Diffstat (limited to 'pkg/sentry/limits/limits.go')
-rw-r--r--pkg/sentry/limits/limits.go8
1 files changed, 6 insertions, 2 deletions
diff --git a/pkg/sentry/limits/limits.go b/pkg/sentry/limits/limits.go
index eeca01876..b0571739f 100644
--- a/pkg/sentry/limits/limits.go
+++ b/pkg/sentry/limits/limits.go
@@ -113,13 +113,17 @@ func (l *LimitSet) SetUnchecked(t LimitType, v Limit) {
}
// Set assigns value v to resource of LimitType t and returns the old value.
-func (l *LimitSet) Set(t LimitType, v Limit) (Limit, error) {
+// privileged should be true only when either the caller has CAP_SYS_RESOURCE
+// or when creating limits for a new kernel.
+func (l *LimitSet) Set(t LimitType, v Limit, privileged bool) (Limit, error) {
l.mu.Lock()
defer l.mu.Unlock()
+
// If a limit is already set, make sure the new limit doesn't
// exceed the previous max limit.
if _, ok := l.data[t]; ok {
- if l.data[t].Max < v.Max {
+ // Unprivileged users can only lower their hard limits.
+ if l.data[t].Max < v.Max && !privileged {
return Limit{}, syscall.EPERM
}
if v.Cur > v.Max {
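Review bot: The new condition `l.data[t].Max < v.Max && !privileged` makes the hard-limit ceiling depend entirely on a flag the caller supplies, and Set has no way to check that the flag reflects a real CAP_SYS_RESOURCE decision. The call sites are not part of this diff, so whether each one derives the flag from a capability check cannot be confirmed here. A bare `true` at a call site would silently let any task raise its own hard limit. The doc comment should state that contract explicitly, for example `// Set performs no capability check itself: callers on a syscall path must compute privileged from the calling task's credentials and must never pass a constant true.`, and should also mention that EPERM is returned when an unprivileged caller tries to raise Max. The body of Set continues past the end of this hunk, so the handling after `if v.Cur > v.Max {` is not visible.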