From 064fda1a759fa3e73d25da3fd535d256ac8ccfb0 Mon Sep 17 00:00:00 2001 From: Andrei Vagin Date: Wed, 20 Mar 2019 18:39:57 -0700 Subject: gvisor: don't allocate a new credential object on fork A credential object is immutable, so we don't need to copy it for a new task. PiperOrigin-RevId: 239519266 Change-Id: I0632f641fdea9554779ac25d84bee4231d0d18f2 --- pkg/sentry/kernel/task_clone.go | 2 +- pkg/sentry/kernel/task_identity.go | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) (limited to 'pkg/sentry/kernel') diff --git a/pkg/sentry/kernel/task_clone.go b/pkg/sentry/kernel/task_clone.go index 114e7f858..daf974920 100644 --- a/pkg/sentry/kernel/task_clone.go +++ b/pkg/sentry/kernel/task_clone.go @@ -252,7 +252,7 @@ func (t *Task) Clone(opts *CloneOptions) (ThreadID, *SyscallControl, error) { TaskContext: tc, FSContext: fsc, FDMap: fds, - Credentials: creds.Fork(), + Credentials: creds, Niceness: t.Niceness(), NetworkNamespaced: t.netns, AllowedCPUMask: t.CPUMask(), diff --git a/pkg/sentry/kernel/task_identity.go b/pkg/sentry/kernel/task_identity.go index 8f90ed786..e105eba13 100644 --- a/pkg/sentry/kernel/task_identity.go +++ b/pkg/sentry/kernel/task_identity.go @@ -372,6 +372,7 @@ func (t *Task) DropBoundingCapability(cp linux.Capability) error { if !t.creds.HasCapability(linux.CAP_SETPCAP) { return syserror.EPERM } + t.creds = t.creds.Fork() // See doc for creds. t.creds.BoundingCaps &^= auth.CapabilitySetOf(cp) return nil } -- cgit v1.2.3