From f7aff0aaa4320505933df838cf5b551b69d5e513 Mon Sep 17 00:00:00 2001
From: Kevin Krakauer
Date: Wed, 10 Apr 2019 12:35:43 -0700
Subject: Allow threads with CAP_SYS_RESOURCE to raise hard rlimits.

PiperOrigin-RevId: 242919489
Change-Id: Ie3267b3bcd8a54b54bc16a6556369a19e843376f
---
 pkg/sentry/limits/limits.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'pkg/sentry/limits/limits.go')

diff --git a/pkg/sentry/limits/limits.go b/pkg/sentry/limits/limits.go
index eeca01876..b0571739f 100644
--- a/pkg/sentry/limits/limits.go
+++ b/pkg/sentry/limits/limits.go
@@ -113,13 +113,17 @@ func (l *LimitSet) SetUnchecked(t LimitType, v Limit) {
 }
 
 // Set assigns value v to resource of LimitType t and returns the old value.
-func (l *LimitSet) Set(t LimitType, v Limit) (Limit, error) {
+// privileged should be true only when either the caller has CAP_SYS_RESOURCE
+// or when creating limits for a new kernel.
+func (l *LimitSet) Set(t LimitType, v Limit, privileged bool) (Limit, error) {
 	l.mu.Lock()
 	defer l.mu.Unlock()
+
 	// If a limit is already set, make sure the new limit doesn't
 	// exceed the previous max limit.
 	if _, ok := l.data[t]; ok {
-		if l.data[t].Max < v.Max {
+		// Unprivileged users can only lower their hard limits.
+		if l.data[t].Max < v.Max && !privileged {
 			return Limit{}, syscall.EPERM
 		}
 		if v.Cur > v.Max {
-- 
cgit v1.2.3
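Review bot: The new `privileged` parameter makes Set trust a capability decision made elsewhere, but the added doc comment does not say which check the caller must have performed, so a caller could pass `true` from a check scoped to a child user namespace and let an unprivileged task raise its hard limit; if the sentry mirrors Linux, raising rlim_max requires CAP_SYS_RESOURCE in the initial user namespace. I would make the contract explicit on the signature: `// privileged must be the result of the caller's CAP_SYS_RESOURCE check; only then may v.Max exceed the current hard limit.` The second half of the comment ("creating limits for a new kernel") seems better served by pointing at SetUnchecked, which the hunk header shows already exists for the unchecked path. Note also that the EPERM gate only applies when `l.data[t]` already exists, so a first-time Set accepts any v.Max regardless of `privileged`; that is pre-existing, but now that `privileged` reads as the only gate it deserves a comment. Set's body continues past the end of the hunk.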