From 06131fe749e3715534f9d551528d89048ae1398b Mon Sep 17 00:00:00 2001
From: Zach Koopmans <zkoopmans@google.com>
Date: Wed, 5 Dec 2018 10:52:44 -0800
Subject: Check for CAP_SYS_RESOURCE in prctl(PR_SET_MM, ...)

If sys_prctl is called with PR_SET_MM without CAP_SYS_RESOURCE,
the syscall should return failure with errno set to EPERM.
See: http://man7.org/linux/man-pages/man2/prctl.2.html
PiperOrigin-RevId: 224182874
Change-Id: I630d1dd44af8b444dd16e8e58a0764a0cf1ad9a3
---
 pkg/sentry/syscalls/linux/sys_prctl.go | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'pkg/sentry')

diff --git a/pkg/sentry/syscalls/linux/sys_prctl.go b/pkg/sentry/syscalls/linux/sys_prctl.go
index 91e852049..4938f27bd 100644
--- a/pkg/sentry/syscalls/linux/sys_prctl.go
+++ b/pkg/sentry/syscalls/linux/sys_prctl.go
@@ -87,6 +87,10 @@ func Prctl(t *kernel.Task, args arch.SyscallArguments) (uintptr, *kernel.Syscall
 		}
 
 	case linux.PR_SET_MM:
+		if !t.HasCapability(linux.CAP_SYS_RESOURCE) {
+			return 0, nil, syscall.EPERM
+		}
+
 		switch args[1].Int() {
 		case linux.PR_SET_MM_EXE_FILE:
 			fd := kdefs.FD(args[2].Int())
-- 
cgit v1.2.3