1 files changed, 24 insertions, 0 deletions

diff --git a/usr/src/uts/common/os/exit.c b/usr/src/uts/common/os/exit.c
index 5563c0f4ab..46e588c926 100644
--- a/usr/src/uts/common/os/exit.c
+++ b/usr/src/uts/common/os/exit.c
@@ -23,6 +23,7 @@
  * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
  * Copyright 2018 Joyent, Inc.
  * Copyright 2020 Oxide Computer Company
+ * Copyright 2021 OmniOS Community Edition (OmniOSce) Association.
  */
 
 /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
@@ -178,6 +179,7 @@ restart_init(int what, int why)
 	kthread_t *t = curthread;
 	klwp_t *lwp = ttolwp(t);
 	proc_t *p = ttoproc(t);
+	proc_t *pp = p->p_zone->zone_zsched;
 	user_t *up = PTOU(p);
 
 	vnode_t *oldcd, *oldrd;
@@ -272,6 +274,11 @@ restart_init(int what, int why)
 		up->u_cwd = NULL;
 	}
 
+	/* Reset security flags */
+	mutex_enter(&pp->p_lock);
+	p->p_secflags = pp->p_secflags;
+	mutex_exit(&pp->p_lock);
+
 	mutex_exit(&p->p_lock);
 
 	if (oldrd != NULL)
@@ -279,6 +286,23 @@ restart_init(int what, int why)
 	if (oldcd != NULL)
 		VN_RELE(oldcd);
 
+	/*
+	 * It's possible that a zone's init will have become privilege aware
+	 * and modified privilege sets; reset them.
+	 */
+	cred_t *oldcr, *newcr;
+
+	mutex_enter(&p->p_crlock);
+	oldcr = p->p_cred;
+	mutex_enter(&pp->p_crlock);
+	crhold(newcr = p->p_cred = pp->p_cred);
+	mutex_exit(&pp->p_crlock);
+	mutex_exit(&p->p_crlock);
+	crfree(oldcr);
+	/* Additional hold for the current thread - expected by crset() */
+	crhold(newcr);
+	crset(p, newcr);
+
 	/* Free the controlling tty.  (freectty() always assumes curproc.) */
 	ASSERT(p == curproc);
 	(void) freectty(B_TRUE);