From bb94c3575c0ee3eee68da896d824a1c0ee750d90 Mon Sep 17 00:00:00 2001
From: Daniel Canter
Date: Wed, 24 Mar 2021 17:02:57 -0700
Subject: [PATCH] Set CREATE_BREAKAWAY_FROM_JOB flag for job container processes

We don't want to inherit the job object of whatever process is running the job container code (the containerd-shim generally but this would apply for any process). Set the CREATE_BREAKAWAY_FROM_JOB flag on job container processes to prevent this from happening. The job object itself will also need to have the JOB_OBJECT_LIMIT_BREAKAWAY_OK limit set for this to take affect.

Signed-off-by: Daniel Canter
---
 internal/jobcontainers/jobcontainer.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/internal/jobcontainers/jobcontainer.go b/internal/jobcontainers/jobcontainer.go
index c4f589357b..2492b19ef9 100644
--- a/internal/jobcontainers/jobcontainer.go
+++ b/internal/jobcontainers/jobcontainer.go
@@ -218,7 +218,9 @@ func (c *JobContainer) CreateProcess(ctx context.Context, config interface{}) (_
 Path: absPath,
 Args: splitArgs(commandLine),
 SysProcAttr: &syscall.SysProcAttr{
- CreationFlags: windows.CREATE_NEW_PROCESS_GROUP,
+ // CREATE_BREAKAWAY_FROM_JOB to make sure that we're not inheriting the job object (and by extension its limits)
+ // from whatever process is running this code.
+ CreationFlags: windows.CREATE_NEW_PROCESS_GROUP | windows.CREATE_BREAKAWAY_FROM_JOB,
 Token: syscall.Token(token),
 },
 }
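Review bot: The new CreationFlags line makes process creation depend on a precondition the hunk neither checks nor documents in code: CREATE_BREAKAWAY_FROM_JOB is only honoured when the job the calling process belongs to allows breakaway (JOB_OBJECT_LIMIT_BREAKAWAY_OK, as the commit description notes), and otherwise the Windows CreateProcess call fails with ERROR_ACCESS_DENIED, which will surface here as an opaque start error. The added comment explains the intent but not this failure mode, so I would extend it with `// Requires the caller's job (if any) to set JOB_OBJECT_LIMIT_BREAKAWAY_OK; otherwise CreateProcess fails with ERROR_ACCESS_DENIED.` and, if the job object is configured in this package, set or verify that limit in the same change so the two cannot drift apart. Breaking away also means the child starts with none of the parent's job limits, so it matters that it is placed in the container's own job object before it is allowed to run; that presumably happens later in CreateProcess, which continues outside this hunk, and is worth a one-line note next to the flag.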