Patchwork [09/13] AppArmor: Relax the restrictions on setting rlimits

login
register
mail settings
Submitter John Johansen
Date Aug. 11, 2011, 5:02 a.m.
Message ID <1313038967-19941-10-git-send-email-john.johansen@canonical.com>
Download mbox | patch
Permalink /patch/109526/
State New
Headers show

Comments

John Johansen - Aug. 11, 2011, 5:02 a.m.
Instead of limiting the setting of the processes limits to current,
relax this to tasks confined by the same profile, as the apparmor
controls for rlimits are at a profile level granularity.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
 security/apparmor/resource.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

Patch

diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index a4136c1..c0fa2b4 100644
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -15,6 +15,7 @@ 
 #include <linux/audit.h>
 
 #include "include/audit.h"
+#include "include/context.h"
 #include "include/resource.h"
 #include "include/policy.h"
 
@@ -83,17 +84,21 @@  int aa_map_resource(int resource)
 int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
 		      unsigned int resource, struct rlimit *new_rlim)
 {
+	struct aa_profile *task_profile = aa_get_task_profile(task);
 	int error = 0;
 
 	/* TODO: extend resource control to handle other (non current)
-	 * processes.  AppArmor rules currently have the implicit assumption
-	 * that the task is setting the resource of the current process
+	 * profiles.  AppArmor rules currently have the implicit assumption
+	 * that the task is setting the resource of a task confined with
+	 * the same profile.
 	 */
-	if ((task != current->group_leader) ||
+	if (profile != task_profile ||
 	    (profile->rlimits.mask & (1 << resource) &&
 	     new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
 		error = -EACCES;
 
+	aa_put_profile(task_profile);
+
 	return audit_resource(profile, resource, new_rlim->rlim_max, error);
 }