Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

apparmor: fix mediation of prlimit

For prlimit apparmor requires that if target confinement does not match
the setting task's confinement, the setting task requires CAP_SYS_RESOURCE.

Unfortunately this was broken when rlimit enforcement was reworked to
support labels.

Fixes: 86b92cb782b3 ("apparmor: move resource checks to using labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>

+1 -1
security/apparmor/resource.c
··· 124 124 */ 125 125 126 126 if (label != peer && 127 - !aa_capable(label, CAP_SYS_RESOURCE, SECURITY_CAP_NOAUDIT)) 127 + aa_capable(label, CAP_SYS_RESOURCE, SECURITY_CAP_NOAUDIT) != 0) 128 128 error = fn_for_each(label, profile, 129 129 audit_resource(profile, resource, 130 130 new_rlim->rlim_max, peer,
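Review bot: The `!= 0` test on the changed line in security/apparmor/resource.c only reads correctly if you already know that aa_capable() returns 0 when the capability is permitted and non-zero when it is denied, which is the opposite of what the name suggests. Since the line being replaced got exactly this wrong with `!aa_capable(...)`, a one-line comment above the `if (label != peer && ...)` condition stating that return convention would help keep the check from being inverted again. It would also be worth a regression test for the case the commit message describes: a task setting limits on a differently confined target without CAP_SYS_RESOURCE should be denied, and with it should be allowed.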