author | John Johansen <john.johansen@canonical.com> | 2018-04-11 05:03:26 -0400 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2018-06-07 04:51:01 -0400 |
commit | 11c92f144bf39f448f65202cccba672097a1100b (patch) | |
tree | 1a436194bef21b5333ca330ff4a6100561d0c710 /security | |
parent | a4c3f89c9b5a9fab5a8e4ea05399acd6e23072df (diff) |
apparmor: fix mediation of prlimit
For prlimit, apparmor requires that if target confinement does not match
the setting task's confinement, the setting task requires CAP_SYS_RESOURCE.
Unfortunately this was broken when rlimit enforcement was reworked to
support labels.
Fixes: 86b92cb782b3 ("apparmor: move resource checks to using labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/apparmor/resource.c | 2 |
1 files changed, 1 insertions, 1 deletions
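--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -124,7 +124,7 @@ int aa_task_setrlimit(struct aa_label *label, struct task_struct *task,
 */
 
 if (label != peer &&
-!aa_capable(label, CAP_SYS_RESOURCE, SECURITY_CAP_NOAUDIT))
+aa_capable(label, CAP_SYS_RESOURCE, SECURITY_CAP_NOAUDIT) != 0)
 error = fn_for_each(label, profile,
 audit_resource(profile, resource,
 new_rlim->rlim_max, peer,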
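Review bot: The corrected test `aa_capable(label, CAP_SYS_RESOURCE, SECURITY_CAP_NOAUDIT) != 0` only reads correctly if you already know that aa_capable() returns 0 when the capability is granted, and nothing at the call site says so. Judging by this fix, that convention is what made the earlier `!aa_capable(...)` form deny capable tasks and let uncapable ones through. A one-line comment above the condition would guard against the same inversion returning, for example `/* aa_capable() returns 0 if allowed; non-zero means label lacks CAP_SYS_RESOURCE */`. The `if` also guards a multi-line `error = fn_for_each(...)` statement without braces, which makes it easy to misread what the capability check covers. aa_task_setrlimit starts before and continues after this hunk, so how `error` is used afterwards is not visible here.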