Merge branch 'tip/perf/core' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-2.6-trace into perf/core

1 files changed, 12 insertions, 8 deletions

diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index 4a368f1fd36d..a4136c10b1c6 100644
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -72,6 +72,7 @@ int aa_map_resource(int resource)
 /**
  * aa_task_setrlimit - test permission to set an rlimit
  * @profile - profile confining the task  (NOT NULL)
+ * @task - task the resource is being set on
  * @resource - the resource being set
  * @new_rlim - the new resource limit  (NOT NULL)
  *
@@ -79,18 +80,21 @@ int aa_map_resource(int resource)
  *
  * Returns: 0 or error code if setting resource failed
  */
-int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
-                      struct rlimit *new_rlim)
+int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
+                      unsigned int resource, struct rlimit *new_rlim)
 {
         int error = 0;
 
-        if (profile->rlimits.mask & (1 << resource) &&
-            new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max)
-
-                error = audit_resource(profile, resource, new_rlim->rlim_max,
-                        -EACCES);
+        /* TODO: extend resource control to handle other (non current)
+         * processes.  AppArmor rules currently have the implicit assumption
+         * that the task is setting the resource of the current process
+         */
+        if ((task != current->group_leader) ||
+            (profile->rlimits.mask & (1 << resource) &&
+             new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
+                error = -EACCES;
 
-        return error;
+        return audit_resource(profile, resource, new_rlim->rlim_max, error);
 }
 
 /**