3 files changed, 15 insertions, 11 deletions
diff --git a/security/apparmor/include/resource.h b/security/apparmor/include/resource.h
index 3c88be946494..02baec732bb5 100644
--- a/security/apparmor/include/resource.h
+++ b/security/apparmor/include/resource.h
@@ -33,8 +33,8 @@ struct aa_rlimit {
 };
 int aa_map_resource(int resource);
-int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
+int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *,
-                      struct rlimit *new_rlim);
+                      unsigned int resource, struct rlimit *new_rlim);
 void __aa_transition_rlimits(struct aa_profile *old, struct aa_profile *new);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index f73e2c204218..cf1de4462ccd 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -614,7 +614,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
        int error = 0;
        if (!unconfined(profile))
-                error = aa_task_setrlimit(profile, resource, new_rlim);
+                error = aa_task_setrlimit(profile, task, resource, new_rlim);
        return error;
 }
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index 4a368f1fd36d..a4136c10b1c6 100644
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -72,6 +72,7 @@ int aa_map_resource(int resource)
 /**
 * aa_task_setrlimit - test permission to set an rlimit
 * @profile - profile confining the task  (NOT NULL)
+ * @task - task the resource is being set on
 * @resource - the resource being set
 * @new_rlim - the new resource limit  (NOT NULL)
 *
@@ -79,18 +80,21 @@ int aa_map_resource(int resource)
 *
 * Returns: 0 or error code if setting resource failed
 */
-int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
+int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
-                      struct rlimit *new_rlim)
+                      unsigned int resource, struct rlimit *new_rlim)
 {
        int error = 0;
-        if (profile->rlimits.mask & (1 << resource) &&
+        /* TODO: extend resource control to handle other (non current)
-            new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max)
+         * processes.  AppArmor rules currently have the implicit assumption
+         * that the task is setting the resource of the current process
-                error = audit_resource(profile, resource, new_rlim->rlim_max,
+         */
-                        -EACCES);
+        if ((task != current->group_leader) ||
+            (profile->rlimits.mask & (1 << resource) &&
+             new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
+                error = -EACCES;
-        return error;
+        return audit_resource(profile, resource, new_rlim->rlim_max, error);
 }
 /**

diff --git a/security/apparmor/include/resource.h b/security/apparmor/include/resource.h index 3c88be946494..02baec732bb5 100644 --- a/security/apparmor/include/resource.h +++ b/security/apparmor/include/resource.h
@@ -33,8 +33,8 @@ struct aa_rlimit {
33	};	33	};
34		34
35	int aa_map_resource(int resource);	35	int aa_map_resource(int resource);
36	int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,	36	int aa_task_setrlimit(struct aa_profile profile, struct task_struct ,
37	struct rlimit *new_rlim);	37	unsigned int resource, struct rlimit *new_rlim);
38		38
39	void __aa_transition_rlimits(struct aa_profile old, struct aa_profile new);	39	void __aa_transition_rlimits(struct aa_profile old, struct aa_profile new);
40		40


diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index f73e2c204218..cf1de4462ccd 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c
@@ -614,7 +614,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
614	int error = 0;	614	int error = 0;
615		615
616	if (!unconfined(profile))	616	if (!unconfined(profile))
617	error = aa_task_setrlimit(profile, resource, new_rlim);	617	error = aa_task_setrlimit(profile, task, resource, new_rlim);
618		618
619	return error;	619	return error;
620	}	620	}


diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c index 4a368f1fd36d..a4136c10b1c6 100644 --- a/security/apparmor/resource.c +++ b/security/apparmor/resource.c
@@ -72,6 +72,7 @@ int aa_map_resource(int resource)
72	/**	72	/**
73	* aa_task_setrlimit - test permission to set an rlimit	73	* aa_task_setrlimit - test permission to set an rlimit
74	* @profile - profile confining the task (NOT NULL)	74	* @profile - profile confining the task (NOT NULL)
		75	* @task - task the resource is being set on
75	* @resource - the resource being set	76	* @resource - the resource being set
76	* @new_rlim - the new resource limit (NOT NULL)	77	* @new_rlim - the new resource limit (NOT NULL)
77	*	78	*
@@ -79,18 +80,21 @@ int aa_map_resource(int resource)
79	*	80	*
80	* Returns: 0 or error code if setting resource failed	81	* Returns: 0 or error code if setting resource failed
81	*/	82	*/
82	int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,	83	int aa_task_setrlimit(struct aa_profile profile, struct task_struct task,
83	struct rlimit *new_rlim)	84	unsigned int resource, struct rlimit *new_rlim)
84	{	85	{
85	int error = 0;	86	int error = 0;
86		87
87	if (profile->rlimits.mask & (1 << resource) &&	88	/* TODO: extend resource control to handle other (non current)
88	new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max)	89	* processes. AppArmor rules currently have the implicit assumption
89		90	* that the task is setting the resource of the current process
90	error = audit_resource(profile, resource, new_rlim->rlim_max,	91	*/
91	-EACCES);	92	if ((task != current->group_leader) \|\|
		93	(profile->rlimits.mask & (1 << resource) &&
		94	new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
		95	error = -EACCES;
92		96
93	return error;	97	return audit_resource(profile, resource, new_rlim->rlim_max, error);
94	}	98	}
95		99
96	/**	100	/**