Diffstat (limited to 'security/apparmor/resource.c')
-rw-r--r--security/apparmor/resource.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index e1f3d7ef2c54..748bf0ca6c9f 100644
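--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -15,6 +15,7 @@
 #include <linux/audit.h>
 
 #include "include/audit.h"
+#include "include/context.h"
 #include "include/resource.h"
 #include "include/policy.h"
 
@@ -90,17 +91,25 @@ int aa_map_resource(int resource)
 int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
  unsigned int resource, struct rlimit *new_rlim)
 {
+ struct aa_profile *task_profile;
  int error = 0;
 
+ rcu_read_lock();
+ task_profile = aa_get_profile(aa_cred_profile(__task_cred(task)));
+ rcu_read_unlock();
+
  /* TODO: extend resource control to handle other (non current)
- * processes. AppArmor rules currently have the implicit assumption
- * that the task is setting the resource of the current process
+ * profiles. AppArmor rules currently have the implicit assumption
+ * that the task is setting the resource of a task confined with
+ * the same profile.
  */
- if ((task != current->group_leader) ||
+ if (profile != task_profile ||
  (profile->rlimits.mask & (1 << resource) &&
  new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
  error = -EACCES;
 
+ aa_put_profile(task_profile);
+
  return audit_resource(profile, resource, new_rlim->rlim_max, error);
 }
 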
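Review bot: The new test `profile != task_profile` in aa_task_setrlimit compares profile pointers, so "confined with the same profile" here means the same object rather than the same policy name. If a profile can be replaced while a task still holds a reference to the older version (not visible in this hunk), caller and target would get -EACCES even though both run under the same policy; it is worth confirming whether the comparison should be made on the newest version of each profile, and recording the decision in the comment, e.g. `* NOTE: identity compare; a target still on a replaced profile is denied.` Separately, the refusal is audited through `audit_resource(profile, ...)` with only the caller's profile, so a cross-profile denial looks the same in the log as a limit that was simply too high; recording the target's profile name before `aa_put_profile(task_profile)` would make these events easier to triage.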