Diffstat (limited to 'security/apparmor/resource.c')
-rw-r--r-- | security/apparmor/resource.c | 15 |
1 files changed, 12 insertions, 3 deletions
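diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index e1f3d7ef2c54..748bf0ca6c9f 100644
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -15,6 +15,7 @@
 #include <linux/audit.h>
 
 #include "include/audit.h"
+#include "include/context.h"
 #include "include/resource.h"
 #include "include/policy.h"
 
@@ -90,17 +91,25 @@ int aa_map_resource(int resource)
 int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
 unsigned int resource, struct rlimit *new_rlim)
 {
+struct aa_profile *task_profile;
 int error = 0;
 
+rcu_read_lock();
+task_profile = aa_get_profile(aa_cred_profile(__task_cred(task)));
+rcu_read_unlock();
+
 /* TODO: extend resource control to handle other (non current)
-* processes. AppArmor rules currently have the implicit assumption
-* that the task is setting the resource of the current process
+* profiles. AppArmor rules currently have the implicit assumption
+* that the task is setting the resource of a task confined with
+* the same profile.
 */
-if ((task != current->group_leader) ||
+if (profile != task_profile ||
 (profile->rlimits.mask & (1 << resource) &&
 new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
 error = -EACCES;
 
+aa_put_profile(task_profile);
+
 return audit_resource(profile, resource, new_rlim->rlim_max, error);
 }
 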
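Review bot: The `-EACCES` produced by the new `profile != task_profile` test in aa_task_setrlimit() is audited exactly like an over-limit request, because `audit_resource(profile, resource, new_rlim->rlim_max, error)` receives nothing about the target task and `aa_put_profile(task_profile)` drops the reference before the audit call. Someone reading the log cannot tell a cross-profile rlimit attempt from a too-large `rlim_max`. Consider passing the target's profile (or a reason string) into the audit record and moving the put after it. Separately, the test is pointer identity on a reference sampled under `rcu_read_lock()`. If a profile object can be replaced while tasks still hold the old one (not visible on this page), two tasks confined by the same named profile could be refused, so it is worth stating in the TODO comment whether that fail-closed outcome is intended.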