diff options
author | Jeff Mahoney <jeffm@suse.com> | 2015-11-06 15:17:30 -0500 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2016-07-12 08:43:10 -0700 |
commit | ff118479a76dbece9ae1c65c7c6a3ebe9cfa73e0 (patch) | |
tree | f3c092146e85c89ed03b3cc708af9ad428593025 /security | |
parent | 38dbd7d8be36b5e68c96a24b406f3653180c1c03 (diff) | |
download | lwn-ff118479a76dbece9ae1c65c7c6a3ebe9cfa73e0.tar.gz lwn-ff118479a76dbece9ae1c65c7c6a3ebe9cfa73e0.zip |
apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task
While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit
on another task. The only other example of a AppArmor mediating access to
another, already running, task (ignoring fork+exec) is ptrace.
The AppArmor model for ptrace is that one of the following must be true:
1) The tracer is unconfined
2) The tracer is in complain mode
3) The tracer and tracee are confined by the same profile
4) The tracer is confined but has SYS_CAP_PTRACE
1), 2, and 3) are already true for setrlimit.
We can match the ptrace model just by allowing CAP_SYS_RESOURCE.
We still test the values of the rlimit since it can always be overridden
using a value that means unlimited for a particular resource.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/apparmor/resource.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c index 748bf0ca6c9f..67a6072ead4b 100644 --- a/security/apparmor/resource.c +++ b/security/apparmor/resource.c @@ -101,9 +101,11 @@ int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task, /* TODO: extend resource control to handle other (non current) * profiles. AppArmor rules currently have the implicit assumption * that the task is setting the resource of a task confined with - * the same profile. + * the same profile or that the task setting the resource of another + * task has CAP_SYS_RESOURCE. */ - if (profile != task_profile || + if ((profile != task_profile && + aa_capable(profile, CAP_SYS_RESOURCE, 1)) || (profile->rlimits.mask & (1 << resource) && new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max)) error = -EACCES; |