mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/kernel-patches/4.7/0016-apparmor-allow-SYS_CAP_RESOURCE-to-be-sufficient-to-.patch
John Johansen dafcbfb4b6 Add patches for 4.7 upstream kernel 
patches
0001-0022 are backports of fixes from the 4.8 pull-request
0023-0025 are the out of tree feature patches

Signed-off-by: John Johansen <john.johansen@canonical.com>
2016-07-28 19:31:34 -07:00

50 lines
2 KiB
Diff
Raw Blame History

From 645801f1ddd183109c011e5ecee23ed3fdcae244 Mon Sep 17 00:00:00 2001
From: Jeff Mahoney <jeffm@suse.com>
Date: Fri, 6 Nov 2015 15:17:30 -0500
Subject: [PATCH 16/25] apparmor: allow SYS_CAP_RESOURCE to be sufficient to
prlimit another task
While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit
on another task. The only other example of a AppArmor mediating access to
another, already running, task (ignoring fork+exec) is ptrace.
The AppArmor model for ptrace is that one of the following must be true:
1) The tracer is unconfined
2) The tracer is in complain mode
3) The tracer and tracee are confined by the same profile
4) The tracer is confined but has SYS_CAP_PTRACE
1), 2, and 3) are already true for setrlimit.
We can match the ptrace model just by allowing CAP_SYS_RESOURCE.
We still test the values of the rlimit since it can always be overridden
using a value that means unlimited for a particular resource.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
security/apparmor/resource.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index 748bf0c..67a6072 100644
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -101,9 +101,11 @@ int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
/* TODO: extend resource control to handle other (non current)
* profiles. AppArmor rules currently have the implicit assumption
* that the task is setting the resource of a task confined with
- * the same profile.
+ * the same profile or that the task setting the resource of another
+ * task has CAP_SYS_RESOURCE.
*/
- if (profile != task_profile ||
+ if ((profile != task_profile &&
+ aa_capable(profile, CAP_SYS_RESOURCE, 1)) ||
(profile->rlimits.mask & (1 << resource) &&
new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
error = -EACCES;
--
2.7.4
Reference in a new issue View git blame Copy permalink