• Jeff Mahoney's avatar
    apparmor: allow SYS_CAP_RESOURCE to be sufficient to prlimit another task · ff118479
    Jeff Mahoney authored
    While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit
    on another task. The only other example of a AppArmor mediating access to
    another, already running, task (ignoring fork+exec) is ptrace.
    
    The AppArmor model for ptrace is that one of the following must be true:
    1) The tracer is unconfined
    2) The tracer is in complain mode
    3) The tracer and tracee are confined by the same profile
    4) The tracer is confined but has SYS_CAP_PTRACE
    
    1), 2, and 3) are already true for setrlimit.
    
    We can match the ptrace model just by allowing CAP_SYS_RESOURCE.
    
    We still test the values of the rlimit since it can always be overridden
    using a value that means unlimited for a particular resource.
    Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
    Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
    ff118479
resource.c 4.37 KB