diff options
| author | Jens Axboe <jaxboe@fusionio.com> | 2010-10-19 09:13:04 +0200 |
|---|---|---|
| committer | Jens Axboe <jaxboe@fusionio.com> | 2010-10-19 09:13:04 +0200 |
| commit | fa251f89903d73989e2f63e13d0eaed1e07ce0da (patch) | |
| tree | 3f7fe779941e3b6d67754dd7c44a32f48ea47c74 /security/apparmor/resource.c | |
| parent | dd3932eddf428571762596e17b65f5dc92ca361b (diff) | |
| parent | cd07202cc8262e1669edff0d97715f3dd9260917 (diff) | |
Merge branch 'v2.6.36-rc8' into for-2.6.37/barrier
Conflicts:
block/blk-core.c
drivers/block/loop.c
mm/swapfile.c
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Diffstat (limited to 'security/apparmor/resource.c')
| -rw-r--r-- | security/apparmor/resource.c | 20 |
1 files changed, 12 insertions, 8 deletions
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c index 4a368f1fd36..a4136c10b1c 100644 --- a/security/apparmor/resource.c +++ b/security/apparmor/resource.c @@ -72,6 +72,7 @@ int aa_map_resource(int resource) /** * aa_task_setrlimit - test permission to set an rlimit * @profile - profile confining the task (NOT NULL) + * @task - task the resource is being set on * @resource - the resource being set * @new_rlim - the new resource limit (NOT NULL) * @@ -79,18 +80,21 @@ int aa_map_resource(int resource) * * Returns: 0 or error code if setting resource failed */ -int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource, - struct rlimit *new_rlim) +int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task, + unsigned int resource, struct rlimit *new_rlim) { int error = 0; - if (profile->rlimits.mask & (1 << resource) && - new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max) - - error = audit_resource(profile, resource, new_rlim->rlim_max, - -EACCES); + /* TODO: extend resource control to handle other (non current) + * processes. AppArmor rules currently have the implicit assumption + * that the task is setting the resource of the current process + */ + if ((task != current->group_leader) || + (profile->rlimits.mask & (1 << resource) && + new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max)) + error = -EACCES; - return error; + return audit_resource(profile, resource, new_rlim->rlim_max, error); } /** |