author | John Johansen <john.johansen@canonical.com> | 2018-04-11 11:03:26 +0200 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2018-06-07 10:51:01 +0200 |
commit | 11c92f144bf39f448f65202cccba672097a1100b | |
tree | 1a436194bef21b5333ca330ff4a6100561d0c710 | |
parent | apparmor: fixup secid map conversion to using IDR | |

apparmor: fix mediation of prlimit

For prlimit apparmor requires that if target confinement does not match
the setting task's confinement, the setting task requires CAP_SYS_RESOURCE.

Unfortunately this was broken when rlimit enforcement was reworked to
support labels.

Fixes: 86b92cb782b3 ("apparmor: move resource checks to using labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>

-rw-r--r-- | security/apparmor/resource.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c index d022137143b9..95fd26d09757 100644 --- a/security/apparmor/resource.c +++ b/security/apparmor/resource.c @@ -124,7 +124,7 @@ int aa_task_setrlimit(struct aa_label *label, struct task_struct *task, */ if (label != peer && - !aa_capable(label, CAP_SYS_RESOURCE, SECURITY_CAP_NOAUDIT)) + aa_capable(label, CAP_SYS_RESOURCE, SECURITY_CAP_NOAUDIT) != 0) error = fn_for_each(label, profile, audit_resource(profile, resource, new_rlim->rlim_max, peer, |
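
Review bot: In the condition after `label != peer &&`, the new `aa_capable(...) != 0` test depends on aa_capable() returning 0 when the capability is held, a convention the hunk does not state and that the removed `!aa_capable(...)` line got backwards. Consider a one-line comment above the test saying that a non-zero return means CAP_SYS_RESOURCE was not granted, or storing the result in a named local (for example `cap_err`) before the `if`, so the sense of the check is obvious to the next reader. Because the call passes SECURITY_CAP_NOAUDIT, the audit_resource() call in the body is the only record of a denied cross-label prlimit visible here, so it is worth confirming that a regression test covers the case where `label != peer` both with and without CAP_SYS_RESOURCE.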