mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-25 12:04:46 +08:00
ff118479a7
While using AppArmor, SYS_CAP_RESOURCE is insufficient to call prlimit on another task. The only other example of a AppArmor mediating access to another, already running, task (ignoring fork+exec) is ptrace. The AppArmor model for ptrace is that one of the following must be true: 1) The tracer is unconfined 2) The tracer is in complain mode 3) The tracer and tracee are confined by the same profile 4) The tracer is confined but has SYS_CAP_PTRACE 1), 2, and 3) are already true for setrlimit. We can match the ptrace model just by allowing CAP_SYS_RESOURCE. We still test the values of the rlimit since it can always be overridden using a value that means unlimited for a particular resource. Signed-off-by: Jeff Mahoney <jeffm@suse.com> Signed-off-by: John Johansen <john.johansen@canonical.com> |
||
---|---|---|
.. | ||
include | ||
.gitignore | ||
apparmorfs.c | ||
audit.c | ||
capability.c | ||
context.c | ||
crypto.c | ||
domain.c | ||
file.c | ||
ipc.c | ||
Kconfig | ||
lib.c | ||
lsm.c | ||
Makefile | ||
match.c | ||
path.c | ||
policy_unpack.c | ||
policy.c | ||
procattr.c | ||
resource.c | ||
sid.c |