Diffstat (limited to 'security/apparmor/resource.c')
| -rw-r--r-- | security/apparmor/resource.c | 6 | 
1 files changed, 4 insertions, 2 deletions
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index 748bf0ca6c9f..67a6072ead4b 100644
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -101,9 +101,11 @@ int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
 	/* TODO: extend resource control to handle other (non current)
 	 * profiles.  AppArmor rules currently have the implicit assumption
 	 * that the task is setting the resource of a task confined with
-	 * the same profile.
+	 * the same profile or that the task setting the resource of another
+	 * task has CAP_SYS_RESOURCE.
 	 */
-	if (profile != task_profile ||
+	if ((profile != task_profile &&
+	     aa_capable(profile, CAP_SYS_RESOURCE, 1)) ||
 	    (profile->rlimits.mask & (1 << resource) &&
 	     new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
 		error = -EACCES;  |
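Review bot: On the new cross-profile path the rlimit ceiling is still taken from `profile->rlimits` (the caller's profile), so once `aa_capable()` passes, nothing visible in this condition compares `new_rlim->rlim_max` with the limits of `task_profile`, the profile that confines the target task. If the target's profile is meant to cap its own resources, consider adding a disjunct such as `(task_profile->rlimits.mask & (1 << resource) && new_rlim->rlim_max > task_profile->rlimits.limits[resource].rlim_max)`, provided `task_profile` is always a valid profile at this point. The bare `aa_capable(...)` in a boolean context also reads as "capable, therefore deny"; it presumably returns 0 on success, so writing `aa_capable(profile, CAP_SYS_RESOURCE, 1) != 0` or adding `/* non-zero means the capability is denied */` would make the intent explicit. Its error code is discarded in favour of `-EACCES`, which is worth a word in the comment if deliberate. The body of `aa_task_setrlimit` starts and ends outside this hunk, so how `task_profile` is obtained and how the result is audited cannot be checked here.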