From: John Johansen <john.johansen@canonical.com>
To: John Johansen <john.johansen@canonical.com>
Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH 2/4] AppArmor: Fix security_task_setrlimit logic for 2.6.36 changes
Date: Sat, 28 Aug 2010 10:10:40 -0700 [thread overview]
Message-ID: <4C794310.1020801@canonical.com> (raw)
In-Reply-To: <1282959209-5431-3-git-send-email-john.johansen@canonical.com>
On 08/27/2010 06:33 PM, John Johansen wrote:
> 2.6.36 introduced the abilitiy to specify the task that is having its
> rlimits set. Update mediation to ensure that confined tasks can only
> set their own group_leader as expected by current policy.
>
> Add TODO note about extending policy to support setting other tasks
> rlimits.
>
the change to security/apparmor/include/resource.h is missing from the
previous patch.
find the corrected patch below
---
>From f09ade4027dc55b3c41f0dffa587789c43395610 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Wed, 25 Aug 2010 16:13:07 -0700
Subject: [PATCH] AppArmor: Fix security_task_setrlimit logic for 2.6.36 changes
2.6.36 introduced the abilitiy to specify the task that is having its
rlimits set. Update mediation to ensure that confined tasks can only
set their own group_leader as expected by current policy.
Add TODO note about extending policy to support setting other tasks
rlimits.
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
security/apparmor/include/resource.h | 4 ++--
security/apparmor/lsm.c | 2 +-
security/apparmor/resource.c | 20 ++++++++++++--------
3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/security/apparmor/include/resource.h b/security/apparmor/include/resource.h
index 3c88be9..02baec7 100644
--- a/security/apparmor/include/resource.h
+++ b/security/apparmor/include/resource.h
@@ -33,8 +33,8 @@ struct aa_rlimit {
};
int aa_map_resource(int resource);
-int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
- struct rlimit *new_rlim);
+int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *,
+ unsigned int resource, struct rlimit *new_rlim);
void __aa_transition_rlimits(struct aa_profile *old, struct aa_profile *new);
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index f73e2c2..cf1de44 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -614,7 +614,7 @@ static int apparmor_task_setrlimit(struct task_struct *task,
int error = 0;
if (!unconfined(profile))
- error = aa_task_setrlimit(profile, resource, new_rlim);
+ error = aa_task_setrlimit(profile, task, resource, new_rlim);
return error;
}
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index 4a368f1..5bc46e5 100644
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -72,6 +72,7 @@ int aa_map_resource(int resource)
/**
* aa_task_setrlimit - test permission to set an rlimit
* @profile - profile confining the task (NOT NULL)
+ * @task - task the resource is being set on
* @resource - the resource being set
* @new_rlim - the new resource limit (NOT NULL)
*
@@ -79,18 +80,21 @@ int aa_map_resource(int resource)
*
* Returns: 0 or error code if setting resource failed
*/
-int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
- struct rlimit *new_rlim)
+int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
+ unsigned int resource, struct rlimit *new_rlim)
{
int error = 0;
- if (profile->rlimits.mask & (1 << resource) &&
- new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max)
-
- error = audit_resource(profile, resource, new_rlim->rlim_max,
- -EACCES);
+ /* TODO: extend resource control to handle non group leader tasks.
+ * AppArmor rules currently have the implicit assumption that
+ * the task having its resource set is the group leader.
+ */
+ if ((task != current->group_leader) ||
+ (profile->rlimits.mask & (1 << resource) &&
+ new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
+ error = -EACCES;
- return error;
+ return audit_resource(profile, resource, new_rlim->rlim_max, error);
}
/**
next prev parent reply other threads:[~2010-08-28 17:10 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-08-28 1:33 [Patch 0/4] AppArmor post 2.6.36 merge fixups John Johansen
2010-08-28 1:33 ` [PATCH 1/4] AppArmor: Drop hack to remove appended " (deleted)" string John Johansen
2010-08-28 1:33 ` [PATCH 2/4] AppArmor: Fix security_task_setrlimit logic for 2.6.36 changes John Johansen
2010-08-28 17:10 ` John Johansen [this message]
2010-08-28 18:15 ` Jiri Slaby
2010-08-28 20:35 ` John Johansen
2010-08-28 20:48 ` Jiri Slaby
2010-08-30 16:53 ` John Johansen
2010-08-30 21:33 ` Jiri Slaby
2010-09-06 17:10 ` John Johansen
2010-08-28 1:33 ` [PATCH 3/4] AppArmor: Fix splitting an fqname into separate namespace and profile names John Johansen
2010-08-28 1:33 ` [PATCH 4/4] AppArmor: Fix locking from removal of profile namespace John Johansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C794310.1020801@canonical.com \
--to=john.johansen@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).