From: John Johansen
Date: Wed, 11 Apr 2018 09:03:26 +0000 (-0700)
Subject: apparmor: fix mediation of prlimit
X-Git-Tag: v4.18-rc1~28^2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=11c92f144bf39f448f65202cccba672097a1100b;p=thirdparty%2Fkernel%2Flinux.git

apparmor: fix mediation of prlimit

For prlimit apparmor requires that if target confinement does not match the setting task's confinement, the setting task requires CAP_SYS_RESOURCE.

Unfortunately this was broken when rlimit enforcement was reworked to support labels.

Fixes: 86b92cb782b3 ("apparmor: move resource checks to using labels")
Signed-off-by: John Johansen
---
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c index d022137143b9e..95fd26d09757f 100644 --- a/security/apparmor/resource.c +++ b/security/apparmor/resource.c @@ -124,7 +124,7 @@ int aa_task_setrlimit(struct aa_label *label, struct task_struct *task, */ if (label != peer && - !aa_capable(label, CAP_SYS_RESOURCE, SECURITY_CAP_NOAUDIT)) + aa_capable(label, CAP_SYS_RESOURCE, SECURITY_CAP_NOAUDIT) != 0) error = fn_for_each(label, profile, audit_resource(profile, resource, new_rlim->rlim_max, peer,
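Review bot: The corrected test `aa_capable(label, CAP_SYS_RESOURCE, SECURITY_CAP_NOAUDIT) != 0` in the `if (label != peer && ...)` condition of aa_task_setrlimit() only reads correctly if you know aa_capable() returns 0 when the capability is granted and non-zero when it is denied, and nothing at the call site says so. The removed `!aa_capable(...)` form treated the return as a boolean "is capable" answer, which inverted the check: a setter whose label differs from the peer's took the audit_resource() error path when it held CAP_SYS_RESOURCE and skipped it when it did not. I would extend the comment that closes just above the condition to state the return convention, so the comparison is not later simplified back to the `!` form. It would also help for the commit message to say which direction the mediation failed in, since "broken" does not tell a backporter whether the regression was permissive or restrictive.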