[people/pmueller/ipfire-2.x.git] / src / patches / suse-2.6.27.31 / patches.apparmor / apparmor-rlimits.diff

From: John Johansen <jjohansen@suse.de>
Subject: AppArmor: per profile controls for system rlimits

Provide contol of rlimits on a per profile basis.  Each profile provides
a per limit contol and corresponding hard limit value, such that when a
profile becomes attached to a task it sets the tasks limits to be <= to
the profiles specified limits.  Note: the profile limit value will not
raise a tasks limit if it is already less than the profile mandates.

In addition to setting a tasks limits, the ability to set limits on
a confined task are controlled.  AppArmor only controls the raising
of a tasks limits Tasks with CAP_SYS_RESOURCE can have their hard limits
raised up to the value specified by the profile.  AppArmor does not
prevent a task for lowering its hard limits, nor does it provide
additional control on soft limits.

AppArmor only controls the limits specified in a profile so that
any limit not specified is free to be modified subject to standard
linux limitations.

---
 security/apparmor/apparmor.h         |   23 ++++++
 security/apparmor/apparmorfs.c       |    2 
 security/apparmor/lsm.c              |   16 ++++
 security/apparmor/main.c             |  132 +++++++++++++++++++++++++++++++----
 security/apparmor/module_interface.c |   56 ++++++++++++++
 5 files changed, 215 insertions(+), 14 deletions(-)

--- a/security/apparmor/apparmor.h
+++ b/security/apparmor/apparmor.h
@@ -16,6 +16,7 @@
 #include <linux/fs.h>
 #include <linux/binfmts.h>
 #include <linux/rcupdate.h>
+#include <linux/resource.h>
 #include <linux/socket.h>
 #include <net/sock.h>
 
@@ -139,6 +140,18 @@ extern unsigned int apparmor_path_max;
 
 #define AA_ERROR(fmt, args...)	printk(KERN_ERR "AppArmor: " fmt, ##args)
 
+/* struct aa_rlimit - rlimits settings for the profile
+ * @mask: which hard limits to set
+ * @limits: rlimit values that override task limits
+ *
+ * AppArmor rlimits are used to set confined task rlimits.  Only the
+ * limits specified in @mask will be controlled by apparmor.
+ */
+struct aa_rlimit {
+	unsigned int mask;
+	struct rlimit limits[RLIM_NLIMITS];
+};
+
 struct aa_profile;
 
 /* struct aa_namespace - namespace for a set of profiles
@@ -173,6 +186,8 @@ struct aa_namespace {
  * @audit_caps: caps that are to be audited
  * @quiet_caps: caps that should not be audited
  * @capabilities: capabilities granted by the process
+ * @rlimits: rlimits for the profile
+ * @task_count: how many tasks the profile is attached to
  * @count: reference count of the profile
  * @task_contexts: list of tasks confined by profile
  * @lock: lock for the task_contexts list
@@ -210,6 +225,9 @@ struct aa_profile {
 	kernel_cap_t audit_caps;
 	kernel_cap_t quiet_caps;
 
+	struct aa_rlimit rlimits;
+	unsigned int task_count;
+
 	struct kref count;
 	struct list_head task_contexts;
 	spinlock_t lock;
@@ -261,6 +279,7 @@ struct aa_audit {
 	const char *name2;
 	const char *name3;
 	int request_mask, denied_mask, audit_mask;
+	int rlimit;
 	struct iattr *iattr;
 	pid_t task, parent;
 	int family, type, protocol;
@@ -328,6 +347,10 @@ extern int aa_may_ptrace(struct aa_task_
 extern int aa_net_perm(struct aa_profile *profile, char *operation,
 			int family, int type, int protocol);
 extern int aa_revalidate_sk(struct sock *sk, char *operation);
+extern int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
+			     struct rlimit *new_rlim);
+extern void aa_set_rlimits(struct task_struct *task, struct aa_profile *profile);
+
 
 /* lsm.c */
 extern int apparmor_initialized;
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -106,7 +106,7 @@ static ssize_t aa_features_read(struct f
 {
 	const char *features = "file=3.0 capability=2.0 network=1.0 "
 			       "change_hat=1.5 change_profile=1.0 "
-			       "aanamespaces=1.0";
+			       "aanamespaces=1.0 rlimit=1.0";
 
 	return simple_read_from_buffer(buf, size, ppos, features,
 				       strlen(features));
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -883,6 +883,21 @@ static int apparmor_setprocattr(struct t
 	return error;
 }
 
+static int apparmor_task_setrlimit(unsigned int resource,
+				   struct rlimit *new_rlim)
+{
+	struct aa_profile *profile;
+	int error = 0;
+
+	profile = aa_get_profile(current);
+	if (profile) {
+		error = aa_task_setrlimit(profile, resource, new_rlim);
+	}
+	aa_put_profile(profile);
+
+	return error;
+}
+
 struct security_operations apparmor_ops = {
 	.ptrace =			apparmor_ptrace,
 	.capget =			cap_capget,
@@ -926,6 +941,7 @@ struct security_operations apparmor_ops
 	.task_free_security =		apparmor_task_free_security,
 	.task_post_setuid =		cap_task_post_setuid,
 	.task_reparent_to_init =	cap_task_reparent_to_init,
+	.task_setrlimit =		apparmor_task_setrlimit,
 
 	.getprocattr =			apparmor_getprocattr,
 	.setprocattr =			apparmor_setprocattr,
--- a/security/apparmor/main.c
+++ b/security/apparmor/main.c
@@ -177,6 +177,9 @@ static int aa_audit_base(struct aa_profi
 	if (sa->request_mask)
 		audit_log_format(ab, " fsuid=%d", current->fsuid);
 
+	if (sa->rlimit)
+		audit_log_format(ab, " rlimit=%d", sa->rlimit - 1);
+
 	if (sa->iattr) {
 		struct iattr *iattr = sa->iattr;
 
@@ -872,6 +875,79 @@ int aa_revalidate_sk(struct sock *sk, ch
 
 	return error;
 }
+/**
+ * aa_task_setrlimit - test permission to set an rlimit
+ * @profile - profile confining the task
+ * @resource - the resource being set
+ * @new_rlim - the new resource limit
+ *
+ * Control raising the processes hard limit.
+ */
+int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
+		      struct rlimit *new_rlim)
+{
+	struct aa_audit sa;
+	int error = 0;
+
+	memset(&sa, 0, sizeof(sa));
+	sa.operation = "setrlimit";
+	sa.gfp_mask = GFP_KERNEL;
+	sa.rlimit = resource + 1;
+
+	if (profile->rlimits.mask & (1 << resource) &&
+	    new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max) {
+		sa.error_code = -EACCES;
+
+		error = aa_audit(profile, &sa);
+	}
+
+	return error;
+}
+
+static int aa_rlimit_nproc(struct aa_profile *profile) {
+	if (profile && (profile->rlimits.mask & (1 << RLIMIT_NPROC)) &&
+	    profile->task_count >= profile->rlimits.limits[RLIMIT_NPROC].rlim_max)
+		return -EAGAIN;
+	return 0;
+}
+
+void aa_set_rlimits(struct task_struct *task, struct aa_profile *profile)
+{
+	int i, mask;
+
+	if (!profile)
+		return;
+
+	if (!profile->rlimits.mask)
+		return;
+
+	task_lock(task->group_leader);
+	mask = 1;
+	for (i = 0; i < RLIM_NLIMITS; i++, mask <<= 1) {
+		struct rlimit new_rlim, *old_rlim;
+
+		/* check to see if NPROC which is per profile and handled
+		 * in clone/exec or whether this is a limit to be set
+		 * can't set cpu limit either right now
+		 */
+		if (i == RLIMIT_NPROC || i == RLIMIT_CPU)
+			continue;
+
+		old_rlim = task->signal->rlim + i;
+		new_rlim = *old_rlim;
+
+		if (mask & profile->rlimits.mask &&
+		    profile->rlimits.limits[i].rlim_max < new_rlim.rlim_max) {
+			new_rlim.rlim_max = profile->rlimits.limits[i].rlim_max;
+			/* soft limit should not exceed hard limit */
+			if (new_rlim.rlim_cur > new_rlim.rlim_max)
+				new_rlim.rlim_cur = new_rlim.rlim_max;
+		}
+
+		*old_rlim = new_rlim;
+	}
+	task_unlock(task->group_leader);
+}
 
 /*******************************
  * Global task related functions
@@ -885,6 +961,7 @@ int aa_revalidate_sk(struct sock *sk, ch
  */
 int aa_clone(struct task_struct *child)
 {
+	struct aa_audit sa;
 	struct aa_task_context *cxt, *child_cxt;
 	struct aa_profile *profile;
 
@@ -894,6 +971,11 @@ int aa_clone(struct task_struct *child)
 	if (!child_cxt)
 		return -ENOMEM;
 
+	memset(&sa, 0, sizeof(sa));
+	sa.operation = "clone";
+	sa.task = child->pid;
+	sa.gfp_mask = GFP_KERNEL;
+
 repeat:
 	profile = aa_get_profile(current);
 	if (profile) {
@@ -910,18 +992,22 @@ repeat:
 			goto repeat;
 		}
 
+		if (aa_rlimit_nproc(profile)) {
+			sa.info = "rlimit nproc limit exceeded";
+			unlock_profile(profile);
+			aa_audit_reject(profile, &sa);
+			aa_put_profile(profile);
+			return -EAGAIN;
+		}
+
 		/* No need to grab the child's task lock here. */
 		aa_change_task_context(child, child_cxt, profile,
 				       cxt->cookie, cxt->previous_profile);
+
 		unlock_profile(profile);
 
 		if (APPARMOR_COMPLAIN(child_cxt) &&
 		    profile == profile->ns->null_complain_profile) {
-			struct aa_audit sa;
-			memset(&sa, 0, sizeof(sa));
-			sa.operation = "clone";
-			sa.gfp_mask = GFP_KERNEL;
-			sa.task = child->pid;
 			aa_audit_hint(profile, &sa);
 		}
 		aa_put_profile(profile);
@@ -1156,6 +1242,10 @@ repeat:
 			sa.task = current->parent->pid;
 			aa_audit_reject(profile, &sa);
 		}
+		if (PTR_ERR(old_profile) == -EAGAIN) {
+			sa.info = "rlimit nproc limit exceeded";
+			aa_audit_reject(profile, &sa);
+		}
 		new_profile = old_profile;
 		goto cleanup;
 	}
@@ -1303,6 +1393,12 @@ static int do_change_profile(struct aa_p
 		goto out;
 	}
 
+	if ((error = aa_rlimit_nproc(new_profile))) {
+		sa->info = "rlimit nproc limit exceeded";
+		aa_audit_reject(cxt->profile, sa);
+		goto out;
+	}
+
 	if (new_profile == ns->null_complain_profile)
 		aa_audit_hint(cxt->profile, sa);
 
@@ -1481,17 +1577,18 @@ struct aa_profile *__aa_replace_profile(
 
 	cxt = lock_task_and_profiles(task, profile);
 	if (unlikely(profile && profile->isstale)) {
-		task_unlock(task);
-		unlock_both_profiles(profile, cxt ? cxt->profile : NULL);
-		aa_free_task_context(new_cxt);
-		return ERR_PTR(-ESTALE);
+		old_profile = ERR_PTR(-ESTALE);
+		goto error;
 	}
 
 	if ((current->ptrace & PT_PTRACED) && aa_may_ptrace(cxt, profile)) {
-		task_unlock(task);
-		unlock_both_profiles(profile, cxt ? cxt->profile : NULL);
-		aa_free_task_context(new_cxt);
-		return ERR_PTR(-EPERM);
+		old_profile = ERR_PTR(-EPERM);
+		goto error;
+	}
+
+	if (aa_rlimit_nproc(profile)) {
+		old_profile = ERR_PTR(-EAGAIN);
+		goto error;
 	}
 
 	if (cxt)
@@ -1499,8 +1596,15 @@ struct aa_profile *__aa_replace_profile(
 	aa_change_task_context(task, new_cxt, profile, 0, NULL);
 
 	task_unlock(task);
+	aa_set_rlimits(task, profile);
 	unlock_both_profiles(profile, old_profile);
 	return old_profile;
+
+error:
+	task_unlock(task);
+	unlock_both_profiles(profile, cxt ? cxt->profile : NULL);
+	aa_free_task_context(new_cxt);
+	return old_profile;
 }
 
 /**
@@ -1565,6 +1669,7 @@ void aa_change_task_context(struct task_
 
 	if (old_cxt) {
 		list_del_init(&old_cxt->list);
+		old_cxt->profile->task_count--;
 		call_rcu(&old_cxt->rcu, free_aa_task_context_rcu_callback);
 	}
 	if (new_cxt) {
@@ -1576,6 +1681,7 @@ void aa_change_task_context(struct task_
 		new_cxt->cookie = cookie;
 		new_cxt->task = task;
 		new_cxt->profile = aa_dup_profile(profile);
+		profile->task_count++;
 		new_cxt->previous_profile = aa_dup_profile(previous_profile);
 		list_move(&new_cxt->list, &profile->task_contexts);
 	}
--- a/security/apparmor/module_interface.c
+++ b/security/apparmor/module_interface.c
@@ -177,6 +177,22 @@ fail:
 	return 0;
 }
 
+static int aa_is_u64(struct aa_ext *e, u64 *data, const char *name)
+{
+	void *pos = e->pos;
+	if (aa_is_nameX(e, AA_U64, name)) {
+		if (!aa_inbounds(e, sizeof(u64)))
+			goto fail;
+		if (data)
+			*data = le64_to_cpu(get_unaligned((u64 *)e->pos));
+		e->pos += sizeof(u64);
+		return 1;
+	}
+fail:
+	e->pos = pos;
+	return 0;
+}
+
 static size_t aa_is_array(struct aa_ext *e, const char *name)
 {
 	void *pos = e->pos;
@@ -312,6 +328,39 @@ fail:
 	return 0;
 }
 
+int aa_unpack_rlimits(struct aa_ext *e, struct aa_profile *profile)
+{
+	void *pos = e->pos;
+
+	/* rlimits are optional */
+	if (aa_is_nameX(e, AA_STRUCT, "rlimits")) {
+		int i, size;
+		u32 tmp = 0;
+		if (!aa_is_u32(e, &tmp, NULL))
+			goto fail;
+		profile->rlimits.mask = tmp;
+
+		size = aa_is_array(e, NULL);
+		if (size > RLIM_NLIMITS)
+			goto fail;
+		for (i = 0; i < size; i++) {
+			u64 tmp = 0;
+			if (!aa_is_u64(e, &tmp, NULL))
+				goto fail;
+			profile->rlimits.limits[i].rlim_max = tmp;
+		}
+		if (!aa_is_nameX(e, AA_ARRAYEND, NULL))
+			goto fail;
+		if (!aa_is_nameX(e, AA_STRUCTEND, NULL))
+			goto fail;
+	}
+	return 1;
+
+fail:
+	e->pos = pos;
+	return 0;
+}
+
 /**
  * aa_unpack_profile - unpack a serialized profile
  * @e: serialized data extent information
@@ -355,6 +404,9 @@ static struct aa_profile *aa_unpack_prof
 	if (!aa_is_u32(e, &(profile->set_caps), NULL))
 		goto fail;
 
+	if (!aa_unpack_rlimits(e, profile))
+		goto fail;
+
 	size = aa_is_array(e, "net_allowed_af");
 	if (size) {
 		if (size > AF_MAX)
@@ -614,6 +666,8 @@ ssize_t aa_replace_profile(void *udata,
 		sa.operation = "profile_load";
 		goto out;
 	}
+	/* do not fail replacement based off of profile's NPROC rlimit */
+
 	/*
 	 * Replacement needs to allocate a new aa_task_context for each
 	 * task confined by old_profile.  To do this the profile locks
@@ -634,6 +688,7 @@ ssize_t aa_replace_profile(void *udata,
 			task_lock(task);
 			task_replace(task, new_cxt, new_profile);
 			task_unlock(task);
+			aa_set_rlimits(task, new_profile);
 			new_cxt = NULL;
 		}
 		unlock_both_profiles(old_profile, new_profile);
@@ -656,6 +711,7 @@ out:
  *
  * remove a profile from the profile list and all aa_task_context references
  * to said profile.
+ * NOTE: removing confinement does not restore rlimits to preconfinemnet values
  */
 ssize_t aa_remove_profile(char *name, size_t size)
 {
Commit	Line	Data
6a930a95 BS	1	From: John Johansen <jjohansen@suse.de>
	2	Subject: AppArmor: per profile controls for system rlimits
	3
	4	Provide contol of rlimits on a per profile basis. Each profile provides
	5	a per limit contol and corresponding hard limit value, such that when a
	6	profile becomes attached to a task it sets the tasks limits to be <= to
	7	the profiles specified limits. Note: the profile limit value will not
	8	raise a tasks limit if it is already less than the profile mandates.
	9
	10	In addition to setting a tasks limits, the ability to set limits on
	11	a confined task are controlled. AppArmor only controls the raising
	12	of a tasks limits Tasks with CAP_SYS_RESOURCE can have their hard limits
	13	raised up to the value specified by the profile. AppArmor does not
	14	prevent a task for lowering its hard limits, nor does it provide
	15	additional control on soft limits.
	16
	17	AppArmor only controls the limits specified in a profile so that
	18	any limit not specified is free to be modified subject to standard
	19	linux limitations.
	20
	21	---
	22	security/apparmor/apparmor.h \| 23 ++++++
	23	security/apparmor/apparmorfs.c \| 2
	24	security/apparmor/lsm.c \| 16 ++++
	25	security/apparmor/main.c \| 132 +++++++++++++++++++++++++++++++----
	26	security/apparmor/module_interface.c \| 56 ++++++++++++++
	27	5 files changed, 215 insertions(+), 14 deletions(-)
	28
	29	--- a/security/apparmor/apparmor.h
	30	+++ b/security/apparmor/apparmor.h
	31	@@ -16,6 +16,7 @@
	32	#include <linux/fs.h>
	33	#include <linux/binfmts.h>
	34	#include <linux/rcupdate.h>
	35	+#include <linux/resource.h>
	36	#include <linux/socket.h>
	37	#include <net/sock.h>
	38
	39	@@ -139,6 +140,18 @@ extern unsigned int apparmor_path_max;
	40
	41	#define AA_ERROR(fmt, args...) printk(KERN_ERR "AppArmor: " fmt, ##args)
	42
	43	+/* struct aa_rlimit - rlimits settings for the profile
	44	+ * @mask: which hard limits to set
	45	+ * @limits: rlimit values that override task limits
	46	+ *
	47	+ * AppArmor rlimits are used to set confined task rlimits. Only the
	48	+ * limits specified in @mask will be controlled by apparmor.
	49	+ */
	50	+struct aa_rlimit {
	51	+ unsigned int mask;
	52	+ struct rlimit limits[RLIM_NLIMITS];
	53	+};
	54	+
	55	struct aa_profile;
	56
	57	/* struct aa_namespace - namespace for a set of profiles
	58	@@ -173,6 +186,8 @@ struct aa_namespace {
	59	* @audit_caps: caps that are to be audited
	60	* @quiet_caps: caps that should not be audited
	61	* @capabilities: capabilities granted by the process
	62	+ * @rlimits: rlimits for the profile
	63	+ * @task_count: how many tasks the profile is attached to
	64	* @count: reference count of the profile
65	* @task_contexts: list of tasks confined by profile
66	* @lock: lock for the task_contexts list
67	@@ -210,6 +225,9 @@ struct aa_profile {
68	kernel_cap_t audit_caps;
69	kernel_cap_t quiet_caps;
70
71	+ struct aa_rlimit rlimits;
72	+ unsigned int task_count;
73	+
74	struct kref count;
75	struct list_head task_contexts;
76	spinlock_t lock;
77	@@ -261,6 +279,7 @@ struct aa_audit {
78	const char *name2;
79	const char *name3;
80	int request_mask, denied_mask, audit_mask;
81	+ int rlimit;
82	struct iattr *iattr;
83	pid_t task, parent;
84	int family, type, protocol;
85	@@ -328,6 +347,10 @@ extern int aa_may_ptrace(struct aa_task_
86	extern int aa_net_perm(struct aa_profile profile, char operation,
87	int family, int type, int protocol);
88	extern int aa_revalidate_sk(struct sock sk, char operation);
89	+extern int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
90	+ struct rlimit *new_rlim);
91	+extern void aa_set_rlimits(struct task_struct task, struct aa_profile profile);
92	+
93
94	/* lsm.c */
95	extern int apparmor_initialized;
96	--- a/security/apparmor/apparmorfs.c
97	+++ b/security/apparmor/apparmorfs.c
98	@@ -106,7 +106,7 @@ static ssize_t aa_features_read(struct f
99	{
100	const char *features = "file=3.0 capability=2.0 network=1.0 "
101	"change_hat=1.5 change_profile=1.0 "
102	- "aanamespaces=1.0";
103	+ "aanamespaces=1.0 rlimit=1.0";
104
105	return simple_read_from_buffer(buf, size, ppos, features,
106	strlen(features));
107	--- a/security/apparmor/lsm.c
108	+++ b/security/apparmor/lsm.c
109	@@ -883,6 +883,21 @@ static int apparmor_setprocattr(struct t
110	return error;
111	}
112
113	+static int apparmor_task_setrlimit(unsigned int resource,
114	+ struct rlimit *new_rlim)
115	+{
116	+ struct aa_profile *profile;
117	+ int error = 0;
118	+
119	+ profile = aa_get_profile(current);
120	+ if (profile) {
121	+ error = aa_task_setrlimit(profile, resource, new_rlim);
122	+ }
123	+ aa_put_profile(profile);
124	+
125	+ return error;
126	+}
127	+
128	struct security_operations apparmor_ops = {
129	.ptrace = apparmor_ptrace,
130	.capget = cap_capget,
131	@@ -926,6 +941,7 @@ struct security_operations apparmor_ops
132	.task_free_security = apparmor_task_free_security,
133	.task_post_setuid = cap_task_post_setuid,
134	.task_reparent_to_init = cap_task_reparent_to_init,
135	+ .task_setrlimit = apparmor_task_setrlimit,
136
137	.getprocattr = apparmor_getprocattr,
138	.setprocattr = apparmor_setprocattr,
139	--- a/security/apparmor/main.c
140	+++ b/security/apparmor/main.c
141	@@ -177,6 +177,9 @@ static int aa_audit_base(struct aa_profi
142	if (sa->request_mask)
143	audit_log_format(ab, " fsuid=%d", current->fsuid);
144
145	+ if (sa->rlimit)
146	+ audit_log_format(ab, " rlimit=%d", sa->rlimit - 1);
147	+
148	if (sa->iattr) {
149	struct iattr *iattr = sa->iattr;
150
151	@@ -872,6 +875,79 @@ int aa_revalidate_sk(struct sock *sk, ch
152
153	return error;
154	}
155	+/**
156	+ * aa_task_setrlimit - test permission to set an rlimit
157	+ * @profile - profile confining the task
158	+ * @resource - the resource being set
159	+ * @new_rlim - the new resource limit
160	+ *
161	+ * Control raising the processes hard limit.
162	+ */
163	+int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
164	+ struct rlimit *new_rlim)
165	+{
166	+ struct aa_audit sa;
167	+ int error = 0;
168	+
169	+ memset(&sa, 0, sizeof(sa));
170	+ sa.operation = "setrlimit";
171	+ sa.gfp_mask = GFP_KERNEL;
172	+ sa.rlimit = resource + 1;
173	+
174	+ if (profile->rlimits.mask & (1 << resource) &&
175	+ new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max) {
176	+ sa.error_code = -EACCES;
177	+
178	+ error = aa_audit(profile, &sa);
179	+ }
180	+
181	+ return error;
182	+}
183	+
184	+static int aa_rlimit_nproc(struct aa_profile *profile) {
185	+ if (profile && (profile->rlimits.mask & (1 << RLIMIT_NPROC)) &&
186	+ profile->task_count >= profile->rlimits.limits[RLIMIT_NPROC].rlim_max)
187	+ return -EAGAIN;
188	+ return 0;
189	+}
190	+
191	+void aa_set_rlimits(struct task_struct task, struct aa_profile profile)
192	+{
193	+ int i, mask;
194	+
195	+ if (!profile)
196	+ return;
197	+
198	+ if (!profile->rlimits.mask)
199	+ return;
200	+
201	+ task_lock(task->group_leader);
202	+ mask = 1;
203	+ for (i = 0; i < RLIM_NLIMITS; i++, mask <<= 1) {
204	+ struct rlimit new_rlim, *old_rlim;
205	+
206	+ /* check to see if NPROC which is per profile and handled
207	+ * in clone/exec or whether this is a limit to be set
208	+ * can't set cpu limit either right now
209	+ */
210	+ if (i == RLIMIT_NPROC \|\| i == RLIMIT_CPU)
211	+ continue;
212	+
213	+ old_rlim = task->signal->rlim + i;
214	+ new_rlim = *old_rlim;
215	+
216	+ if (mask & profile->rlimits.mask &&
217	+ profile->rlimits.limits[i].rlim_max < new_rlim.rlim_max) {
218	+ new_rlim.rlim_max = profile->rlimits.limits[i].rlim_max;
219	+ /* soft limit should not exceed hard limit */
220	+ if (new_rlim.rlim_cur > new_rlim.rlim_max)
221	+ new_rlim.rlim_cur = new_rlim.rlim_max;
222	+ }
223	+
224	+ *old_rlim = new_rlim;
225	+ }
226	+ task_unlock(task->group_leader);
227	+}
228
229	/*******************************
230	* Global task related functions
231	@@ -885,6 +961,7 @@ int aa_revalidate_sk(struct sock *sk, ch
232	*/
233	int aa_clone(struct task_struct *child)
234	{
235	+ struct aa_audit sa;
236	struct aa_task_context cxt, child_cxt;
237	struct aa_profile *profile;
238
239	@@ -894,6 +971,11 @@ int aa_clone(struct task_struct *child)
240	if (!child_cxt)
241	return -ENOMEM;
242
243	+ memset(&sa, 0, sizeof(sa));
244	+ sa.operation = "clone";
245	+ sa.task = child->pid;
246	+ sa.gfp_mask = GFP_KERNEL;
247	+
248	repeat:
249	profile = aa_get_profile(current);
250	if (profile) {
251	@@ -910,18 +992,22 @@ repeat:
252	goto repeat;
253	}
254
255	+ if (aa_rlimit_nproc(profile)) {
256	+ sa.info = "rlimit nproc limit exceeded";
257	+ unlock_profile(profile);
258	+ aa_audit_reject(profile, &sa);
259	+ aa_put_profile(profile);
260	+ return -EAGAIN;
261	+ }
262	+
263	/* No need to grab the child's task lock here. */
264	aa_change_task_context(child, child_cxt, profile,
265	cxt->cookie, cxt->previous_profile);
266	+
267	unlock_profile(profile);
268
269	if (APPARMOR_COMPLAIN(child_cxt) &&
270	profile == profile->ns->null_complain_profile) {
271	- struct aa_audit sa;
272	- memset(&sa, 0, sizeof(sa));
273	- sa.operation = "clone";
274	- sa.gfp_mask = GFP_KERNEL;
275	- sa.task = child->pid;
276	aa_audit_hint(profile, &sa);
277	}
278	aa_put_profile(profile);
279	@@ -1156,6 +1242,10 @@ repeat:
280	sa.task = current->parent->pid;
281	aa_audit_reject(profile, &sa);
282	}
283	+ if (PTR_ERR(old_profile) == -EAGAIN) {
284	+ sa.info = "rlimit nproc limit exceeded";
285	+ aa_audit_reject(profile, &sa);
286	+ }
287	new_profile = old_profile;
288	goto cleanup;
289	}
290	@@ -1303,6 +1393,12 @@ static int do_change_profile(struct aa_p
291	goto out;
292	}
293
294	+ if ((error = aa_rlimit_nproc(new_profile))) {
295	+ sa->info = "rlimit nproc limit exceeded";
296	+ aa_audit_reject(cxt->profile, sa);
297	+ goto out;
298	+ }
299	+
300	if (new_profile == ns->null_complain_profile)
301	aa_audit_hint(cxt->profile, sa);
302
303	@@ -1481,17 +1577,18 @@ struct aa_profile *__aa_replace_profile(
304
305	cxt = lock_task_and_profiles(task, profile);
306	if (unlikely(profile && profile->isstale)) {
307	- task_unlock(task);
308	- unlock_both_profiles(profile, cxt ? cxt->profile : NULL);
309	- aa_free_task_context(new_cxt);
310	- return ERR_PTR(-ESTALE);
311	+ old_profile = ERR_PTR(-ESTALE);
312	+ goto error;
313	}
314
315	if ((current->ptrace & PT_PTRACED) && aa_may_ptrace(cxt, profile)) {
316	- task_unlock(task);
317	- unlock_both_profiles(profile, cxt ? cxt->profile : NULL);
318	- aa_free_task_context(new_cxt);
319	- return ERR_PTR(-EPERM);
320	+ old_profile = ERR_PTR(-EPERM);
321	+ goto error;
322	+ }
323	+
324	+ if (aa_rlimit_nproc(profile)) {
325	+ old_profile = ERR_PTR(-EAGAIN);
326	+ goto error;
327	}
328
329	if (cxt)
330	@@ -1499,8 +1596,15 @@ struct aa_profile *__aa_replace_profile(
331	aa_change_task_context(task, new_cxt, profile, 0, NULL);
332
333	task_unlock(task);
334	+ aa_set_rlimits(task, profile);
335	unlock_both_profiles(profile, old_profile);
336	return old_profile;
337	+
338	+error:
339	+ task_unlock(task);
340	+ unlock_both_profiles(profile, cxt ? cxt->profile : NULL);
341	+ aa_free_task_context(new_cxt);
342	+ return old_profile;
343	}
344
345	/**
346	@@ -1565,6 +1669,7 @@ void aa_change_task_context(struct task_
347
348	if (old_cxt) {
349	list_del_init(&old_cxt->list);
350	+ old_cxt->profile->task_count--;
351	call_rcu(&old_cxt->rcu, free_aa_task_context_rcu_callback);
352	}
353	if (new_cxt) {
354	@@ -1576,6 +1681,7 @@ void aa_change_task_context(struct task_
355	new_cxt->cookie = cookie;
356	new_cxt->task = task;
357	new_cxt->profile = aa_dup_profile(profile);
358	+ profile->task_count++;
359	new_cxt->previous_profile = aa_dup_profile(previous_profile);
360	list_move(&new_cxt->list, &profile->task_contexts);
361	}
362	--- a/security/apparmor/module_interface.c
363	+++ b/security/apparmor/module_interface.c
364	@@ -177,6 +177,22 @@ fail:
365	return 0;
366	}
367
368	+static int aa_is_u64(struct aa_ext e, u64 data, const char *name)
369	+{
370	+ void *pos = e->pos;
371	+ if (aa_is_nameX(e, AA_U64, name)) {
372	+ if (!aa_inbounds(e, sizeof(u64)))
373	+ goto fail;
374	+ if (data)
375	+ data = le64_to_cpu(get_unaligned((u64 )e->pos));
376	+ e->pos += sizeof(u64);
377	+ return 1;
378	+ }
379	+fail:
380	+ e->pos = pos;
381	+ return 0;
382	+}
383	+
384	static size_t aa_is_array(struct aa_ext e, const char name)
385	{
386	void *pos = e->pos;
387	@@ -312,6 +328,39 @@ fail:
388	return 0;
389	}
390
391	+int aa_unpack_rlimits(struct aa_ext e, struct aa_profile profile)
392	+{
393	+ void *pos = e->pos;
394	+
395	+ /* rlimits are optional */
396	+ if (aa_is_nameX(e, AA_STRUCT, "rlimits")) {
397	+ int i, size;
398	+ u32 tmp = 0;
399	+ if (!aa_is_u32(e, &tmp, NULL))
400	+ goto fail;
401	+ profile->rlimits.mask = tmp;
402	+
403	+ size = aa_is_array(e, NULL);
404	+ if (size > RLIM_NLIMITS)
405	+ goto fail;
406	+ for (i = 0; i < size; i++) {
407	+ u64 tmp = 0;
408	+ if (!aa_is_u64(e, &tmp, NULL))
409	+ goto fail;
410	+ profile->rlimits.limits[i].rlim_max = tmp;
411	+ }
412	+ if (!aa_is_nameX(e, AA_ARRAYEND, NULL))
413	+ goto fail;
414	+ if (!aa_is_nameX(e, AA_STRUCTEND, NULL))
415	+ goto fail;
416	+ }
417	+ return 1;
418	+
419	+fail:
420	+ e->pos = pos;
421	+ return 0;
422	+}
423	+
424	/**
425	* aa_unpack_profile - unpack a serialized profile
426	* @e: serialized data extent information
427	@@ -355,6 +404,9 @@ static struct aa_profile *aa_unpack_prof
428	if (!aa_is_u32(e, &(profile->set_caps), NULL))
429	goto fail;
430
431	+ if (!aa_unpack_rlimits(e, profile))
432	+ goto fail;
433	+
434	size = aa_is_array(e, "net_allowed_af");
435	if (size) {
436	if (size > AF_MAX)
437	@@ -614,6 +666,8 @@ ssize_t aa_replace_profile(void *udata,
438	sa.operation = "profile_load";
439	goto out;
440	}
441	+ /* do not fail replacement based off of profile's NPROC rlimit */
442	+
443	/*
444	* Replacement needs to allocate a new aa_task_context for each
445	* task confined by old_profile. To do this the profile locks
446	@@ -634,6 +688,7 @@ ssize_t aa_replace_profile(void *udata,
447	task_lock(task);
448	task_replace(task, new_cxt, new_profile);
449	task_unlock(task);
450	+ aa_set_rlimits(task, new_profile);
451	new_cxt = NULL;
452	}
453	unlock_both_profiles(old_profile, new_profile);
454	@@ -656,6 +711,7 @@ out:
455	*
456	* remove a profile from the profile list and all aa_task_context references
457	* to said profile.
458	+ * NOTE: removing confinement does not restore rlimits to preconfinemnet values
459	*/
460	ssize_t aa_remove_profile(char *name, size_t size)
461	{