apparmor: fix rlimit for posix cpu timers

Posix cpu timers requires an additional step beyond setting the rlimit.
Refactor the code so its clear when what code is setting the
limit and conditionally update the posix cpu timers when appropriate.

Fixes: baa73d9e478ff ("posix-timers: Make them configurable")
Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index 8e80db3ae21c09052aa06cb24700ac2c6bcf229e..64212b39ba4bbc8581aaf74285f6e790f4688911 100644 (file)
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -196,6 +196,11 @@ void __aa_transition_rlimits(struct aa_label *old_l, struct aa_label *new_l)
                                             rules->rlimits.limits[j].rlim_max);
                        /* soft limit should not exceed hard limit */
                        rlim->rlim_cur = min(rlim->rlim_cur, rlim->rlim_max);
+                       if (j == RLIMIT_CPU &&
+                           rlim->rlim_cur != RLIM_INFINITY &&
+                           IS_ENABLED(CONFIG_POSIX_TIMERS))
+                               (void) update_rlimit_cpu(current->group_leader,
+                                                        rlim->rlim_cur);
                }
        }
 }