projects / cascardo / linux.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge tag 'armsoc-drivers' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
[cascardo/linux.git] / security / apparmor / resource.c
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index 748bf0c..67a6072 100644 (file)
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -101,9 +101,11 @@ int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
        /* TODO: extend resource control to handle other (non current)
         * profiles.  AppArmor rules currently have the implicit assumption
         * that the task is setting the resource of a task confined with
-        * the same profile.
+        * the same profile or that the task setting the resource of another
+        * task has CAP_SYS_RESOURCE.
         */
-       if (profile != task_profile ||
+       if ((profile != task_profile &&
+            aa_capable(profile, CAP_SYS_RESOURCE, 1)) ||
            (profile->rlimits.mask & (1 << resource) &&
             new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
                error = -EACCES;
Unnamed repository; edit this file 'description' to name the repository.