From: John Johansen <john.johansen@canonical.com>
Date: Wed, 11 Apr 2018 09:03:26 +0000 (-0700)
Subject: apparmor: fix mediation of prlimit
X-Git-Tag: Ubuntu-4.15.0-16.17~13
X-Git-Url: https://git.proxmox.com/?p=mirror_ubuntu-bionic-kernel.git;a=commitdiff_plain;h=6827f32b8628c340a51292f49065a99cead07285

apparmor: fix mediation of prlimit

BugLink: http://bugs.launchpad.net/bugs/1763427

For primit apparmor requires that if target confinement does not match
the setting task's confinement, the setting task requires CAP_SYS_RESOURCE.

Unfortunately this was broken when rlimit enforcement was reworked to
support labels.

Fixes: 86b92cb782b3 ("apparmor: move resource checks to using labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
(cherry picked from commit a4c2746f4d4b32d8557ee17821f1101fd8474f92
 git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor)
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
---

diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index cf4d234febe9..6db1cacb6204 100644
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -124,7 +124,7 @@ int aa_task_setrlimit(struct aa_label *label, struct task_struct *task,
 	 */
 
 	if (label != peer &&
-	    !aa_capable(label, CAP_SYS_RESOURCE, SECURITY_CAP_NOAUDIT))
+	    aa_capable(label, CAP_SYS_RESOURCE, SECURITY_CAP_NOAUDIT) != 0)
 		error = fn_for_each(label, profile,
 				audit_resource(profile, resource,
 					       new_rlim->rlim_max, peer,