kernel/linux.git/security/apparmor/resource.c, branch v6.1.168

apparmor: fix rlimit for posix cpu timers

2026-03-04T12:20:08+00:00

[ Upstream commit 6ca56813f4a589f536adceb42882855d91fb1125 ] Posix cpu timers requires an additional step beyond setting the rlimit. Refactor the code so its clear when what code is setting the limit and conditionally update the posix cpu timers when appropriate. Fixes: baa73d9e478ff ("posix-timers: Make them configurable") Reviewed-by: Georgia Garcia Signed-off-by: John Johansen Signed-off-by: Sasha Levin

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 441

2019-06-05T15:37:17+00:00

Based on 1 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation version 2 of the license extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 315 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Allison Randal Reviewed-by: Armijn Hemel Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190531190115.503150771@linutronix.de Signed-off-by: Greg Kroah-Hartman

LSM: generalize flag passing to security_capable

2019-01-10T22:16:06+00:00

This patch provides a general mechanism for passing flags to the security_capable LSM hook. It replaces the specific 'audit' flag that is used to tell security_capable whether it should log an audit message for the given capability check. The reason for generalizing this flag passing is so we can add an additional flag that signifies whether security_capable is being called by a setid syscall (which is needed by the proposed SafeSetID LSM). Signed-off-by: Micah Morton Reviewed-by: Kees Cook Signed-off-by: James Morris

apparmor: fix mediation of prlimit

2018-06-07T08:51:01+00:00

For primit apparmor requires that if target confinement does not match the setting task's confinement, the setting task requires CAP_SYS_RESOURCE. Unfortunately this was broken when rlimit enforcement was reworked to support labels. Fixes: 86b92cb782b3 ("apparmor: move resource checks to using labels") Signed-off-by: John Johansen

apparmor: move context.h to cred.h

2018-02-09T19:30:01+00:00

Now that file contexts have been moved into file, and task context fns() and data have been split from the context, only the cred context remains in context.h so rename to cred.h to better reflect what it deals with. Signed-off-by: John Johansen

apparmor: fix spelling mistake: "resoure" -> "resource"

2017-11-21T08:25:44+00:00

Trivial fix to spelling mistake in comment and also with text in audit_resource call. Signed-off-by: Colin Ian King Signed-off-by: John Johansen

apparmor: move resource checks to using labels

2017-06-11T00:11:40+00:00

Signed-off-by: John Johansen

apparmor: move capability checks to using labels

2017-06-11T00:11:40+00:00

Signed-off-by: John Johansen

apparmor: switch from profiles to using labels on contexts

2017-06-11T00:11:38+00:00

Begin the actual switch to using domain labels by storing them on the context and converting the label to a singular profile where possible. Signed-off-by: John Johansen

apparmor: convert to profile block critical sections

2017-06-11T00:11:34+00:00

There are still a few places where profile replacement fails to update and a stale profile is used for mediation. Fix this by moving to accessing the current label through a critical section that will always ensure mediation is using the current label regardless of whether the tasks cred has been updated or not. Signed-off-by: John Johansen