[Apparmor-dev] rlimit resource limit policies
Crispin Cowan
crispin at novell.com
Tue May 8 20:08:26 MDT 2007
Sarah Smith wrote:
> On Tuesday 08 May 2007 11:25, Crispin Cowan wrote:
>
>> Hmmm. I hadn't realized that one process got to change another process's
>> limits. We could do that here, or in the IPC work
>> http://forge.novell.com/pipermail/apparmor-dev/2007-April/000503.html
>>
> Ok, in the way that some app could change another app's caps with setcap.
>
Under AppArmor semantics for POSIX.1e Capabilities, you could change
another process's caps with setcap, but the actual capabilities the
process gets to exercise are still bitmasked against the capability set
in the profile.
To be consistent with this, one process could set another process's
limits, but it would be ineffective above the limits specified by the
profile. This is the semantics that Steve wanted.
We can get nearly this effect by having the profile set the hard limits,
and letting one process set another process's soft limits if the usual
DAC permissions allow it. To be safe against soft-limit DoS attacks from
confined processes, we should apply the same logic we do with ptrace
such that a confined process can only mess with another process's limits
if they are running under the same profile.
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering http://novell.com
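As an added illustration (not from the thread, and not AppArmor code): the kernel rule the proposal above leans on is that setrlimit(2) accepts any soft limit up to the current hard limit and refuses a soft limit above it with EINVAL, while an unprivileged process can only lower its hard limit (raising it needs CAP_SYS_RESOURCE). The program below plays both roles on the calling process's own RLIMIT_NOFILE: first a "profile" pulls the hard ceiling down, then a "neighbour" asks for soft limits on either side of it. The ceiling value 256 is a constructed number, and the function names are mine. On Linux, prlimit(2) applies exactly the same checks when the target is another process, gated by the usual uid/gid match, which is the DAC permission the message refers to; setrlimit on the caller is used here only because it needs no feature macros.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Constructed ceiling standing in for the hard limit a profile would set. */
#define PROFILE_NOFILE_CEILING 256

/* "Profile" role: pull the hard RLIMIT_NOFILE down to `ceiling`, dragging the
 * soft limit down with it if it sits above. Never raises anything.
 * Returns 0 on success, otherwise the errno setrlimit/getrlimit failed with. */
int impose_hard_ceiling(rlim_t ceiling)
{
    struct rlimit r;
    if (getrlimit(RLIMIT_NOFILE, &r) != 0)
        return errno;
    if (r.rlim_max > ceiling)
        r.rlim_max = ceiling;
    if (r.rlim_cur > r.rlim_max)
        r.rlim_cur = r.rlim_max;
    return setrlimit(RLIMIT_NOFILE, &r) == 0 ? 0 : errno;
}

/* "Neighbour" role: ask for a new soft limit and leave the hard limit alone.
 * Returns 0 if the kernel took it, otherwise the errno it refused with; a
 * soft value above the hard limit is rejected with EINVAL and nothing changes. */
int request_soft_limit(rlim_t soft)
{
    struct rlimit r;
    if (getrlimit(RLIMIT_NOFILE, &r) != 0)
        return errno;
    r.rlim_cur = soft;
    return setrlimit(RLIMIT_NOFILE, &r) == 0 ? 0 : errno;
}

/* Try to push the hard limit back up past the ceiling. Unprivileged callers
 * get EPERM; with CAP_SYS_RESOURCE (e.g. root) the kernel allows it (0). */
int request_hard_limit(rlim_t hard)
{
    struct rlimit r;
    if (getrlimit(RLIMIT_NOFILE, &r) != 0)
        return errno;
    r.rlim_max = hard;
    if (r.rlim_cur > hard)
        r.rlim_cur = hard;
    return setrlimit(RLIMIT_NOFILE, &r) == 0 ? 0 : errno;
}

/* Read back the limits actually in force. */
rlim_t current_soft_limit(void)
{
    struct rlimit r;
    return getrlimit(RLIMIT_NOFILE, &r) == 0 ? r.rlim_cur : (rlim_t)-1;
}

rlim_t current_hard_limit(void)
{
    struct rlimit r;
    return getrlimit(RLIMIT_NOFILE, &r) == 0 ? r.rlim_max : (rlim_t)-1;
}

int main(void)
{
    int rc = impose_hard_ceiling(PROFILE_NOFILE_CEILING);
    printf("profile sets hard ceiling %d: %s\n",
           PROFILE_NOFILE_CEILING, rc ? strerror(rc) : "ok");

    rc = request_soft_limit(PROFILE_NOFILE_CEILING / 2);
    printf("soft limit below ceiling: %s (soft now %lu)\n",
           rc ? strerror(rc) : "accepted", (unsigned long)current_soft_limit());

    rc = request_soft_limit(PROFILE_NOFILE_CEILING + 1);
    printf("soft limit above ceiling: %s (soft still %lu, hard %lu)\n",
           rc ? strerror(rc) : "accepted",
           (unsigned long)current_soft_limit(), (unsigned long)current_hard_limit());

    rc = request_hard_limit(PROFILE_NOFILE_CEILING * 2);
    printf("raising hard limit again: %s\n",
           rc ? strerror(rc) : "allowed (caller has CAP_SYS_RESOURCE)");
    return 0;
}
```

Run as an ordinary user and the last line reports EPERM, which is the "ineffective above the limits specified by the profile" behaviour; the soft-limit attempt above the ceiling fails with EINVAL regardless of privilege, so a neighbour who is allowed to touch the soft limits can still never lift a process past what the hard limits dictate.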