• Eric W. Biederman's avatar
    rlimit: Properly call security_task_setrlimit · cad4ea54
    Eric W. Biederman authored
    Modify do_prlimit to call security_task_setrlimit passing the task
    whose rlimit we are changing not the tsk->group_leader.
    
    In general this should not matter as the lsms implementing
    security_task_setrlimit apparmor and selinux both examine the
    task->cred to see what should be allowed on the destination task.
    
    That task->cred is shared between tasks created with CLONE_THREAD
    unless thread keyrings are in play, in which case both apparmor and
    selinux create duplicate security contexts.
    
    So the only time when it will matter which thread is passed to
    security_task_setrlimit is if one of the threads of a process performs
    an operation that changes only it's credentials.  At which point if a
    thread has done that we don't want to hide that information from the
    lsms.
    
    So fix the call of security_task_setrlimit.  With the removal
    of tsk->group_leader this makes the code slightly faster,
    more comprehensible and maintainable.
    Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
    cad4ea54
sys.c 58 KB