apparmor: fix rlimit for posix cpu timers

jrjohansen · Sasha Levin · commit 1f736dfe27c8 · 2026-03-04T07:20:24.000-05:00
[ Upstream commit 6ca5681 ] Posix cpu timers requires an additional step beyond setting the rlimit. Refactor the code so its clear when what code is setting the limit and conditionally update the posix cpu timers when appropriate. Fixes: baa73d9 ("posix-timers: Make them configurable") Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
@@ -201,6 +201,11 @@ void __aa_transition_rlimits(struct aa_label *old_l, struct aa_label *new_l)
 					     rules->rlimits.limits[j].rlim_max);
 			/* soft limit should not exceed hard limit */
 			rlim->rlim_cur = min(rlim->rlim_cur, rlim->rlim_max);
+			if (j == RLIMIT_CPU &&
+			    rlim->rlim_cur != RLIM_INFINITY &&
+			    IS_ENABLED(CONFIG_POSIX_TIMERS))
+				(void) update_rlimit_cpu(current->group_leader,
+							 rlim->rlim_cur);
 		}
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -201,6 +201,11 @@ void __aa_transition_rlimits(struct aa_label old_l, struct aa_label new_l)`
`201`	`201`	`rules->rlimits.limits[j].rlim_max);`
`202`	`202`	`/* soft limit should not exceed hard limit */`
`203`	`203`	`rlim->rlim_cur = min(rlim->rlim_cur, rlim->rlim_max);`
	`204`	`+ if (j == RLIMIT_CPU &&`
	`205`	`+ rlim->rlim_cur != RLIM_INFINITY &&`
	`206`	`+ IS_ENABLED(CONFIG_POSIX_TIMERS))`
	`207`	`+ (void) update_rlimit_cpu(current->group_leader,`
	`208`	`+ rlim->rlim_cur);`
`204`	`209`	`}`
`205`	`210`	`}`
`206`	`211`	`}`