apparmor: fix rlimit for posix cpu timers

[ Upstream commit 6ca56813f4a589f536adceb42882855d91fb1125 ] Posix cpu timers requires an additional step beyond setting the rlimit. Refactor the code so its clear when what code is setting the limit and conditionally update the posix cpu timers when appropriate. Fixes: baa73d9e478ff ("posix-timers: Make them configurable") Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
author: John Johansen <john.johansen@canonical.com> 2025-11-09 14:16:54 -0800
committer: Sasha Levin <sashal@kernel.org> 2026-03-04 07:20:24 -0500
commit: 1f736dfe27c857b78f8461cd7c3dd9640be74b37 (patch)
tree: 91851b8e20bcddad22249854be54cdb936f2bfb7
parent: 24bb7d11dc309f25e579689df75102af636373c7 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
index dcc94c3153d5..a7eee815f121 100644
--- a/security/apparmor/resource.c
+++ b/security/apparmor/resource.c
@@ -201,6 +201,11 @@ void __aa_transition_rlimits(struct aa_label *old_l, struct aa_label *new_l)
 					     rules->rlimits.limits[j].rlim_max);
 			/* soft limit should not exceed hard limit */
 			rlim->rlim_cur = min(rlim->rlim_cur, rlim->rlim_max);
+			if (j == RLIMIT_CPU &&
+			    rlim->rlim_cur != RLIM_INFINITY &&
+			    IS_ENABLED(CONFIG_POSIX_TIMERS))
+				(void) update_rlimit_cpu(current->group_leader,
+							 rlim->rlim_cur);
 		}
 	}
 }
author	John Johansen <john.johansen@canonical.com>	2025-11-09 14:16:54 -0800
committer	Sasha Levin <sashal@kernel.org>	2026-03-04 07:20:24 -0500
commit	1f736dfe27c857b78f8461cd7c3dd9640be74b37 (patch)
tree	91851b8e20bcddad22249854be54cdb936f2bfb7
parent	24bb7d11dc309f25e579689df75102af636373c7 (diff)