AppArmor provides the ability to set and control an application's resource limits (rlimits, also known as ulimits). By default AppArmor does not control an application's rlimits; it only controls those limits specified in the confining profile. For more information about resource limits, refer to the setrlimit(2), ulimit(1), or ulimit(3) man pages.
AppArmor leverages the system's rlimits and as such does not provide the additional auditing that would normally occur. It also cannot raise rlimits set by the system; AppArmor rlimits can only reduce an application's current resource limits.
The values will be inherited by the children of a process and will remain even if a new profile is transitioned to or the application becomes unconfined. So when an application transitions to a new profile, that profile has the ability to further reduce the application's rlimits.
AppArmor's rlimit rules also mediate the setting of an application's hard limits, should it try to raise them. The application will not be able to raise its hard limits any further than specified in the profile. The mediation of raising hard limits is not inherited as the set value is, so once the application transitions to a new profile it is free to raise its limits as specified in that profile.
AppArmor's rlimit control does not affect an application's soft limits beyond ensuring that they are less than or equal to the application's hard limits.
AppArmor's hard limit rules have the general form of:

  set rlimit resource <= value,

where resource and value are to be replaced with the following values:

cpu
  currently not supported

fsize, data, stack, core, rss, as, memlock, msgqueue
  a number in bytes, or a number with a suffix where the suffix can be K (kilobytes), M (megabytes), G (gigabytes), for example:
  set rlimit data <= 100M,

fsize, nofile, locks, sigpending, nproc*, rtprio
  a number greater than or equal to 0

nice
  a value between -20 and 19
*The nproc rlimit is handled differently than all the other rlimits. Instead of indicating the standard process rlimit, it controls the maximum number of processes that can be running under the profile at any given time. Once the limit is exceeded, the creation of new processes under the profile will fail until the number of currently running processes is reduced.
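As an added example (not part of the AppArmor documentation or tools), the following Python checker validates set rlimit rules against the value classes in the table above and runs them over a constructed profile fragment; the profile name and path are made up.

```python
import re

# Resource classes from this page's rlimit table. fsize is listed in both groups
# there; the byte-valued class is the superset, so it is used for fsize here.
BYTE_RESOURCES = {"fsize", "data", "stack", "core", "rss", "as", "memlock", "msgqueue"}
COUNT_RESOURCES = {"nofile", "locks", "sigpending", "nproc", "rtprio"}
SUFFIX = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
RULE_RE = re.compile(r"^\s*set\s+rlimit\s+(\w+)\s*<=\s*(-?\d+)([KMG]?)\s*,\s*$")

def parse_rlimit_rule(line):
    """Parse 'set rlimit resource <= value,' into (resource, limit); byte values are normalised."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"malformed rlimit rule: {line.strip()!r}")
    resource, number, suffix = m.group(1), int(m.group(2)), m.group(3)
    if resource == "cpu":
        raise ValueError("cpu: currently not supported")
    if resource == "nice":
        if suffix or not -20 <= number <= 19:
            raise ValueError("nice: value must be between -20 and 19")
        return resource, number
    if resource not in BYTE_RESOURCES | COUNT_RESOURCES:
        raise ValueError(f"{resource}: unknown rlimit resource")
    if number < 0 or (suffix and resource in COUNT_RESOURCES):
        raise ValueError(f"{resource}: expected a number >= 0 (K/M/G suffix only for byte-valued resources)")
    return resource, number * SUFFIX[suffix]

def check_profile(text):
    """Return ({resource: limit}, [error strings]) for every 'set rlimit' line in a profile."""
    limits, errors = {}, []
    for line in text.splitlines():
        if not line.strip().startswith("set rlimit"):
            continue  # other profile rules are outside this example's scope
        try:
            resource, limit = parse_rlimit_rule(line)
            limits[resource] = limit
        except ValueError as err:
            errors.append(str(err))
    return limits, errors

# Constructed sample fragment (not from the page); the last three rules are deliberately invalid.
SAMPLE_PROFILE = """profile example_service /usr/bin/example_service {
  set rlimit core <= 0,
  set rlimit data <= 100M,
  set rlimit nproc <= 50,
  set rlimit nice <= 5,
  set rlimit cpu <= 10,
  set rlimit nice <= 25,
  set rlimit nofile <= 4K,
}"""
```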
Currently the tools cannot be used to add rlimit rules to profiles. The only way to add rlimit controls to a profile is to manually edit the profile with a text editor. The tools will still work with profiles containing rlimit rules and will not remove them, so it is safe to use the tools to update profiles containing them.