Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's AppArmor module regarding the management of resource limits (rlimits) for POSIX CPU timers. The issue arises because POSIX CPU timers require an additional step beyond merely setting the rlimit. The code needs to be refactored to clarify when the limits are being set and to conditionally update the POSIX CPU timers as necessary. This vulnerability affects several versions of the Linux kernel.
The vulnerability can lead to improper management of CPU time limits for processes, potentially allowing them to exceed intended CPU usage constraints.
The vulnerability can be reproduced by configuring AppArmor with profiles that manage resource limits for applications using POSIX CPU timers. When the rlimit for CPU time is set, the corresponding POSIX timer may not be updated correctly, leading to a mismatch between the intended and actual CPU time limits for the application.
Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched kernel can be found on the official Linux kernel website.
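The mismatch described above between the configured CPU rlimit and what the kernel enforces can be checked from user space. The following C program is an added example, not code from the kernel or from the advisory: it burns CPU in a child process and reports whether SIGXCPU arrives at the soft RLIMIT_CPU. The helper name `cpu_limit_enforced`, the 2-second grace period, and running it under an AppArmor profile that sets a CPU rlimit are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* CPU seconds (user + system) consumed by the calling process. */
static double cpu_seconds(void) {
    struct timespec ts;
    clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &ts);
    return (double)ts.tv_sec + (double)ts.tv_nsec / 1e9;
}

/* Hypothetical helper: fork a child that burns CPU until `grace` seconds past
 * its soft RLIMIT_CPU. set_soft > 0: the child sets that limit itself via
 * setrlimit() (baseline). set_soft == 0: the child keeps the limit it
 * inherited, e.g. one applied by an AppArmor profile.
 * Returns 1 if SIGXCPU stopped the child (limit enforced), 0 if it ran past
 * limit + grace (limit recorded but not enforced), -1 on error or no limit. */
int cpu_limit_enforced(unsigned set_soft, unsigned grace) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit rl;
        signal(SIGXCPU, SIG_DFL);          /* make sure SIGXCPU terminates us */
        if (getrlimit(RLIMIT_CPU, &rl) != 0) _exit(2);
        if (set_soft) {
            rl.rlim_cur = set_soft;
            if (setrlimit(RLIMIT_CPU, &rl) != 0) _exit(2);
        }
        if (rl.rlim_cur == RLIM_INFINITY) _exit(3);  /* nothing to test */
        double deadline = (double)rl.rlim_cur + grace;
        while (cpu_seconds() < deadline) { /* spin */ }
        _exit(0);                          /* outlived the limit */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGXCPU) return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return 0;
    return -1;
}

int main(int argc, char **argv) {
    unsigned set_soft = argc > 1 ? (unsigned)atoi(argv[1]) : 0;
    int r = cpu_limit_enforced(set_soft, 2);
    printf("RLIMIT_CPU enforced: %d\n", r);
    return r == 1 ? 0 : 1;
}
```

Run it with an argument (for example `1`) to confirm the baseline `setrlimit()` path, then with no argument while confined by the profile under test; a result of 0 in the second run means the limit is visible to the process but was not enforced.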