Resource Limit Control - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual

21.9 Resource Limit Control

AppArmor provides the ability to set and control an application's resource limits
(rlimits, also known as ulimits). By default AppArmor does not control an application's
rlimits; it controls only those limits that are specified in the confining profile. For more
information about resource limits, refer to the setrlimit(2), ulimit(1), or
ulimit(3) man pages.
Because AppArmor leverages the kernel's own rlimit mechanism, it does not provide the
additional auditing that normally accompanies AppArmor mediation; a process that reaches a
limit is stopped by the kernel exactly as it would be for any other rlimit. AppArmor also
cannot raise rlimits set by the system: AppArmor rlimit rules can only reduce an
application's current resource limits.
The values are inherited by the children of a process and remain in effect even if the
process transitions to a new profile or becomes unconfined. When an application
transitions to a new profile, that profile can therefore only reduce the application's
rlimits further.
AppArmor's rlimit rules also mediate an application's attempts to raise its hard limits:
the application cannot raise a hard limit any farther than the value specified in the
profile. Unlike the set value, this mediation of raising hard limits is not inherited, so
once the application transitions to a new profile it is free to raise its limits as far as
that profile allows.
AppArmor's rlimit control does not affect an application's soft limits, beyond ensuring
that they are less than or equal to the application's hard limits.
AppArmor's hard limit rules have the general form:
set rlimit resource <= value,
where resource and value are replaced with one of the following:
cpu
currently not supported
fsize, data, stack, core, rss, as, memlock, msgqueue
a number in bytes, or a number with a suffix, where the suffix can be K (kilobytes),
M (megabytes), or G (gigabytes), for example
set rlimit data <= 100M,
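The following shell script is an added example and is not part of the SUSE guide. It shows two things: a profile fragment written in the rule form above (the program path /usr/local/bin/batchjob is a hypothetical placeholder, and the fragment is only printed, not loaded), and, using the shell's ulimit builtin, the kernel rlimit behaviour the preceding paragraphs rely on: a hard limit can be lowered, the lowered value is inherited by child processes, the soft limit cannot exceed it, and an unprivileged process cannot raise it again. The demonstration uses the open-files limit (RLIMIT_NOFILE) only because its hard value is always a plain positive number in every shell; it is not one of the resources the guide lists for AppArmor rules.

```shell
#!/bin/sh
# Added example (not from the SUSE guide): the rlimit semantics behind AppArmor's
# "set rlimit" rules, shown with the shell's ulimit builtin, plus a profile fragment.
# Runs without AppArmor installed; the profile is printed, never loaded.

# Profile fragment using only resources the guide lists as supported.
# /usr/local/bin/batchjob is a hypothetical placeholder path.
print_profile_fragment() {
    cat <<'EOF'
#include <tunables/global>

/usr/local/bin/batchjob {
  #include <abstractions/base>

  # Only the rlimits named here are touched; every other limit stays as the
  # process inherited it. Each rule can only lower the current hard limit.
  set rlimit data    <= 100M,
  set rlimit stack   <= 8M,
  set rlimit as      <= 512M,
  set rlimit fsize   <= 1G,
  set rlimit core    <= 1M,
  set rlimit memlock <= 64K,
}
EOF
}

# Demonstrate, inside a subshell so the caller's own limits are untouched, what
# a lowered hard limit means for a process. Prints four tokens:
#   <lowered|fail> <inherited|fail> <capped|fail> <denied|raised>
rlimit_demo() {
    (
        original=$(ulimit -H -n)
        lowered=$((original / 2))

        # 1. Lower the soft limit first, then the hard limit. The kernel rejects
        #    a hard limit below the soft limit, so the order matters.
        if ulimit -S -n "$lowered" && ulimit -H -n "$lowered" &&
           [ "$(ulimit -H -n)" = "$lowered" ]; then
            step1=lowered
        else
            step1=fail
        fi

        # 2. Child processes inherit the lowered hard limit, just as a value set
        #    by an AppArmor profile survives a transition to another profile.
        if [ "$(sh -c 'ulimit -H -n')" = "$lowered" ]; then
            step2=inherited
        else
            step2=fail
        fi

        # 3. The soft limit can never be raised above the hard limit (EINVAL).
        if ulimit -S -n "$((lowered + 1))" 2>/dev/null; then
            step3=fail
        else
            step3=capped
        fi

        # 4. Raising the hard limit back requires CAP_SYS_RESOURCE; an
        #    unprivileged process gets EPERM. This is why AppArmor rules can
        #    only ever reduce a limit. Running as root, the raise succeeds.
        if ulimit -H -n "$original" 2>/dev/null; then
            step4=raised
        else
            step4=denied
        fi

        printf '%s %s %s %s\n' "$step1" "$step2" "$step3" "$step4"
    )
}

print_profile_fragment
rlimit_demo
```

To enforce the fragment for real, save it under /etc/apparmor.d/ and load it with apparmor_parser -r; the limits actually applied to a confined process can then be read from inside it with ulimit -H, or from outside via /proc/PID/limits.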