grsecurity forums

Hi,

I'm using grsec2.0, and I'm trying to create an acl for apache-ssl. Everything is OK until I try to shut it down, when I get this:

grsec: Attempted send of signal 9 to protected task /
sandbox/apache-ssl/usr/sbin/apache-ssl[apache-ssl:24252] uid/euid:33/33 gid/egid:33/33, parent /sandbox/apache-ssl/usr/sbin/apache-ssl[apache-ssl:21691] uid/eui
d:0/0 gid/egid:0/0 by sandbox/apache-ssl/usr/sbin/apache-ssl[apache-ssl:21691]
uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

The acl is like this:

subject /sandbox/apache-ssl/usr/sbin/apache-ssl dp
/ h
/sandbox rxwcd
/sandbox/apache-ssl/usr/lib/apache-ssl/gcache xi
/sandbox/apache-ssl/usr/sbin/apache-ssl xi
-CAP_ALL
+CAP_CHOWN
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE

The documnetation says:
p This process is protected; it can only be killed by processes with the k mode, or by processes within the same subject.

So why cant apache-ssl kill apache-ssl? I would guess its in the same subject?

thanks for any help!

Szo

szo wrote:The documentation says:
p This process is protected; it can only be killed by processes with the k mode, or by processes within the same subject.

looking at the source code it seems that only the 'k' subject flag is actually implemented...