
2.6.11.12+grsec 2.1.5 - RES_AS problem

Posted: Mon Jun 20, 2005 1:49 pm
by LiNiO
Hello!

After enabling and disabling a policy with this line (role root, subject /bin/bash):
Code:
   RES_AS   5M   5M

the limit still exists:

Code:
xx:~# gradm -E
xx:~# gradm -D
Password:
xx:~# vim /etc/grsec/policy
vim: error while loading shared libraries: libc.so.6: failed to map segment from shared object: Cannot allocate memory


dmesg:
Code:
grsec: From 192.168.0.2: (root:U:/sbin/gradm) grsecurity 2.1.6 RBAC system loaded by /sbin/gradm[gradm:2339] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:2333] uid/euid:0/0 gid/egid:0/0
grsec: From 192.168.0.2: (root:U:/bin/bash) use of CAP_SYS_ADMIN denied for /bin/bash[bash:2333] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:2330] uid/euid:0/0 gid/egid:0/0
grsec: From 192.168.0.2: (root:U:/bin/bash) use of CAP_SYS_RESOURCE denied for /bin/bash[bash:2333] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:2330] uid/euid:0/0 gid/egid:0/0
grsec: From 192.168.0.2: shutdown auth success for /sbin/gradm[gradm:2340] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:2333] uid/euid:0/0 gid/egid:0/0
grsec: From 192.168.0.22: denied resource overstep by requesting 5529600 for RLIMIT_AS against limit 5242880 for /usr/bin/vim[vim:2342] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:2333] uid/euid:0/0 gid/egid:0/0


regards
Robert

Posted: Sat Jul 02, 2005 11:08 am
by spender
Resource limits are the only thing that stick around after a disable of the RBAC system, since they must be applied per-process, and there's no way of knowing after the system is disabled what the correct limits are to set on the processes. To fix the problem, you'll have to restart bash in this case.

-Brad
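
Because the limit stays attached to each process after `gradm -D`, one way to find which processes need restarting is to read their address-space limit from /proc. This is an added example, not part of the original posts or of grsecurity; it assumes a kernel that provides /proc/<pid>/limits (Linux 2.6.24 or later, so newer than the 2.6.11 kernel in this thread), and the function names and sample text are constructed for illustration.

```python
#!/usr/bin/env python3
"""List processes that still carry a finite RLIMIT_AS (added example)."""
import glob
import re

# Constructed sample in /proc/<pid>/limits layout (assumed: Linux 2.6.24+).
# 5242880 bytes is the 5M RES_AS limit reported in the thread's dmesg output.
SAMPLE_LIMITS = """\
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max address space         5242880              5242880              bytes
Max open files            1024                 4096                 files
"""

_AS_ROW = re.compile(r"^Max address space\s+(\S+)\s+(\S+)\s+bytes\s*$", re.M)


def parse_as_limit(limits_text):
    """Return (soft, hard) RLIMIT_AS in bytes; None means unlimited."""
    m = _AS_ROW.search(limits_text)
    if m is None:
        raise ValueError("no 'Max address space' row found")
    return tuple(None if v == "unlimited" else int(v) for v in m.groups())


def would_overstep(limits_text, requested_bytes):
    """True if an address space of requested_bytes exceeds the soft limit."""
    soft, _hard = parse_as_limit(limits_text)
    return soft is not None and requested_bytes > soft


def scan_proc():
    """Yield (pid, comm, soft, hard) for live processes with a finite RLIMIT_AS."""
    for path in glob.glob("/proc/[0-9]*/limits"):
        pid = path.split("/")[2]
        try:
            with open(path) as f:
                soft, hard = parse_as_limit(f.read())
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except (OSError, ValueError):
            continue  # process exited, or its limits file is unreadable
        if soft is not None or hard is not None:
            yield int(pid), comm, soft, hard


if __name__ == "__main__":
    for pid, comm, soft, hard in sorted(scan_proc()):
        print(f"{pid}\t{comm}\tsoft={soft}\thard={hard}")
```

Any shell listed here passes its limit on to every command it starts, which is why vim fails until bash itself is restarted.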