Developing on a grsec kernel

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Developing on a grsec kernel

Postby Someone » Tue Jan 20, 2015 7:59 am

Is it sensible to run grsec on a developer's machine, where I have ever-changing and writable executables? I played around with the policies and I haven't found a sound way to support a "developer's playground". If I understand grsec correctly, I would have to manage a subject for every executable that I compile? It also disallowed vim to call a self-compiled library:
Code:
grsec: (<user>:U:/usr/bin/vim) denied load of writable library /home/<user>/.vim/bundle/YouCompleteMe/third_party/ycmd/ycm_client_support.so by /usr/bin/vim[vim:26090] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/zsh[zsh:24799] uid/euid:1000/1000 gid/egid:1000/1000
How would you do that?
Someone
 
Posts: 1
Joined: Tue Jan 20, 2015 7:47 am

Re: Developing on a grsec kernel

Postby spender » Wed Jan 21, 2015 8:30 pm

You can create subjects on directories, so just create/run the binaries under the defined base directory and you won't need to create individual subjects for each binary. For your vim example, you'll need to add "O" to the subject mode for vim, since the default subject for your role is able to write to the library (see: https://en.wikibooks.org/wiki/Grsecurit ... ject_Modes).

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
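
An added example of what Brad's answer looks like as policy, not taken from the thread or from the shipped grsecurity policy: an excerpt of an RBAC policy (/etc/grsec/policy) for a user role whose "playground" lives under /home/user/dev. The user name, the directory and the object list are assumptions; merge the idea into the policy your own learning run produced and check it with `gradm -C` before enabling it.

```conf
# Excerpt of an RBAC policy for a developer role (added example; the
# role name, the /home/user/dev path and the object set are assumptions).
role user u
role_allow_ip 0.0.0.0/32

# Default subject for the role.  The shell runs here, so the playground
# must be executable ("x") for it to start a freshly built binary;
# the object list is shortened to what matters for this example.
subject / {
    /               h
    /home/user      rwcd
    /home/user/dev  rwxcd
    -CAP_ALL
}

# One subject for the whole directory instead of one per executable:
# every binary under /home/user/dev runs in this subject.  "o" stops
# inheritance from the default subject; "O" allows these programs to
# load libraries they can write to (their own just-built .so files),
# which is otherwise refused with "denied load of writable library".
subject /home/user/dev oO {
    /               h
    /home/user/dev  rwxcd
    /lib            rx
    /usr/lib        rx
    -CAP_ALL
}

# vim gets "O" only because YouCompleteMe loads a self-built .so from a
# directory this role can write to; its other objects stay inherited.
subject /usr/bin/vim O {
    /home/user/.vim  rwxcd
}
```

Keeping "O" confined to the directory subject and to vim leaves the rest of the role under the default rule that writable libraries are not loaded.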
