Newbie ACL parent question

PostPosted: Thu Sep 12, 2002 1:53 pm
by asok
I am very new to grsecurity, so sorry if this is a stupid question.

Is there any way to create an ACL that says that a certain subject (let's say /bin/touch) can write to a certain object (let's say /var/tmp/timestamp) only if the subject's parent is a certain other subject (let's say /usr/bin/cleverscript)?

If I understand correctly, something like
/usr/bin/cleverscript {
....
/bin/touch rxi
/var/tmp/timestamp w
....
}
is not the correct solution for me, because in this case /bin/touch may inherit several other ACLs (e.g. /usr/bin/cleverscript might have CAP_SYS_RAWIO :wink: , which I might not wish /bin/touch to inherit).

Anyway, I am starting to really enjoy grsecurity, inheritance and the learning mode are great. RBAC would be nice however...

Thanks in advance,
Akos

PostPosted: Thu Sep 12, 2002 10:43 pm
by spender
That's exactly the situation I'm going to solve with the rewrite of the ACL system, which will support roles and nested ACLs.

-Brad

PostPosted: Tue Sep 24, 2002 7:10 am
by meyerm
Ah. OK, that means for now I cannot create different ACLs for a bash started locally and for a bash started by sshd, right?

And if I understood you right, this will be possible in the future. :)
Do you already know approximately when this will be?

Thanks

PostPosted: Tue Sep 24, 2002 10:38 am
by spender
Correct. I'm guessing this will take about a month or so. I'm completely rewriting all of grsecurity by myself, so you have to give me some time :)

-Brad

PostPosted: Tue Sep 24, 2002 10:53 am
by meyerm
One month? Hmm, ok. *setMyStopwatch* ;)