
Automatic role?

Posted: Wed Mar 05, 2008 4:13 pm
by Enchant
Hi.

Is it possible to automatically execute a subject with a given role?

For example pseudocode:
Code:
role daemon # definition of the role with default settings
subject / {
/ r
/tmp rwcdm
/var/log rwcdm
/var/run rwcdm
}

#..................

_USE_ROLE_ daemon # execute sshd under role daemon, with that role's settings
subject /usr/sbin/sshd {
# any settings
}


Is it possible to do that? Or how can I do something similar?

PS: Sorry for my English :D

Re: Automatic role?

Posted: Wed Mar 12, 2008 6:34 pm
by spender
It is somewhat possible (requires userland support) if you use a no-authentication special role. You'll need to create some script or modify the binary so that it transitions to the special role. Purely from a policy change though, making a subject run under an arbitrary role isn't possible.

-Brad
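
A sketch of the userland side described in the reply above, added here as an example; it is not code from the thread or from the grsecurity project. It assumes gradm's `-n` option for no-authentication special roles, the `sN` role flags, a `role_transitions` line in the role the init script starts in, and gradm installed at `/sbin/gradm`; the function name and the policy layout in the comments are hypothetical.

```shell
#!/bin/sh
# Wrapper that moves into a no-authentication special role before starting
# a daemon, and refuses to start the daemon if the transition fails.
#
# Policy side (assumed layout, object lists taken from the question):
#
#   role default G               # G: role may use gradm
#   role_transitions daemon      # allow switching to the special role
#   subject / { ... }
#
#   role daemon sN               # s: special role, N: no authentication
#   subject / {
#       /         r
#       /tmp      rwcdm
#       /var/log  rwcdm
#       /var/run  rwcdm
#   }

# Path to gradm; overridable so the wrapper can be exercised without RBAC.
GRADM=${GRADM:-/sbin/gradm}

# run_in_role ROLE COMMAND [ARGS...]
# Asks gradm for the special role, then replaces this shell with COMMAND.
# Assumption: gradm applies the role to its parent process (this shell),
# so the exec'd daemon keeps it.
run_in_role() {
    role=$1
    shift
    if ! "$GRADM" -n "$role"; then
        # Fail closed: never start the daemon outside the intended role.
        echo "transition to role '$role' failed, not starting: $*" >&2
        return 1
    fi
    exec "$@"
}

# Invoked as: wrapper.sh /usr/sbin/sshd [sshd options]
if [ "$#" -gt 0 ]; then
    run_in_role daemon "$@"
fi
```

Point the init script at the wrapper instead of the sshd binary; after the daemon is up, check which role it actually runs under before relying on the policy.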