problems with protected process

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

problems with protected process

Postby szo » Mon May 10, 2004 7:17 am

Hi,

I'm using grsec2.0, and I'm trying to create an acl for apache-ssl. Everything is OK until I try to shut it down, when I get this:

grsec: Attempted send of signal 9 to protected task /
sandbox/apache-ssl/usr/sbin/apache-ssl[apache-ssl:24252] uid/euid:33/33 gid/egid:33/33, parent /sandbox/apache-ssl/usr/sbin/apache-ssl[apache-ssl:21691] uid/eui
d:0/0 gid/egid:0/0 by sandbox/apache-ssl/usr/sbin/apache-ssl[apache-ssl:21691]
uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

The acl is like this:

subject /sandbox/apache-ssl/usr/sbin/apache-ssl dp
/ h
/sandbox rxwcd
/sandbox/apache-ssl/usr/lib/apache-ssl/gcache xi
/sandbox/apache-ssl/usr/sbin/apache-ssl xi
-CAP_ALL
+CAP_CHOWN
+CAP_KILL
+CAP_SETGID
+CAP_SETUID
+CAP_NET_BIND_SERVICE

The documnetation says:
p This process is protected; it can only be killed by processes with the k mode, or by processes within the same subject.

So why cant apache-ssl kill apache-ssl? I would guess its in the same subject?

thanks for any help!

Szo
szo
 
Posts: 5
Joined: Mon May 10, 2004 7:08 am
Location: Budapest

Re: problems with protected process

Postby PaX Team » Mon May 10, 2004 2:04 pm

szo wrote:The documentation says:
p This process is protected; it can only be killed by processes with the k mode, or by processes within the same subject.
looking at the source code it seems that only the 'k' subject flag is actually implemented...
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm


Return to RBAC policy development