On Sun, 9 Feb 2014 13:43:29 +0100 Sven Vermeulen <sven.vermeu...@siphos.be> wrote:
> Isn't there any mount option that you can pass so that all members of
> a certain group can still access sysfs? Perhaps "gid="?

I guess that would be a safer approach. But I'd prefer a standardized approach for this - surely there are more non-root applications which need extended /sys access. I think not every hardened user should have to figure this out himself.

The best way I can imagine to solve this would be a new eclass. It would be called in an ebuild (unconditionally) with a user name, would then check if a certain USE flag (either "hardened" or something more specific) was set and then add the user in question to a certain group, perhaps "sysfs". Before doing this for the first time, it would create that group and ask the user to add an appropriate mount option.

What do you think about this? Is it just overcomplicated or a good way to go? Also, do you know of other programs which have problems with GRKERNSEC_SYSFS_RESTRICT?

I'd be willing to write the eclass if you like the idea.

Regards,
Luis Ressel

--
Luis Ressel <ara...@aixah.de>
GPG fpr: F08D 2AF6 655E 25DE 52BC E53D 08F5 7F90 3029 B5BD